It is 3 a.m. somewhere in Ohio, and a midsize accounting firm has no idea that a phishing email is mid-flight toward its CFO. At-Bay does. That is the elevator pitch.
Walk into At-Bay's San Francisco office today and the org chart reads strangely for an insurer. Underwriters share floor space with malware analysts. Actuaries argue with red teamers. Somewhere a Salesforce dashboard is humming next to a SentinelOne console. The thing is, all of it is the product.
At-Bay sells cyber insurance to small and mid-sized businesses, the kind of companies that have been quietly absorbing the bulk of ransomware losses for the last decade. But selling the policy is only the opening move. The rest of the company is built around making sure the policy never has to pay out: continuous scanning of policyholder attack surfaces, a managed detection and response service called Stance MDR, an email security product, and a small army of claims people who will phone a customer at 2 a.m. to say, in effect, "stop clicking that."
Field note. Most insurers measure success in claims paid efficiently. At-Bay measures it in claims that did not happen. Same industry, opposite scoreboard.
In 2016, cyber insurance was a coin flip dressed in a suit. Carriers asked clients to fill out a long questionnaire about their security posture, accepted the answers more or less on faith, and priced policies off a thin layer of historical loss data that was already obsolete by the time it was tabulated. Then ransomware grew up. Loss ratios at major carriers spiraled past the comfortable side of 100%. Premiums went vertical. Coverage shrank.
The underlying problem was simple and embarrassing. Traditional insurers were pricing a risk they could not actually see. Hurricanes follow physics. Cyberattacks follow people, and people change behavior weekly.
At-Bay's founders, all of them veterans of cybersecurity rather than the insurance industry, looked at the same picture and saw something different. If the loss event was a security failure, then the insurer's job was not just to price the failure - it was to prevent it. The actuarial table needed a SOC.
Rotem Iram, the company's CEO, took the route you might expect from someone who would later try to merge security and insurance: captain in Israel's elite Unit 8200 signals intelligence corps, then McKinsey, then COO of K2 Intelligence's cyber practice, with a Harvard MBA tacked on for good measure. He co-founded At-Bay in 2016 with Roman Itskovich (data), Etai Hochman (risk), and Tilli Kalisky-Bannett.
Their bet, which sounded plausible in a pitch deck and absurd to incumbent insurance executives, was that a tiny startup could underwrite cyber risk more accurately than century-old carriers - because it would do the security work itself. Scan every applicant's external footprint. Monitor every policyholder continuously. Use that telemetry to price, advise, and intervene. Charge a premium. Pay fewer claims.
Co-founder & CEO. Unit 8200, McKinsey, K2 Intelligence. The one who calls it InsurSec without flinching.
Co-founder & Chief Data Officer. Treats the underwriting model like a living piece of software.
Co-founder & Chief Risk Officer. Quietly responsible for the part of the business that has to be right.
Co-founder. Built the early product and operations spine the rest hangs on.
Caption, with feeling. Four people, one whiteboard, a phrase nobody had marketed yet: InsurSec.
Receipts. Funding rounds reported by Crunchbase, Calcalist, BusinessWire, and SecurityWeek. Years rounded; egos not.
The At-Bay product is, formally, a cyber insurance policy. Practically, it is a stack. When a broker submits an application, At-Bay's underwriting engine scans the prospect's external attack surface before issuing a quote. Misconfigured RDP ports, vulnerable VPNs, exposed file shares - these are repriced on the spot and, more importantly, flagged to the customer. Policyholders are encouraged to fix the issues, and many do, because the relationship does not stop at binding.
Admitted and surplus policies for SMBs, sold through a deep broker network.
Errors & omissions cover for software and IT services companies.
24/7 managed detection across endpoint, email, cloud, and identity.
Email security product purpose-built to stop financial fraud at the inbox.
Bundles that pair a policy with the security stack to unlock higher coverage limits.
Quoting, binding, and risk-monitoring tools for the agencies placing the business.
You can buy the security tools on their own, too. Stance MDR is sold to companies that are not policyholders, which is either generous or quietly strategic depending on how you read it - every additional endpoint At-Bay watches is another data point feeding its underwriting model.
Skepticism is healthy here. Lots of insurtechs have promised, and very few have delivered, an actual improvement on loss ratios. So consider the shape of At-Bay's funding history as one rough proxy for whether the model is working. Capital keeps showing up, including from Munich Re, an insurer that knows where the bodies are buried.
The partnership roster reads similarly. SentinelOne powers the MDR layer. CrowdStrike sits inside the SMB cyber-resilience program. HSB and Munich Re bring reinsurance capacity. None of those names attach themselves to insurtechs casually.
Counting things. $467M raised in total. ~360 employees. Tens of thousands of policies in force. A category - InsurSec - that did not exist on a Gartner slide in 2016.
At-Bay's mission language is gentle - "help businesses thrive in the digital age" - but the underlying ambition is sharper. Cyber risk is the only major category of business loss that the insurance industry has been losing ground on for a decade. The reasonable response would be to retreat. At-Bay's response has been to push deeper into the security side of the problem on the bet that this is the only way the math eventually works.
There is a version of this story where At-Bay quietly stops being an insurer and becomes a security company that sells policies as a customer-acquisition channel. There is another where it becomes a small carrier with an unusually good claims experience. The founders sound comfortable with both endings.
Email-based fraud has gotten very good very fast. Deepfaked CFO voices and convincingly written wire-transfer requests are no longer the stuff of trade-press hand-wringing. They are line items in claims reports. Stance Fraud Defense, At-Bay's 2025 email security release, is a direct response: catch the message at the gateway before it gets a chance to convince anyone.
If the next decade of business loss looks anything like the last one, only sped up by generative models, then the insurer that survives will be the one whose policy comes attached to an active defense. That is not a hypothesis At-Bay invented. It is the one it priced.
Editor's aside. The first time a carrier brags about preventing claims rather than paying them quickly is the moment to start paying attention. At-Bay started bragging about it years ago.
Stance Fraud Defense holds it at the gateway. The CFO sleeps. The accounting firm's controller wakes up to a normal Tuesday. No wire goes out. No incident-response retainer is activated. No claim is filed. The annual policy renews without drama.
From the outside, nothing happened. That is the whole point. At-Bay's best work is the work nobody notices, which is a strange business to be in if you are an insurance company, and exactly the right business to be in if you are this one.