Back to blog

A Proactive System of Intelligence for Security: Our Investment in Artemis

Apr 15, 2026

The SIEM was supposed to be the brain for security operations. Instead, it has become an overpriced filing cabinet. Companies pay millions each year to store security logs, then millions more in labor to try to make sense of them.

The core promise of these platforms was to turn raw data into security outcomes: detecting threats, surfacing what matters, enabling fast response. But legacy SIEMs have failed to deliver on that promise. 

They collect massive quantities of data, but the detection, investigation, and threat hunting workflows built on top of them are almost entirely manual. Security teams rely on brittle, hand-written rules that generate massive alert noise while missing real threats. As data volumes grow 30-40% annually and vendors charge by the gigabyte, teams are forced to drop data to control costs, creating blind spots that attackers are happy to exploit.

With AI-powered attackers coming, every business will need proactive defenses. And for proactive defenses, we need a platform that doesn't just store and search data, but reasons about it autonomously. 

When we started talking to Shachar Hirshberg and Dan Shiebler about their vision for Artemis, it was clear they shared this conviction. We are so excited to partner with them at the Series A, along with our friends at Felicis, Brightmind, and First Round, to build the AI-native protection platform for the next era of cybersecurity.

The detection engineering treadmill

The root cause of the SIEM's failure isn't performance or cost, though both are painful. It's that legacy platforms have no understanding of what they're looking at. 

To a traditional SIEM, a log is just a string of text. It has no fundamental understanding that "jdoe" in Okta and "john.doe" in AWS are the same person, or that a sequence of individually benign actions might constitute an attack.

The consequences play out the same way at every company. An engineer writes a detection rule: "if events A, B, and C happen in sequence, fire an alert." It works for a couple months. Then a new service gets added, log formats change, and the rule breaks. They fix it, but now it's too noisy, generating hundreds of false positives that overwhelm analysts. They tune it tighter, and it starts missing real threats. 

Multiply this across hundreds of rules, and the result is a team that spends the vast majority of its time maintaining broken tooling rather than searching for or investigating actual attacks.

Closing the loop: from reactive alerts to autonomous protection

Artemis takes a fundamentally different approach, built from the ground up for proactive, agent-led security. 

Their platform ingests data and turns them from raw logs into a living model of the customer's environment: users, assets, relationships, security posture, and even cost inefficiencies. On top of this, they are able to build an entirely new type of security platform with:

  • Autonomous, closed-loop learning: With each incident (or proactive threat hunt), Artemis identifies new patterns or missing signals. These are converted into permanent detections that are researched, validated, and maintained, fully autonomously, driving investigation and remediation with high precision.
  • Agentic detections: Today’s detections are all simple data queries, which are brittle and noisy. Artemis’ detections themselves can include multi-step reasoning agents that dynamically query data, perform aggregations, and reason about context to confirm a threat before ever surfacing an alert.

For teams using today’s SIEMs, the impact is jaw-dropping. Legacy platforms get worse over time: static detections degrade with changing data and behaviors, requiring constant maintenance and countless hours spent chasing down false signals. Artemis gets better over time: it detects, investigates, and responds autonomously, and every incident makes the system smarter across the full security lifecycle.

Artemis is designed to deliver value quickly; it can connect to a single data source and immediately generate better detections, then expand to replace the entire SIEM when a customer is ready. This has allowed them to move incredibly fast: within a few months, they have more than a dozen production enterprise deployments and are processing over a billion events per hour. 

It’s no surprise that the founders behind Artemis have built the detection engines behind two of the most successful security products of the last decade. Shachar led the Amazon GuardDuty product, scaling the business to over 80,000 customers. Dan built and led the 60-person AI/ML team at Abnormal Security. We believe they will define what it means to build an AI-native security platform. 

If you're interested in learning more or joining this mission, check out the open roles at Artemis here.

Andy Triedman
Andy Triedman
Connect on LinkedIn
Share article
Previous article
Next article

Get the latest in AI & data, straight to your inbox.

Thanks for subscribing!
Oops! Something went wrong while submitting the form.
© 2026 Theory Ventures, LLC