Rilian Raises $17.5M to Automate Defense-Grade Security

Critical security operations increasingly hinge on whether defenders can turn intent into action before a fast-moving adversary shifts tactics again, and the gap between knowing what must be done and actually rolling it out across sovereign, air‑gapped systems has become the hidden failure point of national cyber defense. Procurement drags. Integrations stall. Updates wait for escorts across isolated networks. In that friction, capable tools underperform, analysts drown in alerts, and zero‑trust plans remain paper architecture. Rilian entered this bottleneck with a deliberately unglamorous premise: make security execution automatic, compliant, and continuous where it is hardest—inside defense and critical infrastructure stacks bound by secrecy, safety, and sovereignty. By raising fresh capital and introducing an AI‑native orchestration platform built for constrained environments, the company set out to align machine-speed threats with machine-speed response.

Funding and Market Signals

Seed Round and Backers

Rilian closed a $17.5 million seed round led by 8VC, Tamarack Global, and First In, with participation from 8090 Industries, Liquid 2 Venture, and Protego Ventures, a cross‑section that blends Silicon Valley scale instincts with defense‑native diligence. The syndicate mattered as much as the sum. Generalist firms have increasingly scouted dual‑use software that can clear compliance gates without losing velocity, while sector specialists scrutinize survivability in classified and sovereign contexts. In backing Rilian, they converged on a thesis that control planes—more than point products—will decide whether agencies can absorb innovation without breaking process. That alignment put execution, not features, at the center of value creation.

Beyond signaling, the round equipped Rilian to recruit systems engineers versed in both operational technology and enterprise IT, a combination rare enough to slow many defense programs. It also enabled early deployments that require on‑site validation inside air‑gapped facilities, where proofs of concept cannot run on public clouds and where update paths must be designed to withstand audits as much as outages. The capital thus funded the messy, essential work of packaging AI agents, policy engines, and integration adapters into something acquisition officers can buy, accrediting officials can certify, and operators can rely on at odd hours with limited staff. In practical terms, the raise underwrote an engineering agenda focused on ruggedization rather than showmanship.

Why Investors Are Leaning In

Investor interest tracked a handful of visible shifts. Agencies formalized zero‑trust reference architectures that finally specify identity, segmentation, and continuous verification across mixed IT and OT. Prime contractors began to expose standardized interfaces for telemetry and policy control, enabling orchestration layers to drive outcomes without bespoke rewrites for every tool. Sovereign cloud footprints expanded, and with them, mandates for data residency, deterministic update chains, and verifiable provenance. In parallel, electronic warfare and cyber operations blurred, pushing defenders to close loops between detection, countermeasure, and targeting faster than manual workflows allow. Rilian’s approach addressed each lever by default.

This environment favored platforms that could prove reductions in time‑to‑protection with measurable, audited steps: days to deliver a patch into an air‑gapped enclave instead of weeks; minutes to propagate a credential policy across disjointed domains instead of overnight windows; seconds to fuse sensor outputs into an action plan that downstream tools can execute. Investors leaned in because those increments compound. When an orchestration layer can encode expert playbooks, replay them under stress, and document every change for compliance, the result is not just efficiency—it is operational assurance. The calculus was simple: budget scrutiny persists, but spending prioritizes capabilities that turn doctrine into repeatable outcomes.

Product, Focus, and Early Traction

Closing the Execution Gap With Caspian

Rilian’s platform, Caspian, sits as an AI‑native command layer above heterogeneous security stacks, coordinating detection, countermeasures, and targeting across commercial and government‑grade tools without displacing them. At its core are agentic services that watch system state, consult encoded playbooks, and execute actions across identity, endpoint, network, and OT controls. Rather than funneling analysts through a new console, Caspian treats each integrated product as an actuator governed by policy and context. It codifies veteran know‑how—how to triage an anomalous controller in an electric substation, when to quarantine a workload in a sovereign cloud, which approvals are mandatory before crossing a diode—so responses become consistent under duress.

The engineering choices reflect constraints of sovereign and air‑gapped deployments. Caspian ships with offline update mechanisms, cryptographic provenance for policy bundles, and connectors that respect one‑way transfer boundaries. Its delivery model prioritizes accreditation artifacts—configuration baselines, test vectors, and audit logs—so certifiers can replay decisions. Automation is scoped to mission risk: high‑confidence actions (key rotation, micro‑segmentation policies, sensor tuning) can run autonomously, while escalations route to designated approvers with full change diffs. By compressing the cycle from requirement to rollout, the platform operationalizes zero‑trust patterns across brittle environments where manual coordination once guaranteed delay.

Early Customers and Deployment Impact

Early traction centered on U.S.‑allied governments and defense‑oriented operators. A flagship engagement with the United Arab Emirates’ Cybersecurity Council put Caspian over critical infrastructure and OT networks, where conventional SOAR tooling often falters under protocol diversity and safety constraints. There, AI agents aggregate telemetry from industrial sensors, identity providers, and endpoint controls, then generate action plans that balance speed with plant safety. A policy update that once crawled through manual tickets now travels as a versioned bundle, verified at each hop, and committed with an audit trail usable by both cybersecurity and regulatory teams. The result is not a new dashboard; it is a faster, safer nervous system.

This deployment pattern highlighted what success required next: deeper integrations with major identity engines and OT gateways, expansion of language models fine‑tuned on sovereign lexicons and compliance templates, and playbooks co‑authored with national incident response teams. For defense and critical infrastructure leaders evaluating similar moves, the practical steps were apparent: map the highest‑friction workflows, start in enclaves where automation can act without jeopardizing safety, define approval boundaries that machines cannot cross, and require provable rollbacks for every autonomous change. As agencies plotted modernization from 2026 to 2028, these measures created a runway where automation earned trust incrementally, audits became easier, and the execution gap narrowed on purpose rather than by chance.
