"The inbox isn't where attacks land. It's what attackers are after."
October 2016. John Podesta's Gmail gets cracked open. Not by some zero-day exploit or nation-state malware - by a phishing link and a password. Within hours, decades of private emails are splashed across the internet. Campaigns collapse. Careers end. And somewhere in San Francisco, Abhishek Agrawal, Senior Product Manager at Dropbox, starts asking a question nobody else is asking: what happens after someone gets in?
Most of the security industry was busy building better locks. Agrawal was already thinking about what to do once the lock is picked. That distinction - quiet, almost academic when he first articulated it - would eventually be worth $1.1 billion.
Material Security, which Agrawal co-founded in 2017 with former Dropbox colleagues Ryan Noon and Chris Park, doesn't just try to block malicious emails. It treats your entire cloud inbox as a sensitive data repository that needs its own layer of zero-trust protection. When a breach happens - and per their premise, it will - your attacker should find the archive locked up behind a second authentication wall. The email itself becomes the vault, not just the attack surface.
That idea is now protecting the email systems of OpenAI, Anthropic, Reddit, Lyft, Roblox, DoorDash, Figma, Databricks, and a roster of enterprises whose security budgets collectively dwarf most countries' GDP.
A breach should not mean it's game over.
- Abhishek Agrawal, Co-Founder & CEO, Material SecurityIn May 2022, Founders Fund led a $100 million Series C that pushed Material Security's valuation to $1.1 billion - making it one of the rare cybersecurity unicorns that reached that threshold without burning through a decade and a dozen pivots. Andreessen Horowitz, Elad Gil, and Snowflake Ventures followed the capital in. The total raised: $184 million.
In April 2023, Agrawal stepped into the CEO role - having previously served as CTO - as co-founder Ryan Noon shifted to Chairman. The transition wasn't turbulent. It was planned, methodical, the kind of founder handoff that rarely makes headlines because nothing went wrong.
Agrawal, Noon, and Park didn't quit Dropbox with a pitch deck and a prototype. They quit with a list. A literal, bullet-point list of suspected problems and proposed solutions. For months, they tested that list on anyone who would listen - security professionals, CISOs, investors - honing the messaging like copywriters before writing a single function.
They built mock landing pages. Not to get sign-ups - to pressure-test language. If a security director didn't immediately recognize the problem statement, the words weren't right yet. They kept going until the problem was undeniable.
This was validation theater done right: real customers, real reactions, no code required. It's a discipline that explains why Material Security's early customers weren't startups looking for a cheap solution - they were enterprise security teams sophisticated enough to know the problem existed before someone handed them a product.
Mars - the 200,000-person chocolate-and-petcare conglomerate - was one of the first. When a company that size trusts your pitch enough to open their email infrastructure to you, you know the messaging hit something real.
Email is not just a great way to deliver attacks, but it's actually the target of attacks as well.
- Abhishek AgrawalWhen wallets are tight, you're going to cut through the BS.
- Abhishek AgrawalEnrolled in Princeton's Electrical Engineering and Computer Systems program at sixteen - not as a prodigy story to tell at cocktail parties, but as the starting point of a career that combines deep technical chops with product instinct. Graduated 2009.
After Princeton, two years as a Software Development Engineer at Microsoft's R&D division prototyping improvements to the Office suite. The kind of foundational experience that teaches you how large-scale software actually ships - slowly, carefully, with enormous attention to backwards compatibility.
Harvard Business School MBA (2011-2013), finishing in the top 5% of his class - earning the Baker Scholar designation. At HBS, he and classmates also launched a pub-trivia app for the App Store, which may be the most Baker Scholar thing imaginable.
Joined Dropbox as Senior Product Manager when the company was ~250-300 people. Shipped collaboration products. Built analytics infrastructure. And met Ryan Noon and Chris Park - the two people he'd eventually co-found a unicorn with.
Co-founded Material Security in 2017, initially as CTO. Built the platform's core architecture: an API-based approach that scans inbox contents in real time, flags sensitive material - credentials, documents, verification codes - and gates access behind additional MFA.
Moved from CTO to CEO in April 2023, with co-founder Ryan Noon shifting to Chairman. Now leads the company's push toward becoming the dominant cloud workspace security platform - the CrowdStrike for Microsoft 365 and Google Workspace.
Traditional email security sits at the door - scanning messages as they arrive for malware and phishing links. Agrawal's insight was that this approach entirely ignores what's already inside. Every employee's inbox is an archive of sensitive data: credentials shared in threads, contracts forwarded to personal accounts, verification codes that unlock financial systems.
Material Security connects via native API to Google Workspace and Microsoft 365 - no email routing changes required, no MX record updates. It continuously scans inbox content in real time, classifying sensitive information and tagging messages based on what they contain. When an account is compromised and an attacker tries to access flagged content, an additional authentication step fires before the data can be reached.
Agrawal describes their five capability pillars: Email Security (detecting attacks that bypass native controls), Data Security (protecting sensitive information in emails and files), Identity Threat Detection (hardening accounts and containing compromise blast radius), Posture Management (monitoring configuration drift), and the newer OAuth Remediation Agent (addressing third-party app security risks with AI).
The strategic aspiration is to consolidate what is currently four or five separate vendor categories - email security, DLP, CASB, SSPM, and threat detection - into one platform. As Agrawal frames it: become the CrowdStrike for M365.
"It takes at least as much creativity to make a technology safe as it does to invent it."Material Security - Core Philosophy
"Attackers are pivoting to attacks that do not require user authentication as that vector becomes harder."GovCon Wire Interview, 2024
"We must adapt to not trusting our service providers' infrastructure."On cloud security posture
"You don't even know who your buyer will be in the early stages - avoid assumptions."Unusual Ventures PMF Podcast
Agrawal is the kind of founder who will tell you constraints make better products. Not as a motivational platitude, but as a business observation: when budgets tighten, buyers stop listening to marketing language and start evaluating whether a product actually solves something. His phrase for it - "cut through the BS" - is the most honest description of enterprise sales you'll find in a founder interview.
What makes him unusual among technical co-founders is the overlap: deep engineering background, Harvard MBA discipline, and four years of product management at one of Silicon Valley's best-loved companies. The combination produces a CEO who speaks CISO and also speaks VC - and doesn't confuse the two audiences.
His interviews - on the Risky Business podcast, CyberWire Daily, Smashing Security, and the Unusual Ventures PMF series - share a consistent register: no technobabble, no silver bullets, no grandiosity. He explains threats the way a very good doctor explains a diagnosis: clearly, with the assumption that the person across the table is an adult.