RSAC 2026 Innovation Sandbox | Fig Security: Guardian of the Reliability of Security Detection Systems

Company Profile
Fig Security is a cybersecurity startup founded in 2025. It is headquartered in Israel with business operations also based in the United States. Despite its short history, the company has quickly gained industry attention through its innovative approach to security operations and has established itself within the global cybersecurity startup ecosystem. The Fig Security team primarily hails from Israel’s mature cybersecurity industry, bringing deep technical expertise in security operations automation, security data analysis, and enterprise-grade security platform development.
In terms of capital market performance, Fig Security has secured support from several well-known cybersecurity investment institutions since its inception. The company has completed multiple rounds of financing, with total funding reaching approximately $38 million. Investors include Team8, a prominent Israeli cybersecurity venture capital firm, and Ten Eleven Ventures, which focuses on cybersecurity investments. These firms hold significant influence in the global cybersecurity investment landscape, and their backing reflects the capital market’s recognition of Fig Security’s technological direction and team strength.
Beyond its fundraising achievements, Fig Security quickly garnered attention from the security industry after its establishment and was selected for prestigious programs such as the RSA Conference Innovation Sandbox. The RSAC Innovation Sandbox is widely regarded as a key platform for showcasing global cybersecurity startups, having previously featured numerous companies that later grew into industry leaders. Fig Security’s inclusion in this program is seen as a testament to its technological innovation capabilities and industry potential, positioning it as one of the noteworthy emerging companies in the global cybersecurity startup scene in recent years.
Fig Security was co-founded by three serial entrepreneurs from the cybersecurity industry: Gal Shafir, Nir Loya Dahan, and Roy Haimof. The three founders have extensive experience in the field of security operations automation and previously participated in the establishment of Siemplify, a security automation platform company. A group photo of the founders is shown in Figure 1.

Figure 1: Founders’ Group Photo

Gal Shafir is the co-founder and CEO of Fig Security, with long-term experience in building enterprise security platforms and security operations systems. Prior to founding Fig Security, he worked on security architecture at Google Cloud and was involved in advancing security operations automation platforms. Before that, he was a core member of Siemplify, a security automation company that was later acquired by Google and integrated into the Google Cloud Security ecosystem.
Nir Loya Dahan is the co-founder and Chief Product Officer of Fig Security, responsible for the company’s product strategy and overall platform design. Dahan has years of experience with security operations automation products and played a key role in product development at Siemplify. He has accumulated extensive expertise in the design of Security Operations Center (SOC) tools, detection process optimization, and security analytics platforms.
Roy Haimof is the co-founder and Chief Technology Officer of Fig Security, primarily responsible for the platform’s technical architecture design and core technology R&D. Haimof has a strong technical background in large-scale data processing, security analytics platforms, and enterprise-level software architecture, providing crucial support for Fig Security’s technology development and engineering implementation.
Overall, the founding team of Fig Security embodies a quintessential Israeli cybersecurity entrepreneurship background. The members not only possess experience in developing security operations platforms but have also been involved in successful security startup projects, laying the foundation for the company’s continued innovation in the field of security operations technology.
Product Background
As enterprise security operations systems grow more complex, security detection relies ever more heavily on multi-layered data collection, data processing pipelines, and detection rule systems. However, in actual operation, existing security operations systems still face the following key challenges:
a) Failure of detection rules is difficult to detect. When log fields change, data formats are adjusted, or systems are upgraded, detection rules that depend on specific fields may fail. However, SOC systems typically do not provide proactive alerts, leading to a decline in security detection capabilities that goes unnoticed.
b) Complex security data pipelines make problem identification challenging. Security logs typically need to go through multiple stages, including log collection, data pipelines, data storage, and SIEM. If data loss or field changes occur at any stage, security teams often struggle to quickly pinpoint the source of the problem.
c) System changes may undermine detection capabilities. During security system upgrades, log structure adjustments, or data pipeline optimizations, existing detection rules may be impacted. However, traditional security systems lack mechanisms to assess the impact of such changes.
d) There is a lack of continuous validation mechanisms for the security detection system itself. Existing security products primarily focus on attack detection and response, while lacking ongoing monitoring of the effectiveness of the security detection system itself.
In response to these challenges, Fig Security has introduced a security observability and detection reliability management technology designed for SecOps infrastructure. By automatically analyzing dependencies among security data flows, detection rules, and response processes, the technology continuously monitors the health status of security data. When system changes or data anomalies occur, it promptly identifies degradation in detection capabilities, thereby enhancing the reliability and controllability of security operations systems.
Solution Overview
Fig Security has introduced a Security Operations Resilience solution designed for modern Security Operations Centers (SOCs). By continuously analyzing the dependencies between security data pipelines and detection processes, the solution monitors and validates security detection systems in real time, so that detection and response capabilities remain effective as the environment changes. The core concept is a “validation and observability layer” built atop traditional security detection systems, enabling continuous monitoring and impact analysis of security detection workflows. As illustrated in Figure 2, the product interface decomposes the security operations workflow into modular components and maps the relationships among them. Through this interface, users can monitor the operational status of the current security system, automatically identify changes in each module and their impact on the overall system, and then discover and remediate failures.

Figure 2: Fig Security Product Interface Example

Solution Architecture
Fig Security’s overall solution architecture is built around a visualization and validation layer for SecOps data pipelines, with its core objective being the continuous tracking and analysis of the complete process from security data generation to response. By integrating with enterprises’ existing security technology stacks, the system automatically discovers and models security data flows and detection processes, thereby forming a comprehensive view of the security detection workflow.
In a typical deployment environment, an enterprise security detection system usually comprises multiple components, including log source systems, data collection agents, data processing pipelines, log storage systems, SIEM analysis platforms, and SOAR automation response platforms. Fig Security constructs a complete topology of detection and response processes by uniformly modeling these components.
Its overall architecture can be abstracted into the following core layers:
a) Data Sources: Includes cloud platform logs, endpoint security logs, network device logs, and application system logs, serving as the original source of security detection data.
b) Data Pipeline: Includes log collection agents, stream processing systems, and data cleaning and transformation systems, used for processing and transmitting security logs.
c) Detection Layer: Includes SIEM systems, rule engines, and threat detection algorithms, used for performing security detection on log data.
d) Response Layer: Includes SOAR platforms, automated response systems, and manual analysis processes, used for handling security incidents.
Built atop the aforementioned systems, Fig Security establishes a unified Detection Flow Map that fully describes the entire process from security data generation to final response, providing the foundation for subsequent monitoring and analysis. The example from the company’s official website (Figure 2) illustrates how Fig Security abstracts the security operations workflow into modular components, then conducts detailed, real-time analysis of each module and the relationships between them, ultimately enabling it to “identify system issues promptly.”
System Functions and Technical Implementation
As a newly established startup, Fig Security has not publicly released whitepapers or technical documentation; therefore, inferences about its technical implementation principles are largely based on publicly available information. The core technical implementation of this product involves building a SecOps Validation and Observability Layer atop traditional security detection systems, achieving continuous validation of security detection capabilities by persistently analyzing dependencies among security data flows, detection rules, and response processes. The system can be divided into multiple functional modules, each responsible for security data discovery, process modeling, dependency analysis, and anomaly detection.
Security System Integration and Data Collection Module
The first step for Fig Security is integrating with enterprises’ existing security infrastructure to obtain structural information about the security detection system. Enterprise Security Operations Centers typically consist of multiple systems, such as log collection systems, data processing pipelines, SIEM platforms, data lakes, and SOAR automation response platforms. These systems collectively form the complete security detection and response workflow. Public information indicates that the Fig Security platform can integrate with enterprises’ existing technology stacks and automatically discover detection and response process structures without requiring changes to the original system architecture.[2]
Based on its capability descriptions, we have made reasonable inferences about the technical implementation. First, the system can obtain configurations and metadata by calling APIs provided by security platforms, such as detection rule configurations in SIEM, log index structures, and automated response workflows. Second, the system can parse configuration files of log pipelines and data processing systems, such as Logstash pipelines, Fluentd configurations, or Kafka topic definitions, thereby identifying log flow paths between different systems. Additionally, the platform can identify data structures through sampling analysis of log data, including log field names, field types, and data distribution patterns. This information collectively forms the foundational data for subsequent security process modeling.
Security Data Pipeline Modeling
After obtaining system structural information, the platform needs to construct a comprehensive security data pipeline model. Public information indicates that Fig Security can automatically discover and map an organization’s complete detection and response processes, tracking the entire journey of security data from data sources to final response systems—a process commonly referred to as data lineage analysis [3].
This model describes the complete flow path of security data within the system, such as how logs enter the log collection system from data sources, pass through data pipelines into the SIEM platform for detection, and ultimately trigger automated response workflows. By constructing such a data pipeline model, the system can clearly delineate the dependencies of security data across different systems. Public reports indicate that the platform builds a model describing data flow relationships between security systems and continuously analyzes the connections among these components [4].
In terms of technical implementation, this module typically constructs a graph-structured model where nodes represent system components (such as data sources, data pipelines, detection rules, or response processes), and edges represent data flows or dependencies. Through this approach, the system can form a comprehensive Detection Flow Map, providing a foundation for subsequent detection capability validation.
Detection Rule Parsing and Dependency Analysis
After completing data pipeline modeling, the system needs to further analyze the dependencies between detection rules and data. Public information indicates that the platform can continuously validate detection logic and analyze dependencies among security systems, so the system must parse detection rules and identify the data fields they depend on [4].
In terms of technical implementation, the platform needs to parse detection rules written in the query languages of different SIEM systems. For example, Splunk rules are written in SPL and Microsoft Sentinel rules in Kusto Query Language (KQL), while Elastic rules use Elastic’s own languages: its KQL is the Kibana Query Language, which is unrelated to Kusto despite the shared acronym, and Elastic rules may also be written in EQL or Lucene syntax. Vendor-neutral rule formats such as Sigma add yet another grammar. These rules typically contain filter conditions, aggregation conditions, and correlation logic expressed over log fields. By syntactically parsing the rule statements, the system can identify the field names and data sources a rule references and thereby establish dependency relationships between detection rules and data sources. When log fields change or data sources experience anomalies, the system can use this dependency model to identify the potentially affected detection rules. Whereas the data pipeline modeling described above captures coarse-grained flow between systems, this step captures the fine-grained relationships between data elements, such as field name mappings and normalization aliases introduced by the pipeline. Resolving these relationships ensures that when a system change occurs, the related rules can be identified immediately and the risk of silent rule failure detected in time.
Data Drift and Anomaly Detection
After establishing security data pipelines and rule dependencies, the system needs to continuously monitor changes in security data to identify anomalies that could lead to degraded detection capabilities. Public information indicates that the platform can monitor data pipeline health status and identify abnormal changes in data pipelines, such as data pipeline failures or degraded detection capabilities caused by system configuration changes [4].
In terms of technical implementation, this module typically identifies anomalies by performing statistical analysis on log data. For example, the system can monitor whether log fields suddenly disappear, whether field types change, or whether log volumes experience abnormal fluctuations. When certain key fields no longer appear in logs, the system can determine that the data pipeline may have changed and further analyze whether this change affects existing detection rules.
Additionally, anomaly detection methods commonly used in data engineering can be applied to identify log volume changes or data format variations, for example by flagging deviations from a statistical baseline of the data distribution. Related research indicates that baseline analysis of data streams can surface data source anomalies, data format drift, and log volume changes [5]. In plain terms, at this stage Fig Security functions as an anomaly detection module, and anomaly detection itself is a direction with many years of research and practice behind it. How well the company applies it to the specific problem of risk control for security operations systems may be one of the product’s core competitive advantages. One practical caveat applies to any such baseline: if it is learned from a window that already contains a defect (a field that was silently dropped last month), the defect becomes “normal,” so baselines need to be anchored to a known-good period or checked against the schema the detection rules actually expect rather than learned blindly.
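The field-presence, type and volume checks described in this section, as an added example that is not Fig Security’s code: it profiles a baseline batch of JSON log events and compares a later batch covering the same window length against it. The log lines, field names (event_id, user.name, user.upn, src_ip, logon_type) and the stable_floor and volume_drop thresholds are all constructed for illustration.

```python
"""Schema and volume drift detection over two batches of JSON log events.

Added example, not Fig Security's code. Profiles a baseline batch (field
presence and value types), then compares a later batch covering the same
window length and flags vanished, new and re-typed fields plus a volume drop.
All log lines, field names and thresholds are constructed for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed baseline window: Windows logon events as the SIEM received them last week.
BASELINE_LINES = [
    '{"event_id": 4624, "user": {"name": "alice"}, "src_ip": "10.0.0.5", "logon_type": 10}',
    '{"event_id": 4624, "user": {"name": "bob"}, "src_ip": "10.0.0.9", "logon_type": 3}',
    '{"event_id": 4625, "user": {"name": "carol"}, "src_ip": "10.0.0.7", "logon_type": 3}',
    '{"event_id": 4624, "user": {"name": "alice"}, "src_ip": "10.0.0.5", "logon_type": 2}',
    '{"event_id": 4625, "user": {"name": "dave"}, "src_ip": "10.0.0.12", "logon_type": 10}',
]
# Constructed current window: a pipeline change renamed user.name to user.upn,
# started emitting event_id as a string, and volume halved.
CURRENT_LINES = [
    '{"event_id": "4624", "user": {"upn": "alice@corp.example"}, "src_ip": "10.0.0.5", "logon_type": 10}',
    '{"event_id": "4625", "user": {"upn": "bob@corp.example"}, "src_ip": "10.0.0.9", "logon_type": 3}',
]

Finding = Tuple[str, str, str]  # (kind, field, detail)

@dataclass
class Profile:
    count: int
    presence: Dict[str, float]  # fraction of events in which the field appeared
    types: Dict[str, Set[str]]  # JSON value types observed per field

def _type_name(v) -> str:
    """JSON type of a value; bool is checked before int because bool subclasses int."""
    for typ, name in ((bool, "bool"), (int, "int"), (float, "float"), (str, "str"), (list, "list")):
        if isinstance(v, typ):
            return name
    return "null" if v is None else "object"

def _flatten(obj: dict, prefix: str = "") -> Dict[str, object]:
    """Flatten nested objects into dotted keys such as user.name."""
    out: Dict[str, object] = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(_flatten(v, prefix + k + "."))
        else:
            out[prefix + k] = v
    return out

def profile(events: List[dict]) -> Profile:
    """Per-field presence fraction and observed value types over one batch."""
    presence: Counter = Counter()
    types: Dict[str, Set[str]] = {}
    for ev in events:
        for k, v in _flatten(ev).items():
            presence[k] += 1
            types.setdefault(k, set()).add(_type_name(v))
    n = len(events)
    return Profile(n, {k: c / n for k, c in presence.items()}, types)

def detect_drift(baseline: Profile, current: Profile,
                 stable_floor: float = 0.9, volume_drop: float = 0.5) -> List[Finding]:
    """Compare two equal-length windows. A field is 'stable' when present in at least
    stable_floor of baseline events; volume_drop is the fractional decrease that alarms."""
    findings: List[Finding] = []
    for f, p in baseline.presence.items():
        if p < stable_floor:
            continue  # optional field in the baseline; its absence is not drift
        cur_p = current.presence.get(f, 0.0)
        if cur_p == 0.0:
            findings.append(("missing_field", f, f"in {p:.0%} of baseline events, absent now"))
            continue
        if cur_p < stable_floor:
            findings.append(("sparse_field", f, f"presence fell from {p:.0%} to {cur_p:.0%}"))
        new_types = current.types.get(f, set()) - baseline.types[f]
        if new_types:
            findings.append(("type_change", f, f"new value types {sorted(new_types)}"))
    for f, cur_p in current.presence.items():
        if f not in baseline.presence and cur_p >= stable_floor:
            findings.append(("new_field", f, f"in {cur_p:.0%} of current events, unseen in baseline"))
    if baseline.count and current.count < baseline.count * (1 - volume_drop):
        findings.append(("volume_drop", "*", f"{baseline.count} -> {current.count} events per window"))
    return findings

def load(lines: List[str]) -> List[dict]:
    return [json.loads(line) for line in lines]

def run_example() -> List[Finding]:
    """Baseline vs. current on the constructed windows above."""
    return detect_drift(profile(load(BASELINE_LINES)), profile(load(CURRENT_LINES)))

if __name__ == "__main__":
    for kind, fld, detail in run_example():
        print(f"{kind:14} {fld:12} {detail}")
```

Run directly to print the findings. The missing user.name and the integer-to-string event_id are exactly the changes a field-dependent rule would miss without raising any error, and the new user.upn field is the hint that a rename rather than a collection outage happened. The baseline must be profiled from a window known to be healthy, and the two batches must cover the same window length for the volume comparison to mean anything.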
Detection Capability Validation and Root Cause Analysis
When the system identifies data anomalies or dependency changes, it needs to further assess their impact on security detection capabilities. Public information indicates that the Fig Security platform can issue alerts when detection capabilities are affected, and explain the root cause and potential impact of the problem.
In terms of technical implementation, the system utilizes the previously constructed security data pipeline model to perform impact analysis. When a data field or system component changes, the system can trace its impact scope along the data pipeline. For example, when a log field is deleted from the data pipeline, the system can identify all detection rules that depend on that field and analyze whether these rules will fail. Through this approach, the platform can provide security teams with clear problem localization information, such as pointing out whether the issue is caused by log collection failure, data pipeline configuration changes, or changes in fields that detection rules depend on.
System Change Simulation and Risk Assessment
In addition to monitoring system operational status, Fig Security also supports impact assessment for security system changes. Public information indicates that the platform allows security teams to simulate changes before system upgrades or configuration adjustments and evaluate the impact of these changes on detection processes.
In terms of technical implementation, this module typically performs analysis based on the security data pipeline model. When security teams plan to modify data pipelines, update log formats, or adjust detection rules, the system can calculate the impact scope of related nodes based on the dependency graph, thereby identifying detection rules and response processes that may be affected. The system generates reports on changes in detection coverage, helping security teams determine whether changes will lead to degraded security detection capabilities. Through this approach, enterprises can identify potential security blind spots before system deployment, thereby avoiding disruption to existing defense capabilities due to system changes.
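The graph-structured Detection Flow Map, the rule-to-field dependency extraction, the downstream impact tracing for root cause analysis, and the pre-change simulation described in the four preceding sections, combined into one added example that is not Fig Security’s code. The pipeline components, datasets, rules and playbooks (FLOW, RULES, PLAYBOOKS) are constructed; the field extraction is a regex heuristic over SPL-style queries that handles the left-hand sides of comparisons and the names after a by clause, not a real SPL parser, and a production system would use the SIEM’s own parser or search API instead.

```python
"""Detection flow map with field-level dependencies, impact tracing and
pre-change simulation.

Added example, not Fig Security's code. Components, rules and playbooks are
constructed; rule_fields() is a regex heuristic over SPL-style queries
(comparison left-hand sides and `by` clauses), not a real query parser.
"""
import re
from collections import deque
from typing import Dict, List, Set

# Constructed data-flow edges: source -> pipeline stages -> SIEM dataset.
FLOW: Dict[str, List[str]] = {
    "dc01:winlogbeat": ["kafka:win-events"],
    "kafka:win-events": ["logstash:win-normalize"],
    "logstash:win-normalize": ["siem:winlogs"],
    "resolver01:dnstap": ["siem:dnslogs"],
}
# Constructed detection rules (SPL-style) and the dataset each one reads.
RULES: Dict[str, Dict[str, str]] = {
    "brute_force_logon": {"dataset": "winlogs",
        "query": "index=winlogs EventCode=4625 | stats count by user.name, src_ip | where count > 10"},
    "admin_logon_from_vpn": {"dataset": "winlogs",
        "query": "index=winlogs EventCode=4624 logon_type=10 user.name=admin* | stats count by user.name, src_ip"},
    "service_install": {"dataset": "winlogs",
        "query": "index=winlogs EventCode=7045 | stats count by host, service_name"},
    "dns_tunnel": {"dataset": "dnslogs",
        "query": "index=dnslogs query_length>60 | stats count by src_ip"},
}
# Constructed response playbooks and the rules that trigger them.
PLAYBOOKS: Dict[str, List[str]] = {
    "disable_account": ["brute_force_logon"],
    "notify_soc": ["brute_force_logon", "admin_logon_from_vpn", "service_install", "dns_tunnel"],
}

_CMP = re.compile(r"\b([A-Za-z_][\w.]*)\s*(?:==|!=|>=|<=|=|>|<)")  # field on the left of an operator
_BY = re.compile(r"\bby\s+([\w.\s,]+?)\s*(?=\||$)")                # names after `by`, up to next pipe
_NOT_FIELDS = {"index", "sourcetype", "source", "count"}           # dataset selectors, aggregate outputs

def rule_fields(query: str) -> Set[str]:
    """Heuristic: field names a rule compares on or groups by."""
    fields = set(_CMP.findall(query))
    for group in _BY.findall(query):
        fields.update(f for f in re.split(r"[,\s]+", group.strip()) if f)
    return {f for f in fields if f not in _NOT_FIELDS}

def build_flow_map() -> Dict[str, List[str]]:
    """Directed graph: flow edges plus dataset->rule, field->rule and rule->playbook edges."""
    graph: Dict[str, List[str]] = {n: list(t) for n, t in FLOW.items()}

    def edge(a: str, b: str) -> None:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, [])  # make sure sinks exist as nodes too

    for name, rule in RULES.items():
        edge(f"siem:{rule['dataset']}", f"rule:{name}")
        for fld in rule_fields(rule["query"]):
            edge(f"field:{rule['dataset']}/{fld}", f"rule:{name}")
    for playbook, triggers in PLAYBOOKS.items():
        for r in triggers:
            edge(f"rule:{r}", f"playbook:{playbook}")
    return graph

def downstream(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """Every node reachable from start: the blast radius of that node failing or changing."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def affected_rules(graph: Dict[str, List[str]], start: str) -> List[str]:
    return sorted(n[len("rule:"):] for n in downstream(graph, start) if n.startswith("rule:"))

def affected_playbooks(graph: Dict[str, List[str]], start: str) -> List[str]:
    return sorted(n[len("playbook:"):] for n in downstream(graph, start) if n.startswith("playbook:"))

def simulate_field_rename(graph: Dict[str, List[str]], dataset: str, old: str, new: str) -> Dict[str, object]:
    """Pre-change assessment: rules that stop matching if `old` is renamed to `new` in `dataset`."""
    broken = affected_rules(graph, f"field:{dataset}/{old}")
    total = sum(1 for r in RULES.values() if r["dataset"] == dataset)
    return {"rename": f"{dataset}.{old} -> {dataset}.{new}", "broken_rules": broken,
            "rules_on_dataset": total, "coverage_after": (total - len(broken)) / total if total else 1.0}

if __name__ == "__main__":
    g = build_flow_map()
    print("kafka:win-events outage ->", affected_rules(g, "kafka:win-events"), affected_playbooks(g, "kafka:win-events"))
    print("user.name removed ->", affected_rules(g, "field:winlogs/user.name"))
    print(simulate_field_rename(g, "winlogs", "user.name", "user.upn"))
```

A missing field and a failed pipeline component are the same question against the graph: downstream() of the field node or of the component node, which is what makes root cause localization and impact analysis one mechanism. simulate_field_rename() asks that question before the change is applied, which is the point of the simulation step: a normalization change that renames user.name breaks two of the three winlogs rules and leaves detection coverage for that dataset at one third, a blind spot that would otherwise surface only when an alert fails to fire.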
Conclusion
Fig Security’s solution primarily addresses the challenge of validating detection capabilities within modern security operations systems. By building a validation and observability layer atop existing security technology stacks, it achieves continuous monitoring and assessment of security detection processes. Compared to traditional security products, this solution exhibits several notable characteristics in security operations reliability management.
(1) Full-Process Observability for Security Detection Systems
Traditional security products typically focus on attack detection or incident response. For example, SIEM platforms are responsible for log analysis and detection rule execution, while SOAR platforms handle automated response workflow orchestration. However, these systems often lack visualization and observability capabilities for the entire detection process. Fig Security’s solution automatically discovers detection and response processes within enterprise security systems and tracks the complete data pipeline of security data from data sources, through data pipelines and SIEM platforms, to automated response systems, thereby enabling security teams to understand the operational structure of security detection systems from a holistic perspective. Public information indicates that the platform can construct a comprehensive detection flow map and track end-to-end data lineage, thus achieving continuous monitoring of security detection processes.
(2) Continuous Validation of Security Detection Capabilities
Traditional SOC systems typically assume that detection rules are always effective. However, during actual operation, factors such as log structure changes, data pipeline configuration adjustments, or system upgrades may cause detection rules to fail. Fig Security’s solution performs continuous validation of detection logic by persistently analyzing dependencies between detection rules and data fields. When the system detects changes in data fields that detection rules depend on or anomalies in data pipelines, it can promptly identify potentially affected detection rules, thereby avoiding security blind spots caused by failed detection logic. Related reports indicate that the platform can continuously validate detection logic and issue alerts when detection capabilities are impacted.
(3) Automated Root Cause Analysis Capabilities
In complex security architectures, when detection capabilities decline or detection rules fail to trigger, security teams often struggle to quickly pinpoint the source of the problem. For example, issues may originate from log collection systems, data pipeline configurations, log field changes, or the detection rules themselves. By constructing a security data pipeline model, Fig Security enables the system to automatically trace problem sources along the data pipeline and identify the specific components causing detection capability degradation. Public information indicates that the platform can explain the root cause when detection capabilities are impacted and identify system changes that affect detection processes.
(4) Support for Security System Change Impact Assessment
During enterprise security system upgrades or configuration adjustments—such as log format changes, data pipeline structure modifications, or detection rule updates—existing security detection systems may be impacted. By analyzing the security data pipeline model, Fig Security’s solution can simulate the impact of system changes on detection processes, thereby identifying potential risks before system deployment. Public information shows that the platform supports simulation of security system changes and evaluates whether these changes will disrupt existing detection capabilities.
(5) No Changes Required to Existing Security Architecture
Fig Security’s solution does not replace existing security products but rather operates as an independent validation layer atop the current security technology stack. The platform obtains system information through API integration and configuration parsing, without requiring changes to enterprises’ existing SIEM, data pipeline, or SOAR system architectures. Public information indicates that the platform can integrate with and analyze enterprise security processes without altering existing security infrastructure.
In summary, Fig Security’s solution, by building observability and validation mechanisms for security detection processes, achieves continuous monitoring and assessment of enterprise security operations systems, enabling security teams to timely identify degraded or failed detection capabilities, thereby enhancing the reliability and controllability of overall security operations systems.
References
[1] https://fig.security/
[2] https://pulse2.com/fig-security-38-million-raised-for-secops-resilience-platform/
[3] https://www.helpnetsecurity.com/2026/03/03/fig-security-38-million-seed-and-series-a-rounds
[4] https://siliconangle.com/2026/03/03/fig-security-launches-38m-map-validate-secops-detection-response-flows/
[5] https://softwareanalyst.substack.com/p/the-rise-of-security-data-pipeline
The post “RSAC 2026 Innovation Sandbox | Fig Security: Guardian of the Reliability of Security Detection Systems” appeared first on NSFOCUS, Inc.

This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/rsac-2026-innovation-sandbox-fig-security-guardian-of-the-reliability-of-security-detection-systems/