Building AI Agents to Fight Cybercrime: Vineet Edupuganti on Scaling Cogent Security and Winning Over Skeptical CISOs

Speaker A: Welcome to the Uncharted podcast. This is Polya. I have a special guest, first one of 2026, Vinette from Cogent Security. Welcome to the Uncharted podcast. How are we on this wonderful Tuesday? Doing great.

Speaker B: It's great to be with you.

Speaker A: It's great to be here. We were just talking about the weather before we came on the show. We're pretty blessed being in the Bay Area with the beautiful weather. It's super bowl week. Before we get into the fun game, give everybody a little bit of context on who you are.

Speaker B: Absolutely. So my name is Vineet Aduprianti. I'm the co founder and CEO of a company called Cogent Security. We build AI agents that, uh, investigate and resolve security vulnerabilities. My background, interestingly, did not start in cybersecurity, so I began my career as a machine learning engineer. Did a lot of work actually in the early innings of generative AI. So well before ChatGPT and the most recent hype wave, was working on that technology in a range of different applications and environments. Somewhat accidentally stumbled on cybersecurity, ended up at a company called Abnormal AI. So that company was very focused on email security, basically plugging into Microsoft 365 and Google Workspace accounts, finding the malicious emails there and being able to eliminate those without causing false positives. So it was a really interesting problem. I saw that company scale from just a small number of employees all the way to thousand plus folks, couple hundred million of revenue. And through that experience saw a bunch of things that are just fundamentally broken in cybersecurity. It's really interesting because it's a very impactful and horizontal and pervasive set of problems. And yet many aspects of cyber look the same today as they did 20 years ago. And a lot of those learnings were really the inspiration for starting Cogent.

Speaker A: Let's start with the Abnormal experience because it's a company that I would say is very favored in cybersecurity and usually you don't come across that quite often within the cyber security space.

Speaker B: Not wrong.

Speaker A: What are the two or three things Abnormal did well that you want to bring to your own company?

Speaker B: So I think the first thing, which is the highest leverage thing and the hardest thing to change is what problem are you solving? Right. And I think the interesting thing is at that time, phishing and social engineering, this was the leading cause of cybercrime, one of the leading causes of breaches. And so it was a hero on fire problem. It's an intuitive problem, right. If you were to Go to any chief information security officer and say, hey, your budget is slashed by 80%. You could keep five things. Email security is one of the things you'd keep right as his vulnerability management, which is where we focus. And I think on top of that, there's a lot of visibility even higher up in the org. Right. Like a CEO or a CIO immediately can empathize with the problem. Oh yeah, I remember that bad email that landed in my inbox. So I think that was one thing, solving a problem that was very important and, uh, very recognizable. And then I think from a product standpoint, which is maybe what you're getting at as well, a lot of products in cybersecurity are very clunky, they're hard to deploy. You basically need a PhD to be able to go and navigate the UI. And with abnormal, one of the core product principles was just simplicity. Plug it in, you press one button, this goes and does its job. You can show up in the UI to check on it whenever you want. And I think that was a very significant paradigm change where really easy to set up, really easy to use, solved an entire problem. And I think those are generalizable learnings, not just in cybersecurity into Cogent, but probably across every product in every industry out there.

Speaker A: As you're talking, I'm like thinking about your go to market motion. I'm assuming you're bringing some of those things, making sure the problem you're solving is hairy and impactful. It's easy to get going with customers. I think there's benefits of that because I'm assuming you'll get usage going. Right. As a company that's fairly young, but the downside of that sometimes is other bigger companies in the space can copy you. How do you balance the two?

Speaker B: I think like one thing first of all is just given the nature of the product, usage is a metric. This is something I tell our team as well, but it's not the metric like it would be for a productivity tool or some consumer application. And this was actually another thing that we saw at Abnormal and we see at Cogent as well. You just be sitting back and relaxing on the couch and the product is doing the job for you. Right. So if we're trying to drive outcomes from a security standpoint with agents that are in many areas replacing the work that humans would otherwise have to do, you actually don't necessarily need people coming in and being in the console 24. 7. But I think to your broader point on us as startups versus incumbents, I Think there's a multitude of advantages that startups have. I think the first is the fact that we are more nimble and can operate like a Switzerland layer. I think what we see typically with these big companies, they're very locked into their own ecosystem, um, they don't integrate nicely with a bunch of other tech stacks because maybe some vendors or their competitors or what have you. So there's the strategic side of things. I think there's an architectural side of things as well, right. Where you have thousands of customers and 15 year old legacy technology, really hard to retool into something modern and then port over all those use cases, all those customers, do that fast and not break a bunch of stuff. And so that ends up being a very costly, expensive and risky process for a number of those companies. And then I think the final piece is just actually talent, right? And the reality is that the best applied AI engineers, the best software folks that you know, are not clamoring to go work at like legacy 25 year old cybersecurity. And part of our bet is that we have an edge in being able to recruit that talent that wants to work in this domain that is paired with folks that are very deep in cyber and therefore we're able to innovate and cook things up that may not be happening in those sorts of ecosystems.

