Mondoo Inc. is pitching its capabilities as the first “agentic vulnerability management” platform to not only categorize but entirely eliminate threats in software after raising $17.5 million in funding today.
The new funding round was led by HV Capital and saw participation from existing backers such as Atomico, Firstminute Capital and System One. It brings Mondoo’s total amount raised to date to $32.5 million.
Mondoo says it has developed a platform designed to help organizations fix vulnerabilities within the software they use before they can be exploited by hackers. It believes that organizations have good reasons to want to do this, because vulnerabilities are becoming more commonplace by the year. It cites the National Vulnerability Database, a U.S. government repository that catalogs security risks in software and hardware, which listed more than 40,000 new common vulnerabilities and exposures in 2024, up 39% from the year before.
In particular, Mondoo says it’s worried about the potential of vulnerabilities in AI software. As AI agents that automate business tasks on behalf of humans become more widely adopted, they’re expected to become a major target for hackers looking to take advantage of whatever exploits they can find – and such attacks could potentially be even more damaging to organizations.
Mondoo’s idea is to use AI agents to monitor software for vulnerabilities and bugs, including AI models and AI agents. Its Agentic Vulnerability Management platform is driven by a structured AI-native security model that’s designed to be context-aware.
That gives it the advantage of being able to work out how any vulnerabilities it surfaces are likely to be exploited by hackers. It can also estimate the potential impact those exploits will have. Armed with this knowledge, it can prioritize the most urgent vulnerabilities for remediation.
Its platform is built on three pillars – namely, agentic prioritization, agentic orchestration and agentic remediation – where the entire process of discovering vulnerabilities, working out a fix and then implementing that solution is automated by AI agents. Its AI-native security model has been designed to cut through alert fatigue and focus on the most pressing risks.
It does that by weighing up the exploitability, exposure, compliance impact and business criticality of each vulnerability it detects. Its model has been trained on “deep asset intelligence” spanning more than 380 Center for Internet Security benchmarks across cloud, on-premises and software-as-a-service platforms, as well as compliance frameworks such as SOC-2, PCI DSS and ISO 27001.
Mondoo co-founder and Chief Product Officer Dominik Richter said the company’s structured security model provides the foundation for everything it does. “By reducing manual work and integrating into DevOps workflows, Mondoo bridges the gap between security and engineering teams without sacrificing development speed,” he said.
Once vulnerabilities have been identified and ranked in this way, Mondoo then instructs its AI agents to work on remediation. They will open and track tickets in information technology security management tools and provide all of the necessary details for fixing the vulnerability. The agents possess the ability to automatically close and reopen issues as necessary, such as when model drift occurs, reducing manual work and friction for engineering and security teams.
Finally, the actual remediation process is conducted by agents too. Mondoo provides detailed root cause analysis of each bug, creates guided remediation steps and then generates pretested remediation code that can be delivered through Ansible, Terraform or Intune.
Once done, the remediations go into a queue where they can be reviewed and approved by engineers. It creates a transparent pipeline with full version histories and the ability to instantly roll back any fixes.
The startup says it aims to ensure that any risks it identifies are not only addressed immediately, but prevented from ever recurring. It does this by embedding adaptable guardrails into developers’ workflows as it implements its fixes. That way, if a bug in an AI agent gets fixed and a developer later starts tinkering with it again, the guardrails will ensure they don’t do anything that might cause the vulnerability to reappear.
According to co-founder and Chief Product Officer Dominik Richter, Mondoo’s biggest advantage is speed. “Attackers move in hours, not weeks, and Mondoo gives defenders the ability to move at the same speed, with the context, transparency and control organizations need,” he said.
It’s a popular concept, if Mondoo is to be believed. The startup says it has enjoyed strong momentum over the last year, quadrupling its customer base and growing its revenue sevenfold, exceeding its targets by more than 60%, though it didn’t reveal absolute numbers.
One of its flagship customers is the German telecommunications giant Deutsche Telekom AG, whose Chief Security Officer Thomas Tschersich is joining Mondoo’s board of directors as an advisor. “The speed and accuracy of Mondoo’s Agentic Vulnerability Platform in combination with its deep insights into the entire IT architecture enables customers to quickly remediate issues and significantly reduce vulnerabilities and policy violations,” Tschersich said.
Mondoo’s plan is to use the money from today’s round to expand its presence in the U.S. and European markets, and its primary strategy to do that involves strengthening its channel partnerships.
HV Capital General Partner Barbod Namini said he believes Mondoo’s platform will usher in a shift toward greater automation in the cybersecurity industry. “It delivers measurable ROI and dramatically cuts mean time to remediate,” he said. “These are the kinds of outcomes that really move the needle.”