About this Map & Methodology

The AI Security Startups Map is an interactive, continuously updated directory of 294 companies building security for agentic AI — organized across 14 functional categories. It is curated by Prompt Security.

Scope

The map covers commercial vendors and startups whose products secure AI agents, LLM applications, and the surrounding infrastructure. It includes companies that have been acquired (their offering still exists in the market) and excludes stealth-mode companies that have not publicly described a product. Both pure-play startups and dedicated AI-security lines from larger vendors are in scope.

The landscape in numbers

As of June 8, 2026, the map tracks 294 vendors across 14 categories and 24 countries:

  • $7.5B in disclosed funding across the 214 vendors with public funding data.
  • The largest category is Observability & Governance with 184 vendors, followed by Runtime & Guardrails (154) and MCP & LLM Gateways (65).
  • The top three countries by number of vendors headquartered there are USA (163, 55%), Israel (57, 19%), UK (17, 6%).
  • 177 of 294 vendors (60%) were founded between 2023 and 2025; 2024 was the busiest year with 61 new companies.
  • 27 companies have been acquired; the most active acquirers are Check Point (3), PAN (3), and Cyera (3).

“Securing agentic AI is fundamentally different from securing traditional software. Agents act autonomously, call tools, and reason over untrusted input — which means prompt injection, identity, and runtime behavior have to be governed in real time, not just at the perimeter.”

— Prompt Security, curators of this map

Inclusion criteria

A company is listed when it meets all of the following:

  • It ships a product or service whose primary purpose is securing AI agents, models, or AI-driven workflows.
  • It has a public presence (website, product page, or launch announcement) describing what the product does.
  • Its capabilities map to at least one of the categories below.

Companies may appear in multiple categories when their product spans more than one function. Placement reflects publicly stated capabilities, not vendor marketing tiers.

Categories

Each vendor is tagged with one or more of these 14 categories:

Observability & Governance
Continuous discovery, inventory, and behavioral profiling of every AI agent across the enterprise. Lifecycle controls, audit trails, and policy enforcement to keep the agent fleet visible and accountable.
Runtime & Guardrails
Inline content inspection and behavioral enforcement at the moment of inference. Blocks prompt injection, jailbreaks, data exfiltration, and unauthorized tool calls before they reach the model or downstream systems.
Agentic Identity
Issues verifiable, scoped, and revocable identities to AI agents and non-human workloads. Brokers least-privilege access to tools, APIs, and data so each agent action can be authenticated and audited.
MCP & LLM Gateways
Protocol-layer control plane sitting between agents and the MCP servers, tools, and models they call. Per-request auth, scope enforcement, tool-call inspection, and supply-chain governance for the agent ↔ tool boundary.
AI Red Teaming
Automated and human-in-the-loop adversarial testing of agents, models, and AI infrastructure. Generates attack chains, evaluates defenses, and produces auditor-ready findings before vulnerabilities reach production.
AI-SPM
Posture management for AI agents, models, datasets, and pipelines across cloud and SaaS estates. Maps agent dependencies, surfaces misconfigurations, and prioritizes risk before workloads are exploited at runtime.
Agentic Data Governance
Governs what data AI agents can read, write, and surface to users. Detects oversharing, enforces need-to-know access at inference time, and remediates sensitive-data exposure across the agent supply chain.
Model Security
Secures the model itself across the ML lifecycle — supply-chain scanning of model files for backdoors, malware, and poisoning. Runtime protection against adversarial inputs and integrity drift in production.
Agentic Network Security
Network-layer visibility and enforcement for AI traffic that bypasses traditional firewalls, SSE, and SASE. Decodes prompt/response flows, blocks shadow AI usage, and applies dynamic policy by app, user, and data type.
Agentic Endpoint Security
Next-generation EDR for AI agents running on developer and employee endpoints. Endpoint-native sensors intercept agent actions before execution, enforce intent-based policy, and surface shadow agents fleet-wide.
Agentic Code Security
Shift-left security for AI-generated code and agent-orchestrated codebases. Reviews designs, scans dependencies, and governs coding agents (Cursor, Claude Code, Copilot) before insecure code ships to production.
Agentic Browser Security
Controls AI usage happening inside the browser, where most employee GenAI activity lives. Browser-layer DLP, in-flow coaching, and per-action policy enforcement for ChatGPT, Copilot, Claude, and embedded copilots.
Agentic SSPM
Secures AI agents and copilots that live inside SaaS applications and citizen-developer platforms. Discovers OAuth-connected AI, governs Copilot Studio / Agentforce / LCNC agents, and contains SaaS-to-SaaS propagation risk.
Sandboxing & Secure Envs
Isolated execution environments where AI-generated code and agent actions can run without touching production. Container, microVM, and syscall-level boundaries that contain blast radius when agents go off-script.

Data fields

Where available, each vendor record includes:

  • Name, website, LinkedIn — primary identifiers.
  • Founded year and country — basic company facts.
  • Founders and investors — leadership and backing.
  • Funding — disclosed total, when public.
  • Capabilities — what the product does.
  • Sensors / integration — how it deploys (proxy, SDK, API, agent, browser, …).
  • Protections — the threats it blocks or mitigates.
  • Differentiator — what sets it apart.

Sources & maintenance

Entries are compiled from vendor websites, product documentation, funding announcements, public company registries, and analyst coverage. The map is reviewed and updated on an ongoing basis; corrections and additions are welcome. Use the “Suggest a startup” form on the map to submit a company.

Programmatic access

The full dataset is open and machine-readable. Access it via:

  • /llms.txt — concise index for LLMs and AI agents.
  • /llms-full.txt — every vendor expanded in plain text.
  • /api/vendors and /api/categories — structured JSON.
  • /mcp — a Model Context Protocol server (streamable HTTP) with tools get_categories, get_vendors_by_categories, and get_vendor_details.

Reference frameworks

Category definitions and threat coverage are mapped against established, independent frameworks for AI and LLM security:

Who maintains this map

This map is curated by Prompt Security, an enterprise platform for securing generative and agentic AI. Prompt Security builds runtime guardrails, prompt-injection defense, AI red teaming, and governance across the AI stack, and works daily with security teams deploying AI agents in production — the same domain this directory catalogs.

Contact: reach the team through the Prompt Security contact page for questions, corrections, or to suggest a company.

Follow or reach the team via LinkedIn, X / Twitter, and YouTube.

Disclaimer

This map is provided for informational purposes. Listing does not imply endorsement, and category placement reflects a best-effort reading of public information. Company facts change quickly; verify details with the vendor before relying on them.