BREAKING  Tracebit raises $20M Series A led by FirstMark  ///  Total funding hits $25M DEPLOYED  2M+ canaries guarding 750+ cloud accounts  ///  Docker, Snyk & Riot Games onboard LAUNCH  Community Edition makes security canaries free  ///  Perimeter Canaries & GCP support live MISSION  Cut breach detection from months to minutes  ///  The answer to Assume Breach BREAKING  Tracebit raises $20M Series A led by FirstMark  ///  Total funding hits $25M DEPLOYED  2M+ canaries guarding 750+ cloud accounts  ///  Docker, Snyk & Riot Games onboard LAUNCH  Community Edition makes security canaries free  ///  Perimeter Canaries & GCP support live MISSION  Cut breach detection from months to minutes  ///  The answer to Assume Breach
Cybersecurity • Cloud Deception • London

Tracebit.

The answer to Assume Breach.

A cloud-native deception company that seeds your infrastructure with decoy canaries - so the moment an attacker moves, you know. Fewer alerts, but every one worth reading.

Founded2023
HQLondon
Raised$25M
Team~40
Tracebit logo
TRACEBIT. The company's wordmark, set against its cloud-native deception platform. Photographed for the record - the brand that guards over 750 cloud accounts with more than two million decoys.
Share this story LinkedIn Twitter / X Facebook Instagram
The Dispatch

Setting Traps in the Cloud

Most security tools try to find an attacker inside a haystack of billions of events. Tracebit takes the opposite approach: it hides a needle in the haystack that only an attacker would ever pick up. The London-based company builds cloud-native deception technology - realistic decoy resources, called canaries, scattered across a customer's cloud accounts, CI/CD pipelines, identity providers and developer workstations.

The decoys are designed to look valuable. A convincing set of AWS credentials. A bucket that appears to hold secrets. An identity that looks worth impersonating. None of them contain real data, and none touch production systems. That is the point: because a legitimate user has no reason to open them, any interaction is a high-fidelity signal that someone hostile is already inside.

The philosophy has a name in security circles - "assume breach" - and Tracebit has built its entire product around it. Rather than promising to keep every attacker out, the company assumes at least one will get in, and focuses on shrinking the time it takes to notice. Industry benchmarks still measure that window in months. Tracebit's pitch is measured in minutes.

It was founded in 2023 by Andy Smith and Sam Cox, two engineers who spent five years building the engineering team at Tessian, a UK cybersecurity firm acquired by Proofpoint in 2023. They had watched enough security teams drown in alerts that meant nothing, and set out to build detection that generated few signals - but ones worth acting on.

"Reduce the global mean time to respond to an incident from months to minutes."Tracebit's founding mission
By the Numbers

The Scale of Deception

2M+Canaries deployed
750+Cloud accounts guarded
~5BEvents watched / week
30minTime to switch on
The Mechanism

How It Works

Stage 01

Analyze

Tracebit profiles the customer's cloud environment to understand what real resources look like, so its decoys blend in convincingly.

Stage 02

Deploy

Using cloud-native APIs - and LLM-driven placement - it plants tailored canaries across accounts, pipelines and identities. No hardware, no agents to babysit.

Stage 03

Detect

The instant a canary is touched, Tracebit fires a high-fidelity alert into the customer's SIEM or workflow, pinpointing the threat.

The Problem

Why It Exists

The cloud moved fast. Detection did not.

Traditional deception tools were built for a world of hardware appliances and network segments. They are slow to deploy, hard to scale, and awkward in ephemeral cloud infrastructure that changes by the hour. Meanwhile, conventional detection tools flood analysts with alerts, most of them noise, and attackers exploit the gaps between them.

Tracebit's answer is to make the environment itself hostile to intruders - filling it with tripwires that are cheap to plant, automatically refreshed, and near-impossible to tell apart from the real thing.

