Mimic

It is 2:14 a.m. somewhere inside a Fortune 500 data center. A piece of ransomware lands on a workstation, fans out, and begins encrypting. Within milliseconds, an alert fires - not in a SOC dashboard, but inside a tiny SaaS instance in Palo Alto. The attacker keeps typing. The systems keep working. Welcome to the strange new world Mimic is building.

Who they are now

A small company picking the largest fight in cybersecurity.

Mimic is roughly 120 people in a Palo Alto office, plus a remote bench drawn from places like Citibank, Walmart, Vodafone, Raytheon, F5 and the U.S. Department of Defense. The company has been out of stealth for about a year. In that year it has raised $77 million, picked up FedRAMP Ready status, and convinced the former CEO of Mandiant to join its board. The product has one job: ruin a ransomware operator's night.

For a category that has been declared "solved" by every vendor with a logo and a booth at RSA, this is, on its face, a strange thing to spend $77 million on. Ransomware is supposed to be a backup problem now, or an endpoint problem, or a training problem. Pick your flavor. The numbers say otherwise.

Ransomware is not an endpoint problem. It is a survival problem. - The Mimic thesis, paraphrased

A sentence the EDR vendors would prefer you did not read closely.

The problem they saw

Detection is fast. Recovery is medieval.

Every modern security stack promises to spot a ransomware attack. Most of them, eventually, do. The catch is the gap between "we detected it" and "we are back online." That gap is measured in days for the lucky, weeks for the normal, and never for the unlucky. The 2024-2025 wave of attacks on hospitals, school districts, port authorities and casinos pushed average downtime past the two-week mark - while the average ransom demand climbed past seven figures.

Mimic's founders looked at that arithmetic and concluded the industry was optimising the wrong number. Not whether you saw the punch coming. Whether you stayed on your feet.

The current playbook is: get hit, panic, page a forensics firm, pay a lawyer, maybe pay the attacker, and explain it on the next earnings call. We thought that could be improved. - the unofficial Mimic origin story

Improved is putting it mildly. Replaced would also work.

The founders' bet

Two people who have built this kind of company before.

Mimic was founded in 2023 by Derek Smith and Bob Blakley. Smith spent nine years running Shape Security, the bot-defense company that F5 acquired in January 2020 for roughly $1 billion. Blakley, his co-founder and Chief Product Officer, has spent decades inside the identity and security plumbing at IBM, Citi and elsewhere. Together they had already built one industry-first - the original data leak prevention category, eventually acquired by Raytheon.

Their bet on Mimic was specific. EDR and XDR products are too slow because they are too general. A platform designed only to fight ransomware - and only to fight it in the first few hundred milliseconds - can do something the general-purpose tools cannot: keep the business running while the attack is still in progress.

You do not need to win every fight. You need to make sure the lights stay on while you figure out what is happening. - the bet, in one sentence

CISO comfort food. Also: extremely hard to engineer.

The Mimic Timeline

Receipts, in chronological order.

2023: Founded in Palo Alto by Derek Smith and Bob Blakley, joined by veterans from F5, Raytheon, DoD and the Fortune 500.
May 2024: Emerges from stealth with a $27M seed round led by Ballistic Ventures, joined by Menlo, Team8, Wing and Shield.
Feb 2025: Series A: $50M led by Google Ventures and Menlo Ventures. Kevin Mandia joins the board. Greg Davison joins as Head of Revenue.
2025: FedRAMP Ready status announced - the federal door opens.
2025: Ransomware simulation capability launched - safely model a full attack with no live malware on the wire.

The product

Three verbs: detect, deflect, recover.

Mimic's SaaS sits across the customer's environment and watches for the behavioral signatures that precede the encryption step. When it sees one, it does something most platforms do not bother with: it intervenes in-flight. The attack appears to succeed from the operator's side. Files appear to be encrypted. Negotiations may even begin. Behind the curtain, the core systems are intact, the attacker's foothold is being mapped, and the IR team has bought hours instead of minutes.

Then comes the part the marketing decks are quietly proud of: recovery in seconds. Not "restore from last night's backup." Seconds. Without giving the threat actor a chance to re-enter through the same hole.

Time to recover, by approach

Lower is better. Yes, that is the point.

Pay the ransom21 days

Backup restore14 days

EDR + IR firm8 days

Mimicseconds

Industry averages drawn from public ransomware incident reporting; Mimic figure from company materials.

The pitch is not "fewer attacks." The pitch is "attacks that do not matter." - a working definition of cyber resilience

Two very different value props. Sales teams, take note.

The proof

Investors, board, and a federal handshake.

Money talks, but the names attached to it talk louder. Mimic's cap table reads like a who's-who of cybersecurity investing: Ballistic Ventures (Ted Schlein), Menlo Ventures, Team8, Wing Venture Capital, Shield Capital and now Google Ventures. The board includes Schlein and Kevin Mandia - the person most enterprise CISOs would call first if their company was on fire. Mandia did not join because he needed another board seat.

On the customer side, the company targets the Fortune 500 and Global 2000, with a freshly opened lane into federal agencies via FedRAMP Ready. Mimic has not published a public customer list, which in cybersecurity is closer to good manners than bad signal: nobody wants their ransomware vendor naming them in a press release.

You can tell a security company is serious when its customers will not let it talk about them. - Vendor Marketing 101, footnote

A rare case where the silence is the testimonial.

The mission

"Free of the constant threat of cyber extortion."

Mimic states its vision plainly on its About page: a future where companies can operate free of the constant threat of cyber extortion. The wording is careful. Not "a world without ransomware" - that would be marketing. Not "perfect prevention" - that would be a lie. Just: free of the constant threat. The implicit promise is that the attack can still happen and it just will not matter as much.

It is a smaller claim than competitors make. It is also, possibly, the only honest one.

Why it matters tomorrow

AI is about to make ransomware cheaper. A lot cheaper.

Every defender we talk to says the same thing in private: generative AI is going to lower the floor on ransomware operations. Better lures, faster reconnaissance, automated negotiation, polymorphic payloads. The cost curve for the attacker has only one direction, and it is down. If detection takes minutes and recovery takes weeks, the math gets ugly fast.

Mimic's wager is that the only sane response is to collapse those two timelines until they barely register. Detect in milliseconds. Recover in seconds. Make the attacker's economics worse, not the defender's.

The right answer to faster attacks is not slower defenses with more dashboards. - the next five years, summarised

A line that should make several keynote speakers nervous.

Back to 2:14 a.m. The ransomware operator is still typing. Somewhere across the building, the on-call engineer is asleep. The CFO is asleep. The CEO is asleep. By the time any of them wakes up, the incident will have been triaged, the attacker will have been mapped, the systems will be clean, and the only people working will be the lawyers - drafting a disclosure that says, almost apologetically, that nothing actually happened. That is the world Mimic is selling. They are not the first company to promise it. They might be the first to deliver.

Mimic.