Surf Raises $57M to Automate Security Hygiene With AI Agents

Agentic AI Surf Raises $57M to Automate Security Hygiene With AI Agents New York-Based Startup's AI Agents Analyze Asset Context to Fix Security Gaps Michael Novinson (MichaelNovinson) • March 17, 2026     Credit Eligible Get Permission Yair Grindlinger, co-founder and CEO, Surf AI (Image: Surf AI) An agentic operations startup led by an ex-Proofpoint executive emerged from stealth with $57 million to help large enterprises automate security operations with artificial intelligence agents. See Also: AI Agents Are Rewriting Risk for SOC Teams The Accel-led funding will help New York-based Surf AI strengthen security hygiene around identities, cloud infrastructure and data by identifying exposed assets and automatically remediating risks, said co-founder and CEO Yair Grindlinger. He said Surf AI builds a contextual understanding of enterprise assets and uses that context to safely execute security workflows at machine speed. "We want to help large-scale enterprises operationalize their entire security programs with AI," Grindlinger said. "That's a big undertaking, and we think it's the right place to start by proactively focusing on security hygiene." Surf AI, founded in 2024, has been led since its inception by Grindlinger, who founded cloud application protection startup FireLayers in 2014 and sold it to Proofpoint in October 2016 for $45.6 million. Grindlinger then spent more than six years at Proofpoint overseeing the company's information protection products as well as its cloud strategy. Why Surf AI Is Starting With Proactive Hygiene Management The company has introduced AI-driven agents capable of executing security workflows autonomously in an effort to identify exposures and actively remediate them through automated processes. Grindlinger said the company's approach is to start with proactive hygiene management and gradually expand until AI can operationalize broader portions of the security program. "There's a lot of different assets you have: cloud assets, identity assets, data assets, IT assets," Grindlinger said. "There are just a variety, and it's constantly growing." AI agents now make it possible to continuously monitor environments and automatically correct hygiene issues, which Grindlinger said is increasingly necessary because attackers themselves are beginning to use AI to identify and exploit vulnerabilities. Organizations can't rely on quarterly or annual reviews of security configurations, and instead must manage hygiene continuously and automatically. "It's not a new problem," Grindlinger said. "It's just we never had the tool. And the good news is that with AI now, finally we can actually automate all of those hygiene processes." Enterprises contain countless digital assets that must be secured, including human identities, machine identities, tokens, certificates, files, cloud storage buckets, folders and applications. Surf AI has built a system that understands these assets deeply, including who owns them, who uses them and how they interact with other resources in the organization. This forms the foundation for automation, he said. "Our job as a product is both to understand those assets really well and to build a system of agents that can operationalize the workflows to protect them," Grindlinger said. "We need to be able to work with more and more asset types. There's just a lot of different assets types in enterprise organizations, probably thousands. A lot of types of identities and folders and files and applications." Why Systems of Record Will Remain Important Surf AI's context graph aggregates information from identity providers, HR systems, ticketing platforms, communication tools and the assets themselves, and it uses this information to determine ownership, dependencies and risk relationships. If an account is flagged as potentially vulnerable, the system must determine whether the employee is currently active and if the account is tied to automated processes. "How do we understand context? What are the fundamentals of context?" Grindlinger said. "Eventually you need human ownership of an asset. Even if this asset is not human, you need a human to own it." Systems of record will remain important because organizations still need centralized repositories that describe their environments and provide visibility to security teams, auditors and IT administrators. Many systems of record contain stale or inaccurate data since updates often rely on manual processes, meaning the recorded information about assets may not reflect the current state of the environment. "Humans eventually need to understand what's going on in my system," Grindlinger said. "And that's great that I have agentic systems with audit, but I want to have a centralized, unified, cross-enterprise system of record to reflect the situation. And that's why we have these deep integrations with those systems of record, and we constantly update them." Surf AI rarely encounters direct product rivals and instead gets questions from enterprise clients around whether they should build similar systems internally using AI models such as OpenAI or Anthropic. Building such systems at enterprise scale is more difficult than it initially appears since without a comprehensive understanding of asset relationships and dependencies, AI agents may make incorrect decisions, he said. "The security, consistency and quality of a product that actually works at scale is a lot harder than vibe coding," Grindlinger said.