The Difference

What Sets It Apart

Where competitors like Thinkst Canary and legacy honeypot vendors often lean on appliances or manual setup, Tracebit is cloud-native from the ground up. It uses the same APIs a customer's infrastructure already runs on to deploy and continuously refresh canaries across AWS, Azure, Google Cloud, Kubernetes and identity providers.

The result is deception at a scale that would be impossible by hand - millions of decoys - combined with a deliberately low false-positive rate. And with a free Community Edition, Tracebit has opened the same detection technique to developers and small teams who could never afford appliance-based tools.

The Platform

Products & Services

Core • 2023

Cloud-Native Canaries

Tailored decoy buckets, secrets, credentials and identities deployed across AWS, Azure and GCP via native APIs. Safe by design - no real data.

Detection • 2024

Credentials & Artifacts

Canary AWS tokens, SSH keys, browser cookies, password-manager entries and email trackers, planted where attackers hunt during lateral movement.

New • 2026

Perimeter Canaries

Edge-deployed decoys extending deception to SaaS and cloud perimeter surfaces - catching attackers earlier in the kill chain.

New • 2026

Deceptive Artefacts

Decoy artifacts embedded across infrastructure and workflows, broadening coverage well beyond credentials alone.

Free • 2025

Community Edition

A no-cost tier bringing AWS tokens, SSH keys, browser cookies and LLM canaries to individual developers and small teams.

Frontier • 2026

LLM & AI Agent Canaries

Decoys planted inside AI workflows to catch attackers who abuse autonomous agents and the credentials they carry.

Who Uses It

The Customers

Tracebit sells to security and engineering teams running cloud estates too complex to watch by hand.

DockerSnykRiot GamesSynthesia CrestaCoveoZepzAdmiral Insurance
"Deployment was seamless, integrating effortlessly into our existing infrastructure."Tim Welsh, Docker
The Record

Timeline

2023

Tracebit is founded

Andy Smith and Sam Cox leave Tessian to build cloud-native deception in London.

July 2024

$5M seed round

Accel leads the seed, joined by angels including Snyk founder Guy Podjarny.

Dec 2025

Community Edition

A free tier opens security canaries to developers and small teams.

March 2026

$20M Series A

FirstMark leads; Perimeter Canaries, Deceptive Artefacts and GCP support arrive alongside US expansion.

The Money

Funding

RoundAmountDateLead
Seed$5MJul 2024Accel
Series A$20MMar 2026FirstMark
Total$25M

Backers span FirstMark, Accel, MMC Ventures, Tapestry VC and CCL, with angels including Tessian founders Tim Sadler and Ed Bishop and Elastic CISO Mandy Andress.

The People

Founders

Co-Founder & CEO

Andy Smith

Spent five years growing the engineering team at Tessian before co-founding Tracebit. Leads the company's mission to shrink breach detection from months to minutes.

Co-Founder & CTO

Sam Cox

Fellow Tessian alumnus and technical architect behind Tracebit's cloud-native, API-driven canary engine that scales to millions of decoys.

Questions

The Briefing

What does Tracebit do?+

It deploys realistic decoy resources - canaries - across a company's cloud, CI/CD, identity and workstation environments. Because the decoys hold no real data, any interaction with them is a strong signal an attacker is inside, letting teams detect breaches in minutes rather than months.

Who founded Tracebit and when?+

It was founded in 2023 in London by Andy Smith (CEO) and Sam Cox (CTO), both former engineers at the cybersecurity company Tessian.

How much funding has Tracebit raised?+

About $25 million total: a $5M seed round led by Accel in 2024 and a $20M Series A led by FirstMark in March 2026.

Which companies use Tracebit?+

Named customers include Docker, Snyk, Riot Games, Synthesia, Cresta, Coveo, Zepz and Admiral Insurance. Tracebit reports over 2 million canaries deployed across 750+ cloud accounts.

How is it different from traditional honeypots?+

Tracebit is cloud-native and API-driven, so it can automatically deploy and refresh tailored canaries across AWS, Azure, GCP, Kubernetes and identity providers in minutes without hardware - unlike traditional appliance-based deception tools.

Follow the Trail

Links & Sources