91% of Successful Attacks on AI Agents Steal Data Without a Single Stolen Password. Straiker Raised $64M Betting Nobody Else Is Watching.
The scariest attacks on AI agents don't look like attacks. No malware, no stolen credentials, no alarm that fires on any traditional security dashboard. Straiker's own research, published alongside its $64 million Series A this week, found that 91% of successful attacks on productivity agents end in quiet data theft using nothing but the permissions the agent was already granted. The agent did exactly what it was authorized to do. It was just told to do it by the wrong person.
The round was led by Marathon Management Partners, with Citi Ventures, Illuminate Financial, and Workday Ventures joining, and Bain Capital Ventures and Lightspeed returning from the seed. Total raised is now $85 million for a company that launched in 2025. CEO Ankur Shah previously ran Palo Alto Networks' Prisma Cloud business, and the instinct behind Straiker is the one he learned watching cloud security mature a decade ago: you don't secure infrastructure by locking it down before anyone uses it. You secure it by watching what the thing you built is actually doing once real users — and now, real agents — get their hands on it.
The other data point in Straiker's research is the one that should worry anyone deploying coding agents at scale: 36% of successful attacks on coding agents achieve remote code execution. Every enterprise racing to ship AI-written software this year inherited a new class of vulnerability the moment it gave an agent commit access, deployment credentials, or the ability to run its own generated code. Traditional application security scans the code a human wrote. It was never built to evaluate the trustworthiness of an agent that writes, tests, and executes its own code in a single autonomous loop.
The structural problem is that agent permissions are granted once, broadly, for convenience — an agent that books travel needs calendar access, payment methods, and email; an agent that handles back-office work needs CRM, financial systems, and document stores — and then never re-evaluated against what the agent is actually doing in any given moment. An attacker doesn't need to breach that perimeter. They need to convince the agent, through a manipulated input or a poisoned data source, to use the access it already legitimately holds. Static permission models, the foundation of every enterprise security stack built before 2024, have no mechanism for catching that.
This is not a peripheral problem for the agentic finance thesis — it's the central one. Every round flowing into AI underwriting, claims processing, KYC, and payments decisioning is a round betting that agents handling regulated, money-moving decisions can be trusted with standing access to the systems that move that money. Straiker's growth — run-rate revenue up more than 15-fold in under a year, with frontier AI labs and Fortune 500 companies as customers — is the market admitting that trust assumption isn't holding by default. Enterprises aren't buying this defensively. They're buying it because they've already been burned.
Capital is flooding into what agents can do. Almost none of it, by comparison, is flowing into what happens when an agent's legitimate access gets pointed somewhere it shouldn't. That asymmetry closes one of two ways: the market corrects it by funding the Straikers of the agent economy at the pace it's funding agent capability, or an incident big enough to dominate a news cycle does the correcting instead. Betting on the first one arriving in time is the optimistic read.