Imagine you have a new home alarm system, and it alerts you that a back window is open. It’s no problem to go downstairs and lock it. But now you’re getting dozens of alerts an hour that every window, door, and vent is potentially open. What would you do?
Multiply that problem by a thousand and you’ll have a good sense of what it’s like to work in vulnerability management. An enterprise could have hundreds of thousands or even millions of software vulnerabilities open at a time. Any one of them could potentially be the way an attacker breaks into your system, causing a breach. But sifting through thousands of alerts to find the one that matters is extremely challenging, and the tools security teams have today – basic dashboards, enrichments, and rules-based scoring – only barely make a dent in the problem.
We need a fundamentally new approach: one that doesn’t just tweak existing workflows but is built from the ground up around intelligent AI systems. When we met the team at Maze, it was clear they shared our vision. We are excited to lead their $25 million Series A funding round, along with Cherry Ventures and Tapestry, to build the future of autonomous vulnerability management.
Every enterprise software platform is dangerously vulnerable – and it’s only getting worse. The number of software vulnerabilities increases by ~40% each year, and the average time that attackers take to exploit a new vulnerability has dropped from 63 days in 2018 to less than 5 today. It’s no wonder vulnerabilities keep executives up at night.
The core of the issue isn't finding vulnerabilities; it's the manual investigation that follows. Today’s vulnerability platforms aggregate and correlate data across sources, then apply rules-based scoring to try to prioritize them. But rules can only get you so far when every company is unique. A vulnerability that is “critical severity” and was found on a resource with customer data will always be flagged as a top priority – even if it’s entirely unexploitable because the machine is running the wrong operating system. Another that is “medium severity” might be ignored just because security teams don’t have the time to investigate it, even if it poses more of a real risk to the business.
The result is that highly skilled security engineers spend their days on tedious, repetitive investigations, discovering that up to 90% of alerts are ultimately not critical or actionable. It’s not just that they’re overwhelmed by the volume; they’re not spending time on the right issues in the first place.
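To make the failure mode above concrete, here is a small added illustration (not Maze's code, and not anything described on this page beyond the two scenarios in the paragraph): a static severity-plus-data-sensitivity rule is compared with a scorer that first checks whether the finding can apply to the host at all. The finding records, CVE-style identifiers and host names are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Finding:
    """One scanner finding joined with the asset it was found on (constructed shape)."""
    cve_id: str                 # placeholder identifier, not a real CVE
    severity: str               # scanner's qualitative severity: low/medium/high/critical
    affected_platform: str      # OS family the vulnerable build actually runs on
    host: str
    host_os: str
    holds_customer_data: bool
    internet_exposed: bool
    vulnerable_package_installed: bool

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def rules_based_score(f: Finding) -> int:
    """Static rule of the kind the paragraph criticises: severity, bumped for customer data.
    It never asks whether the finding can actually be exploited on this host."""
    score = SEVERITY_RANK[f.severity]
    if f.holds_customer_data:
        score += 2
    return score

def context_aware_score(f: Finding) -> int:
    """Applicability first: a finding whose platform or package does not match the host
    scores 0 and drops out of the queue; exposure then outweighs data sensitivity."""
    if f.affected_platform != f.host_os or not f.vulnerable_package_installed:
        return 0
    score = SEVERITY_RANK[f.severity]
    if f.internet_exposed:
        score += 2
    if f.holds_customer_data:
        score += 1
    return score

def prioritize(findings: List[Finding], scorer: Callable[[Finding], int]) -> List[str]:
    """Return finding ids in descending score order, dropping anything scored 0."""
    ranked = sorted(findings, key=scorer, reverse=True)
    return [f.cve_id for f in ranked if scorer(f) > 0]

# Constructed sample: the "critical + customer data" finding is for a Windows build
# sitting on a Linux host; the "medium" finding is on an internet-facing host that
# really has the vulnerable package installed.
FINDINGS = [
    Finding("FAKE-CVE-0001", "critical", "windows", "db-01", "linux", True, False, True),
    Finding("FAKE-CVE-0002", "medium", "linux", "web-07", "linux", False, True, True),
    Finding("FAKE-CVE-0003", "high", "linux", "build-03", "linux", False, False, False),
]

if __name__ == "__main__":
    print("rules-based  :", prioritize(FINDINGS, rules_based_score))
    print("context-aware:", prioritize(FINDINGS, context_aware_score))
```

The rules-based queue puts the unexploitable critical at the top and the genuinely exposed medium at the bottom, while the applicability check leaves only the exposed medium in the queue. Real triage needs far more than two checks (reachability, compensating controls, exploit availability), which is exactly the investigative work the paragraph says engineers currently do by hand.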
Maze is driving a paradigm shift in security that is built from the ground up for autonomous agents, versus layering AI on top of existing solutions. This is a truly AI-native security product, where every decision is made by AI agents, not static rules. Maze's agents replicate the investigative workflow of expert security engineers. They connect to existing security tools, perform research, simulate attack paths, and reason on the results. Instead of static prioritization scores, Maze delivers a short, validated list of the threats that demand immediate attention, along with human-readable justifications.
The results of this agent-first approach are mind-blowing. With our portfolio company Dropzone, we’ve seen that AI agents can be superhuman at resolving operational alerts, and at Maze, we see the same capabilities in managing vulnerabilities. As attackers, enabled by AI tools, move ever faster, all companies must adopt an AI-first approach to transform security from reactive to proactive.
Despite the marketing hype, very few companies can successfully build AI-native products in complex environments like security. Doing so requires a deep understanding of AI and experimentation, data models and integrations, and product design for the new collaborative workflows emerging between humans and AI.
Maze founders Harry, Adrian, and Santiago bring together exactly these skillsets, with deep experience across AI, data infrastructure, product/design, and security at companies like Tessian, Elastic, Amazon, and Monad. When starting Maze, they were motivated by a frustration with the status quo of the security industry. Maze’s goal is to build a very different type of security company: one that doesn’t overhype its capabilities, that is product-first and cares about user experience, that is customer-first instead of sales-first, that doesn’t use an alphabet soup of acronyms (you’ll notice the only one in this blog post is “AI”).
We believe Maze will set a new standard not just for vulnerability management but for how security products are built and delivered. Their ambitions are huge: to be at the forefront of the generational shift that will see all security software become AI-native. We are incredibly excited to be on this journey with them.
To join their mission to end vulnerability backlogs for good, view the open roles at Maze here.
Enterprise software has been stuck in time for decades. Too deeply embedded to replace, the same systems of record (SORs)—Salesforce, SAP, Oracle—have been the unshakable backbone of businesses.
But these platforms weren’t built to make work efficient; they were built simply to track it. They require years of customization, layers of bespoke code, and an army of consultants to function. The result? A spaghetti of legacy tech that companies are terrified to touch. Newer SaaS platforms couldn’t break through because the cost and pain of switching always outweighed the benefits.
That equation has just flipped. AI is here, and it’s ripping the old enterprise stack apart.
The Legacy Lock-In Problem
For years, the argument for SORs was simple: they were the single source of truth, a custom-built solution that enterprises couldn’t function without. They stored customer data, processed transactions, and tracked business activities.
The problem is they were built for an era where humans did all the work. While some SORs built automated workflows around the margins, most tasks were left for the human. These were systems where people had to manually input data, run processes, and jump between applications. That inefficiency didn’t matter because there wasn’t an alternative—until now.
Why AI Is the Breaking Point
AI won’t just make these systems better. It will change how SORs work entirely.
How Startups Take Down the Giants
What will this opportunity look like in practice? There are two paths:
1. Workflow-First (The Trojan Horse Approach)
Start by automating a high-friction workflow—something painful, manual, and critical. Sales teams, finance teams, HR teams — they’ve all built out cumbersome processes on top of their SORs. An AI-powered workflow tool can swap in for these and automate most of the work.
At first, the legacy system is still there. But over time, people stop logging into it and it becomes a generic backend database. At some point, companies realize: Why are we paying millions for this thing we barely use? That’s when they make the switch.
2. Full Replacement (The Hard but Inevitable Play)
Some categories—like ERP—only work if you own the whole stack. You can’t automate workflows in a fragmented system. You need full data control, deep integrations, and an AI-native foundation.
This is a big bet. It’s harder and takes longer, but the upside is generational and the competition is thinner. Just like Figma didn’t win by layering on top of Photoshop—it built a fundamentally better, cloud-native editor—AI-first ERPs, CRMs, and financial systems will replace legacy players entirely. The startups that pull this off won’t just be new SaaS companies; they’ll be the next Salesforce.
This Isn’t a Theory—It’s Already Happening
We’ve seen early signals of what happens when AI collides with legacy business software.
For example, our portfolio company Doss is an AI-first adaptive ERP and data platform that can be easily configured and modified for any business workflow. Rather than allowing customers to simply modify UI or reports, Doss fundamentally makes it possible to change the data model, business logic, and application, all without third-party code. No matter the industry, implementations that would have taken a year can be completed in days to weeks.
The CRM space is also evolving rapidly. Today’s CRMs are designed primarily to track activity as a prospect moves through the sales funnel. With AI, they will turn into operational platforms where people manage AI agents to do automated prospecting, outreach, and account management. Attio, Clay, Rox, Day, and others are building for this future; some as workflow tools that operate existing systems, others replacing the CRM entirely.
Overhauling SORs Resets Enterprise Software
Markets like this don’t open up often. For years, the prevalence of incumbents made switching impossible and innovation incremental, but that time has passed.
The next decade will be defined by AI-first enterprise software that automates entire workflows and makes legacy SORs obsolete. Companies will either adopt or die.
For startups, this is a once-in-a-generation window — build now, or watch someone else do it — and for enterprises, it’s the right time to get ahead of the curve on implementation.