It is a Tuesday morning at a company you've heard of. A finance lead clicks a link in what looks like an invoice. The email is a forgery. The attacker is in. Twenty years ago, that would have been the end of the story. At a Material Security customer, it's barely the beginning.
01 - Who They Are Now
The contrarians of email security
Material Security is a San Francisco company with about 86 employees, a $1.1 billion valuation, and customers including OpenAI, Anthropic, xAI, Reddit, Figma, Lyft, Mars, PagerDuty, MassMutual, and Gusto. Its product sits on top of Google Workspace and Microsoft 365 - the two inboxes where most modern work actually happens - and watches what attackers do once they slip past the locks at the front.
That last part is the trick. Most of the security industry sells better locks. Material sells the assumption that the locks will fail.
02 - The Problem They Saw
Phishing is unsolved. So now what?
The cybersecurity industry has spent two decades trying to stop people from clicking on bad links. It has not worked. Every annual report from every email-security vendor agrees on this, even if they would prefer you not notice.
Material's founders looked at the 2016 US election cycle - DNC emails, John Podesta's inbox, screenshots all over cable news - and arrived at an unfashionable conclusion. The attackers were going to keep winning the first round. Maybe the answer was to make the second round harder.
The traditional email-security pitch goes: 'we'll stop the phish.' Material's pitch goes: 'we'll stop the phish from mattering.' One of these is verifiable.
03 - The Founders' Bet
Three engineers, one quiet code name
Ryan Noon, Abhishek Agrawal, and Chris Park met at Dropbox after their previous company, Parastructure, was acquired. In 2017 they started something new and gave it a code name: Stellarite. They stayed in stealth for nearly three years. By the time anyone outside the seed round knew the company existed, the product was already in production at real customers.
It is a peculiar way to start a security company. The standard playbook is loud: launch a logo, announce a manifesto, place a magazine cover or two. Material's founders did roughly none of that. They have publicly said, on podcasts and in interviews, that they wanted to build a security company that didn't sell with fear. Whether that is a marketing position or a temperament is up to the reader.
04 - The Product
What the thing actually does
Material plugs into the Google Workspace or Microsoft 365 tenant via API. No agents on laptops. No new inbox for users to learn. The product then does a few things that, if you describe them at a dinner party, sound surprisingly sensible.
Email Security
Catches the sophisticated attacks that walk past Google's and Microsoft's native filters - the ones with no malware, just a believable tone.
File Security
Scans Drive and SharePoint for the documents nobody remembered to lock down, then quietly locks them down.
Account Security
Watches login behavior and contains account takeovers in real time, before the attacker has time to forward anything.
OAuth Remediation
Finds the third-party apps that someone authorized in 2021 and forgot about. Removes the malicious ones automatically.
Posture Management
Watches your tenant's configuration drift over time and pulls it back when it slides toward 'wide open.'
The clever part is in the email piece. Material can require step-up authentication on access to sensitive messages already sitting in the inbox - the tax forms, the wire instructions, the board minutes - so that even an attacker with valid credentials can't grab them. The mailbox becomes less like a filing cabinet and more like a safety deposit box.
05 - The Proof
The customer list does the talking
A useful test of any enterprise security company is to look at who buys it. Material's roster reads like a snapshot of the past five years of consequential software companies. OpenAI uses it. So does Anthropic. And xAI. So do Reddit, Figma, Lyft, PagerDuty, HackerOne, Quora, Asurion, MassMutual, and the candy company Mars - because, yes, M&Ms have an inbox too.
These are companies that could buy any email security tool on the market, and several of them already had one. They added Material on top.
Material, by the numbers
Sources: company disclosures, Crunchbase, press coverage. Bars are scaled for legibility, not for accounting.
06 - The Mission
Make compromise survivable
Material's stated mission is to make cloud workspaces resilient to attacks that get past the perimeter. The unstated version is more useful: assume the attacker will eventually get in. Make sure that getting in is no longer the same as winning.
This is a small philosophical shift with enormous operational consequences. It changes the question a security team asks every morning. The old question was 'did anything bad happen yesterday?' The new question is 'if something bad did happen yesterday, did it actually matter?'
A company built on the assumption that defenses will fail has, so far, mostly avoided the kind of failures that make security companies famous. Whether that is cause or correlation is a matter of taste.
07 - Why It Matters Tomorrow
The agent problem is coming for the inbox
The next wave of email attacks won't be written by people typing in a basement. They'll be written by language models, in perfect grammar, in your CEO's voice, citing real meetings from last week. The phishing-detection layer is going to get worse, not better, against this. The data-protection layer is going to get more important, not less.
Material spent the early years preparing for an attacker who could already get inside. It turns out that was also the right preparation for an attacker who can sound exactly like a coworker. The customer list of AI labs - the people building the models doing the impersonation - is not an accident.
08 - Back To Tuesday Morning
The same click, a different ending
Back to that finance lead, that Tuesday, that bad link. The attacker is in. They navigate to the inbox they came for, scroll back through the archive, and try to open the message with last quarter's wire instructions.
They get a step-up authentication prompt they can't answer. The session is flagged. The OAuth token they tried to plant is revoked before they finish reading the docs page on how to plant it. The CFO finds out about all of this in a 9:14am Slack message from a security analyst who is, by every observable measure, calm.
The click happened. The breach didn't.
That, give or take a marketing tagline, is Material Security.