The company that decided the weakest link in cybersecurity - the human one - was worth measuring, scoring, and actually fixing.
Above: the AI-native Living Security platform, asking the question every security team secretly dreads - "What should we work on today?" The answer, it turns out, is hiding in the data.
It is a Tuesday morning inside a Fortune 500 security team, and the screen does not show a wall of red alerts. It shows a single, almost casual prompt: what should we work on today? Behind that question sits Living Security's Unify platform, quietly correlating more than two hundred signals about how thousands of employees behave, log in, and respond to bait. It is not counting how many people finished their annual training video. It is ranking who, specifically, is most likely to hand an attacker the keys.
That is the whole bet. For two decades the cybersecurity industry treated employees as a compliance checkbox - watch the slideshow, pass the quiz, move on. Living Security treats them as data. Risky data, sometimes. But measurable, and therefore improvable.
Most breaches start with a person, not a server. Living Security built an entire company around taking that sentence literally.The premise, stated plainly
Here is the awkward truth the industry preferred not to discuss. Year after year, companies spent fortunes on awareness training, dutifully recorded a 100% completion rate, and then watched a single well-crafted phishing email walk straight past all of it. The training proved attendance. It did not prove behavior. And attackers, who are not graded on attendance, kept winning.
The numbers behind human-caused breaches stayed stubbornly high. The slideshows, meanwhile, kept getting longer - as if the solution to a behavior problem were simply more slides. It was a market built to satisfy auditors, not to stop attacks.
A check-the-box program can be 100% complete and still 0% effective. Those are not the same achievement.The gap Living Security set out to close
In 2017, Ashley and Drew Rose started Living Security out of their home in Austin. Ashley brought a background in software product leadership; Drew brought a CISSP, a stint in military intelligence, and an unusual hobby of applying game design and behavioral science to risk. Between them they had a conviction that sounded, at the time, slightly heretical: people don't change because you informed them, they change because you measured them and met them where the risk actually was.
Their first product leaned hard into that idea. CyberEscape was an escape-room-style game - a team locked in a room, solving security puzzles, learning by doing rather than by dozing. It was memorable, which in security training is close to a miracle. But the founders noticed something more valuable than engagement: the games generated data about how people actually behaved under pressure. The escape room was the hook. The data was the business.
The escape room got people to care. The data showed which people you should care about. One of those is a product. The other is a company.How the pivot to risk measurement happened
So they pivoted - from making training fun to making risk legible. The 2021 acquisition of Cyber-Ready accelerated the shift, and "security awareness" quietly became "Human Risk Management," a category Living Security helped name.
Ashley and Drew Rose launch Living Security in Austin, betting on behavior change over box-checking.
Early funding, including a $5M Series A led by Austin's Silverton Partners, fuels the move from games to platform.
Updata Partners leads a $14M round. The Cyber-Ready acquisition pushes the company fully into Human Risk Management.
Recognized as a Leader in The Forrester Wave: Human Risk Management Solutions, Q3 2024. Unify Insights adds AI recommendations.
Launches an AI-native platform and a Human + AI risk framework - built for a workforce that now includes autonomous AI agents.
The flagship is the Unify platform. Instead of living in its own silo, it plugs into the security tools a company already runs - identity, email, endpoint - and ingests the signals they generate. At the center sits Livvy, an always-on AI engine that the company says analyzes more than 300 behavioral, identity, and threat signals to surface the users who actually drive risk, then recommends what to do about them.
The output is not a completion certificate. It is a Human Risk Index - a score that says, in effect, here are the people, here is the exposure, here is the intervention most likely to help. Training still exists, but it becomes the consequence of a measurement rather than a substitute for one.
Correlates 200+ behavior, identity and threat signals into one view of workforce risk - the company says it delivers roughly 3x the visibility of compliance-based tools.
An always-on intelligence layer analyzing 300+ signals to flag risky users, generate content, and orchestrate response playbooks.
Immersive, role-based video training plus multi-channel phishing, smishing and vishing simulations - aimed at engagement, not endurance.
The gamified, escape-room-style experience that started it all - security education disguised as a team activity people actually remember.
Stop punishing the click. Fix the behavior that caused it - and prove, with numbers, that it got better.The Living Security operating philosophy
A contrarian idea is only interesting if someone buys it. Living Security reports more than 100 enterprise customers, a roster that includes a long list of Fortune 500 brands across healthcare, finance, retail, and manufacturing.
Share of human-driven risk concentrated in a small slice of the workforce, per Living Security's framing. If true, blanket training for all is the wrong tool - you want a scalpel, and you need to know where to point it.
If a tenth of your people carry most of the danger, training all of them equally is not fairness. It's just expensive.Why concentration of risk changes the math
The capital followed the logic. After a seed round and a $5M Series A led by Silverton Partners, Updata Partners led a $14M Series B in March 2021, with Active Capital, Rain Capital, and SaaS Venture Partners joining - bringing total funding past $20M. In 2024, Forrester named Living Security a Leader in its first Wave dedicated to Human Risk Management, validating not just the company but the category it had been quietly building.
Since working with Living Security, Cybersecurity Awareness Month is way, way easier than it used to be.- Alaina DeGregory, Highmark Health
Inside the company, the goal has a name: operate left of boom - the moment before the incident, not the cleanup after. The mission is to reduce human-led risk proactively, treating people as assets to protect rather than threats to police. It is a subtle but real reframe. The old model assumed employees were the problem. Living Security's model assumes they're the surface you measure and harden.
It's a tidy irony that a company born from an escape room now spends its days helping people avoid a different kind of trap. The puzzles got harder. The stakes got real.
In 2025, Living Security did the thing that tells you a company intends to stick around: it redrew its own map. As enterprises handed real access to autonomous AI agents, the question shifted from "which employees are risky?" to "which actors - human or AI - are risky?" The company launched an AI-native platform and what it calls a Human + AI risk framework, extending its scoring to a workforce that now includes software that acts on its own.
That same year, it reported a U.S. utility doubling its human cyber-risk visibility on the platform - the kind of concrete, unglamorous result that matters more than any tagline.
The workforce just grew a new category of member: the kind that never sleeps, never trains, and never reads the policy. Someone has to score that too.The frontier Living Security is betting on next
Return to the screen. Same security team, same casual prompt - what should we work on today? - but the answer is different now. It isn't "remind everyone to take the training." It's a name, a number, and a next step. The dashboard has turned a vague anxiety about human error into a short, ranked list of things a team can actually do before lunch.
That is the change Living Security set out to make. Not a louder warning. A sharper aim. The weakest link in cybersecurity is still human - it always will be - but for the first time it has a score, a trend line, and a plan. Curious skeptics can argue about the exact percentages. Harder to argue with the shift in the question itself: from did they finish the training to did the behavior actually change.