Security Week

Orion Security Raises $6 Million to Tackle Insider Threats and Data Leaks with AI-Driven DLP

Kevin Townsend March 19, 2025

Orion Security has emerged from stealth with a $6 million seed funding round led by Pico Partners and FXP, with participation from Underscore VC and cybersecurity leaders. Based in Tel Aviv, Israel, the firm was founded in 2024 by Nitay Milner (CEO) and Yonatan Kreiner (CTO) with a mission to use AI to revitalize data leak prevention (DLP).

Orion’s platform automatically learns and understands how data normally flows within an organization. “By using AI to map and understand an organization’s operational DNA, we’re enabling a new generation of data protection that can accurately distinguish between legitimate business workflows and potential data theft, without burdening an already overstretched security team,” explains Milner.

Orion uses two primary AI models. The first uses multiple LLMs to understand and classify company data: is it PCI traffic, is it unstructured IP, is it PII or PHI with SSNs or private addresses. “The second,” says Milner, “is a reasoning model. It helps you understand the entire context around a data incident. Who sent this data outside? What department does he work for? Where did this data go? What is this data containing? It basically considers all the criteria around an incident to be able to decide whether it was a genuine incident or just a legitimate business flow inside the company.”

The advantage of this approach is that it will instantly detect the first attempt at low and slow data exfiltration by an insider (or, indeed, an attacker) and draw the security team’s attention to the incident –- or stop it.

“The three primary use cases we look at,” says Milner, “are human error, the insider threat, and attackers who have got into the system and are now trying to exfiltrate data. The insider threat is our current focus. It could be a disgruntled employee, it could be a curious employee who wants information, such as payroll information, that he or she should not see; or it could be a North Korean agent who has gained employment but is really after company IP.”

The third use case is interesting. Since the platform’s first attention is to the flow of data, followed by an instant determination on the legitimacy of the flow (that is, should that person be doing this with such data at this time?), the potential of the solution has further possibilities. For example, attempts at large scale data exfiltration could indicate the presence of an undetected attacker. It could, in fact, be the pre-encryption data theft stage of double extortion ransomware — which it could detect and stop.

Milner recognizes this. While stressing that the platform is currently designed for the insider threat, he told SecurityWeek, ‘We are looking at the wider ransomware threat and what we could do about it. It’s part of our vision for the future and the next use cases we can include in the platform.”

This platform uses the power of artificial intelligence to revolutionize the current approach to DLP. Instead of relying on manual policies to prevent data leaks, the platform monitors the data, relates it to the company’s DNA, and stops (or reports) illegitimate data movement. In this sense it automates the whole process of DLP policy creation and enforcement. Manual policies are never enough. They are expensive in manpower, always lag behind reality, and generate too many false positive alerts. There are new applications and new workflows every day – and they all require new policies.

Advertisement. Scroll to continue reading.

Orion eliminates reliance on this. By first understanding the company at a very deep level, it can concentrate on protecting the data in real time without waiting for manual policies that may not yet exist. Its purpose is to reduce the cost and improve the efficiency of data leak prevention.

A separate report from DLP firm MIND published on March 18, 2025, reveals the failure of traditional methods. Fifty-three percent of participants in a survey reported two or more unstructured data leaks in the last 12 months. Alert fatigue is real: 92% deferred inspection for more than 24 hours; and 47% of alerts inspected within 24 hours are false positives.