Speaker A: I actually think hiring talent right now is like one of the most competitive things I've seen, especially where we are in San Francisco. What have you found to be successful and what has been a challenge?

Speaker B: Yeah, it's the million dollar question, right? And I think if you or uh, anybody else figures it out, give me a call. But I think just to echo your point, it's the most crazy I've ever seen in the talent landscape. And part of the reason why is you have distortion at the top end of the market, right? Big tech, the labs, all these sorts of entities that are just waving around crazy amounts of cash and attracting a lot of people. And then I think in the startup side of things, on the other side of the barbell, there's just so much choice. And I talk to candidates all the time who are like there's a thousand Y Combinator companies and this many companies backed by top VCs. How do I even start to pick these things apart? And so I think a guide that I would give both to recruits, but then also to founders of companies that are trying to help the candidates you're trying to recruit parse their way through the noise. Number one, you have to be an asset that's worth buying into. Right. So are you solving a big, meaty, important problem? I think that's what the best talent really looks for. So I think that's number one. I think branding, as painful as it is to say, is absolutely essential. Right. So if you have top VC backing, good logos of folks from your team, good traction, right. All those things I think really add up and it's a way of elevating above the rest of the folks in the pack. I think your existing team and culture, that's super paramount. Right. All the time we talk to candidates who are trying to understand what is the founder story. How did you come to birth this thing to life? Why do you spend so much time on it? Who are the backgrounds of the folks on the team? And for us, having a bunch of these pedigreed folks from places like DeepMind, Coinbase, Tesla Databricks, that definitely gives us an edge for the folks that want to come in and gain like 20 years of experience in two by learning from people what excellence looks like, but also having the autonomy to be at a startup. And then I think the final one, and this one may be more bespoke us in companies like ours is really mission, right? Because I talked to some companies also candidates vying for positions at multiple companies where it's like, hey, I could be working on applied AI for cybersecurity or applied AI for marketing and similar tech stacks, maybe similar caliber teams. And part of what we position there is do you really want to be building cutting edge AI to send people a bunch of marketing emails, or do you want to be doing that to go and fight the bad guys and help create a more secure world? I think that pitch actually really resonates with a bunch of folks.

Speaker A: From a, um, engineering perspective, how close are engineers to the customer? To talk to me a little bit about the landscape of making sure the team that's actually building can see the impact it has on the customers. How do you make sure that?

Speaker B: It's tricky, right? Because when you start a company, it's just three, four, five people around the table. You can have a couple of those folks on a customer call. The other two people are maybe like sitting just out of view of the camera, listening in. And then what happens when you get to 30 or 40 people? Is there some people whose core responsibility it is to be on those calls? Could be your sales engineer, product manager, maybe your Ford deployed engineer. But then there's a bunch of people that are out of the loop. Right. And I think we have a lot that we can do to mature in this domain, but we're trying to build systems that enable really tight information flow, right? So you have a customer call notes are transcribed from, that gets sent out into slack channels for broader visibility summarization through LLMs, right, that are parsing through call transcripts, extracting out the relevant product insights to send over to the product team, engineering insights that can be routed over to the relevant folks, and really just trying to break down silos wherever possible. Because I do see that becoming a challenge, right? When you have hundreds of employees, right, and the company scales, you end up in a scenario where there's this very long telephone chain and the people actually doing the work don't actually know why it matters, right? So more we can be doing in that vein, but it's really building systems that can break down these barriers.

Speaker A: And I'm assuming you guys sell to CISOs. Everything I have learned in interacting with CISOs and even our own CISO companies I work at, support, they're, um, they're a hard group to win over. They have a very high bar. You can't BS them. I think especially for cyber, there's so many people hitting the success you've had, bringing on some of the clients you've had. What do you contribute?

