The semi-pro magician who decided the best trick in security is making the boring part disappear.
He spent years asking CISOs where the next breach would come from. Almost all of them pointed at their own people - and sounded defeated about it. Anagram is his answer: security training that borrows from TikTok, not the compliance handbook.
Harley Sugarman - he calls himself a "recovering software engineer," which is the most honest job title in this whole story.
Ask a hundred chief information security officers where their company gets hacked, and ninety-something will point at the person two desks over. The intern who clicks the invoice. The VP who wires money to a spoofed vendor. Harley Sugarman asked that exact question, over and over, and what stuck with him was not the answer. It was the tone.
"What sort of surprised me was actually just the amount of hopelessness that I heard in their voices," he says. These are people guarding billion-dollar companies, and on the single biggest risk they face - their own colleagues - the best tool in the drawer was a 45-minute video and a quiz nobody remembers taking. Anagram is what he built instead.
Anagram makes security awareness training that does not feel like a punishment. Bite-sized modules. Interactive puzzles. The longest video runs 87 seconds. Employees get handed real-world scenarios and, in one exercise, are asked to write their own phishing emails - because the fastest way to spot a con is to run one. For clients, the numbers moved: phishing failure rates fell from roughly 20% to 6%.
"I hate that framing so much, because it puts the onus on the human."
Sugarman, on the industry's favorite phrase, "humans are the weakest link"
Sugarman did not arrive in cybersecurity by the usual door. He walked into college as an English major and a semi-professional magician. Somewhere between the sleight of hand and the music videos he produced, he found code, ended up at Bloomberg writing infrastructure tools, then crossed over to the other side of the table as an investor at Bloomberg Beta, where he spent two years studying the future of work. The throughline is misdirection: a magician learns that people see what they expect to see, which is also the entire business model of a phishing email.
That investor's vantage point mattered. He watched founders, sat across from operators, and kept circling back to one unglamorous, unsolved corner of enterprise software - the training nobody wanted to take and nobody could prove worked.
[Chart: Reported client phishing-simulation failure rate. Source: Anagram / AlleyWatch.]
Anagram did not start as Anagram. In 2022 it was Cipher, and the product was a "capture the flag" trainer - a playground where enterprise security professionals hunted bugs in intentionally broken software to sharpen their skills. Then the market turned. Security teams got hit with layoffs, and the customers Cipher was built for started disappearing. So Sugarman made the call that he still describes as the company's defining moment: throw it all out.
"I'm really proud of the fact that we very quickly made the decision to basically throw away all this work that we had done and move into this more general purpose awareness tool," he says. The pivot landed in January 2024. The new product generated more revenue in three months than the old one had in a year. By February 2025, Cipher had a new name - Anagram - and a $10 million Series A.
"AI is like a big wooden club for the defenders, but it's like a machine gun for the attackers."
Sugarman, on the lopsided arms race
The design philosophy is borrowed, openly. "We took lessons from TikTok, and lessons from Duolingo and Khan Academy," Sugarman says. "How can we apply those lessons within security?" The answer looks like habit formation rather than a yearly fire drill: short puzzle-style modules that adapt to a person's role, that reward attention, that show up in the flow of work instead of as a calendar event everyone resents. An AI engine personalizes the path. The next chapter is an AI-powered security agent that nudges employees in real time, in context, the moment a risky action is about to happen.
The approach is landing with names that do not hand out logos lightly. Disney, Pfizer, Thomson Reuters, and MassMutual are all clients. And here is the part that should not work: a lot of that pipeline came from cold outbound. "I didn't think we would get a single meeting booked from cold calls," Sugarman admits. "But shockingly, it still seems to bear fruit."
Sugarman's stated ambition is to delete his own category. He wants the annual security course and the gotcha phishing test to be obsolete within a decade, replaced by guidance so woven into the workday that nobody notices they are being trained. For a founder, that is a strange thing to root for - the obsolescence of the very ritual the industry sells. For a magician, it is the only ending worth performing. The best trick is the one where the mechanics vanish and all that is left is the result.