Speaker B: That I have all these startups bombarding me and I'm sure there's great ideas somewhere in there, but when six people are all working on the same thing, I have no idea what horse to bet on, right. And if that meeting is worth my time. So I think just to break through, it kind of goes back to what we were talking about with talent as well, the VC backing, the associations, who the founders are. I think that actually does make a pretty significant impact early on in terms of just getting that first cohort of people and then you just have to light the fire, right? Ultimately, like you get those people, they tell their friends, your awareness grows and then it gets steadily easier. So I think that's step one, which is like, how do you get in the door? How do you even get a meeting with these people? Which by the way is non trivial for anybody that's tried. If you're just trying to cold email your way into the Fortune 500 CIOs and CISOs, it is a very difficult endeavor. And then once you're in the door, that's where the other aspect that you're mentioning here comes into play, which is that security audiences are a lot more adversarial, inherently skeptical. It's not, hey, this is some cool Technology, let's just go deploy it and use our discretionary experimental funds. It's let me click every single tab in your product and identify where it breaks. Right. And I think in a way that's good because it sets the bar really high for the product. Right. Where you have to make sure from a data perspective, from an ML inference perspective, from a user experience standpoint, things are airtight because there's really no hiding. Right. I uh, think it's good actually to go through the ringer and have things be battle tested. And that is one thing in cyber that I think is also really nice because that barrier is a little bit higher. It's tougher obviously to overcome the activation energy, but you also have a little bit more of a moat, so to speak, where there's durability and you're building stuff that actually has real value.

Speaker A: And would you say the lifetime value is like through the roof? Like I'm assuming once you guys are in, is it hard to replace you guys?

Speaker B: If the product is deployed in driving value, it's hard to replace. And I think of it like an employee. Right. If you had an employee that was performing really well over a 5, 10 year time, Spanish sure wouldn't just fire them and try to get like an intern to take their job. I think of it the same way. And we sit on a lot of proprietary data. Our system gets smarter every successive day as it continues to learn the customer's environment, so. Absolutely right. And that's why whether you take examples of abnormal or other best in class cyber companies, it's an annuity. Right. Customer may be a lifelong customer. And that's where for us like earning that trust initially is the most critical part because it's just the start of what might be a multi decade relationship.

Speaker A: Yeah, I've seen you talk uh, a lot lately about the role of AI when it comes to cybersecurity. And what I'm curious is, it's like the good guys have access to it, so did the bad guys. Right. What's the optimistic view of that scenario and what's the pessimistic view that concerns you?

Speaker B: We'll start with the pessimistic view, which is current state. Right. Which is basically any hacker can just feed a prompt into clogged code and exploit vulnerabilities and breach organizations in way less effort than was previously the case.

Speaker A: Right.

Speaker B: It used to be that you had to be good at your job. Humans only had so much time even on the hacking side of things, and now they're able to scale themselves. And I think the asymmetry is that the hacker only needs to be right once, meanwhile the defender needs to be right all the time. Right. You can't make any mistakes and at the same time you have to protect availability of your systems. Right. In our domain, if you try to patch a vulnerability and take down some revenue generating system, that's probably worse than having the vulnerability in the first place. Right? So lots of dynamics and very complex. So pessimistic view is every attacker is now a superhero and organizations are scrambling with not enough people to do the jobs, not enough ability to move at that same pace. What is the promise and the optimistic view? That's really where we fit and what we're trying to usher in, which is building these defensive AI agents that understand the model of an organization, operate like its best IT security and engineering personnel, and then cut off the attack paths proactively before the attacker can get in. And so I think the optimistic, bullish view in five years is you have defensive AI that can actually neutralize the offensive AI.

Speaker A: Do you think the good guys are going to move faster than the bad guys?

Speaker B: I think there's two aspects. I think like number one on the defensive side, it's a shift from a reactive model to a proactive model. I think if you're always in this cat and mouse chasing the tail type of dynamic, it's very difficult to stay abreast of what's happening. And so I think that's where again gen and some of this new technology can be deployed. Is thinking about predictive, proactive, where could the risk manifest in the future and how do I make myself smaller as an organization so there's less surface area for an attacker to break in? And then, uh, I think some of the other pieces that we want to think about just from a defensive standpoint is one of the advantages that defenders actually have over the attackers is better understanding of their environments. What are my crown jewels? Right? What are the soft points? And actually if you have that insight, you can start to be a little bit smarter about how you fortify your company. And that's actually one of the core tenets of our approach as well, is gathering that organizational context and then deploying it, uh, for superior security outcomes.

Speaker A: How often do you have to be involved in like the sales cycles and these conversations with CISOs versus having the rest of the team take advantage of it?

Speaker B: I pick my spots. There's only so much time in the day, right? I think in an ideal state I'd be everywhere. But some of the things that are especially leveraged for me is early on conversations. Right. I think at this stage, a lot of it is evangelical. Right? Here's why you should go bet the future of your security strategy on this company that you may or may not have ever heard of warming that up, telling the story, getting people excited. That's where I can uniquely contribute. And then there's spots along the way where of course, I want to inspect that the right things are happening and support the team and more and more with time. Obviously that'll be delegated off and handed off to additional folks, but it's the biggest tension point because I want to be everywhere. But obviously, as you grow and as you have more and more customers, that becomes practically impossible.