He is, by his own cheerful admission, not built for the spotlight that comes with the job. "It does feel cringy. I hate most social media things," he says. Which may be the most reassuring thing a security founder can tell you - that the person asking you to take your training seriously would also rather not be on camera. He treats users like adults. That, more than any feature, is the pitch.
For two decades, security awareness training was a box to tick. A vendor shipped a library of videos, HR scheduled an annual deadline, and employees clicked through at 2x speed to get the certificate. It satisfied auditors and changed almost nothing. The numbers told the story: people kept failing the phishing tests, and the people running those tests had stopped expecting otherwise. That resignation - the hopelessness Sugarman kept hearing - was the real market signal. The category had given up on its own outcomes.
Anagram's wager is that the problem was never the human. It was the medium. Treat training like a chore and you get the engagement of a chore. Treat it like a 60-second puzzle that respects someone's intelligence and time, route it to the specific risks of their actual role, and behavior starts to move. The platform leans on a personalization engine to decide who sees what, so the finance team's lessons look different from engineering's, and a new hire's path looks different from a tenured executive's. Microlearning is the format; relevance is the mechanism.
Most enterprise security companies grow through warm introductions, channel partners, and the slow grind of conferences. Anagram landed marquee logos partly through cold outbound - emails and calls to people who had never heard of them. Sugarman expected nothing from it. He has said plainly that he didn't think a single meeting would come from cold calls. They did, and they kept coming, which tells you something about how badly the buyers wanted an alternative. When a market is full of people who have quietly given up, a credible new answer doesn't need a warm intro. It needs to show up.
The clients that resulted are not easy rooms to win. Disney, Pfizer, Thomson Reuters, and MassMutual operate in regulated industries where security training is not optional and the bar for vendors is high. Anagram now reaches more than 500,000 employees across its customer base. The reduction in phishing failure rates - from roughly one in five employees clicking to closer to one in sixteen - is the kind of before-and-after that closes renewals.
Sugarman is clear-eyed about where this is heading. Generative AI has made phishing cheaper, faster, and far more convincing, and the asymmetry worries him. "AI is like a big wooden club for the defenders, but it's like a machine gun for the attackers," he says. An attacker only needs one click; a defender needs to be right every time. The traditional answer - more annual training - is a club against a machine gun. Anagram's response is to put AI on the defender's side of the desk, in the form of a real-time security agent that watches context and nudges an employee in the moment a risky action is about to happen. Not a yearly lecture. A whisper at the exact second it matters.
That is the disappearing act Sugarman is building toward. He wants the annual course and the gotcha simulation gone within a decade, replaced by guidance so embedded in the workday that it stops looking like training at all. For a founder, betting on the obsolescence of your own product category is unusual. For a magician, it is the whole point. The trick that lands is the one where the audience never sees the mechanics - only the result.
The longest training video Anagram ships is 87 seconds. Most are shorter. Attention is the product.
The company was named Cipher before it was Anagram. Both are word games. Fitting, for a man who started with card tricks.
The rebuilt product out-earned the old one in three months flat - proof the pivot was the right kind of reckless.
The blueprint isn't a competitor. It's TikTok, Duolingo, and Khan Academy.
He calls personal branding "cringy" and means it. The founder of an engagement company would rather not engage.
Before code: English major, semi-pro magician, music video producer. Misdirection was always the day job.
"We took lessons from TikTok, and lessons from Duolingo and Khan Academy. How can we apply those lessons within security?"
On building the platform
"I'm really proud of the fact that we very quickly made the decision to basically throw away all this work that we had done."
On the pivot from Cipher
"I didn't think we would get a single meeting booked from cold calls. But shockingly, it still seems to bear fruit."
On landing Fortune 500 clients
"It does feel cringy. I hate most social media things."
On being a public-facing founder