Speaker A: Lately, at least in my experience, the hardest part has been even getting the meeting, getting the at bats. Right, right. What have you found to be like, successful? Go to market channels, Is it referrals? Is it dinners? Is it, uh, into your VC networks?

Speaker B: Yeah. It's interesting because in the age of AI, where now everybody's got like an AI cold emailer at their disposal, what it's done is, in my opinion, and from what I'm seeing, it's saturated those channels, right. I talk to so many buyers who say this is like LinkedIn message number 56 of the morning, right? From all the vendors trying to reach me. And there's just so much clutter. People are tuning it out. And so anything that is relationship oriented I found to have much greater success. So that could be warm intros, right? That could be activating your personal network, going out to events like meeting people and shaking their hand in person, telling the story, making a social connection, having them associate the face, uh, the name, the company, right. If we just look at our funnel and run the metrics, disproportionate amount of the customers and prospects that we have come through those sorts of mechanisms.

Speaker A: I'm curious on the emotional intelligence side, what's like a soft skill that you think has been really incredibly hard to pick up for yourself for the last 12 years that you think has had the most impact?

Speaker B: I think this whole journey of entrepreneurship ultimately is a great test of resilience, right. And I think there's the common saying, right? The highs are never as high as they seem. The lows are never as low. And I think, like, ultimately, like these things happen at such high frequency, right? At, ah, 10:00am Maybe something happens. That's super exciting. 1:00pm Something happens. That's unfortunate. I think when you go through enough cycles of those things, it just, like, battle hardens you. Right. My emotional roller coaster right now has a lot less variance than it did a year ago if we were getting started. And I think that's actually a really positive outcome of going on this journey is you kind of get to a point where nothing phases you, right. And you take it all in stride and you think about the next step, not dwelling on the past. And ultimately, I think those muscles just working out at the gym, you'll develop them, um, once you have enough reps. Right. And so no way to do that outside of just building the company, basically.

Speaker A: I would say if there's one common thread I've heard time after time from a lot of founders, it's that you just gotta be in the middle. Are there things outside of just experience that have helped you deal with it, uh, better?

Speaker B: I think a really important thing is to build your support network. And I don't mean necessarily support network in the form of counselors or therapists. Maybe those things are useful, but I think at the very least, a council of peers and folks that have been through it before that are basically your mentors, and you can call them about anything, share exactly what's on your mind. There's no fear of that going back to your board or whatnot. To have a set of, I think, like five to 10 people in that circle, that becomes super helpful because the reality is, when you encounter any situation, chances are they face that or something that's somewhat analogous in the past, and you just talk through it. Right. And sometimes you just need that ability to get things off your chest and brainstorm with folks and have that sparring partner in an environment that has no judgment, no stakes. Make sure you define who are those five to 10 people that have diverse skill sets. And maybe when you're encountering a certain situation, you pluck the two people that are most relevant, use them, um, and your counsel. Right. And then make your decisions and proceed from there.

Speaker A: Could not agree more. I've really enjoyed this episode, and I can't thank you enough for paying it forward. The one question we love to ask before we say our goodbyes. If you could go back to any time, and I'll let you pick the, uh, time. What's one piece of advice you would give your younger self now that you've been on this journey?

Speaker B: We hit on it a little bit earlier. Right. I think, like, one thing that I've learned that is a little bit counterintuitive, and I never would have thought this maybe a decade ago, is the impact of relationships, right? These people become your investors, your customers, your team. Right? And people from your network just show up in such interesting ways. And I think in college, high school, whatever, right? We're so wired to focus on academics because that's the immediate short term objective in front of you. You get, like a quick reward mechanism, um, of the feedback there. But I think actually, like, rewinding the clock. You want to work hard, you want to learn as much as you can, but I think just like having fun, building relationships, that's actually super, super impactful. And it's, like, hard to see that there's that much diminishing returns associated with that. So it's actually one thing I wish I had known earlier on. And just to make sure that the audience doesn't think that's a license to goof off, I would join that with. Hard work is also super important. Right. So I think doing those two things in tandem, that's kind of like the advice that I would give to myself maybe a decade ago.

Speaker A: This has been fantastic. Again, I can't thank you enough for coming on the show. I want to thank your team, the CRED PR team, for bringing us together. For everybody. Until next time, be well, be safe. We'll catch you on the next episode of the Uncharted podcast.