Organisations are ramping up their AI adoption, with more than two-thirds of respondents in a McKinsey survey noting pilots or significantly more widespread use to speed up tasks or swap out some roles altogether. That AI efficiency drive, however, might come at a significant, unintended security cost — a situation that is particularly risky if the organisation in question is in defence or other critical industries.
Now a wave of businesses are emerging to address that cyber-risk. A London startup called RevEng.AI has developed a platform for defence and critical infrastructure operators to run and verify AI-generated software ahead of it being deployed in live, sensitive systems. The startup today is announcing that it has raised $15 million in funding to expand its business.
The Series A round has a number of notable, strategic backers. The NATO Innovation Fund (NIF) is leading the funding, with In-Q-Tel (the strategic investment arm with links to the CIA and other US government entities), IQ Capital, Sands Capital, and Episode One also participating.
The fact that NIF and In-Q-Tel are in this round speaks to two points.
The first is the scrutiny that governments are putting on the prevalence of AI-written code generated on third-party commercial platforms, and on the vulnerabilities that code can create.
That weakness, of course, represents a strength to malicious actors. Witness the response to Anthropic’s Mythos, a cyber tool that in its testing phase was shown to be able to autonomously find and exploit IT vulnerabilities: in the wrong hands, that kind of capability shows both the power and weakness of AI.
“[NIF’s] backing is a strong validation that this problem matters at both a commercial and national security level,” James Patrick-Evans, PhD, RevEng.AI’s founder and CEO, told Resilience Media. “In practical terms, it gives us access to a network of government, defence, and critical infrastructure stakeholders who are facing increasingly sophisticated software and supply chain threats. It also accelerates our ability to deploy our technology in real-world, high-consequence environments where software assurance, vulnerability discovery, and threat analysis are mission critical.”
The second is a measure of the traction that RevEng.AI has had in tackling that problem so far.
“It reinforces our belief that a new AI-native approach is needed to secure the organisation from the cyber threats of tomorrow and that understanding the binary artifact in software supply chains is becoming strategically important, not just developer tooling,” added Patrick-Evans.
The funding comes less than a year after RevEng.AI emerged from stealth with a $4.15 million seed round led by Sands Capital.
RevEng is short for “Reverse Engineering” — a technique that is key to a lot of how cybersecurity platforms work. In its case, the startup has built a platform, anchored by its “BinNet” AI model, that it says evaluates code “at the binary level.” It analyses compiled executables, firmware, and third-party software. It claims it can do this without needing access to underlying source code.
The company is a graduate of the UK’s NCSC for Startups programme, and it says that BinNet has been trained alongside allied government cyber units and commercial security teams to identify hidden vulnerabilities, malicious functionality, suspicious changes between software releases, and undeclared components buried inside binaries.
Software supply chain attacks have become a persistent headache for governments and defence organisations, particularly where critical systems rely on commercial software, open source dependencies, and vendor updates that are rarely inspected in full before deployment.
The problem is becoming even messier as AI coding tools evolve from autocomplete assistants into autonomous coding agents capable of generating and modifying large amounts of software with minimal human review.
RevEng argues that traditional application security tooling, which largely focuses on source code and package metadata, no longer provides enough visibility into what actually ends up running on machines. The solution is to peel back to basics.
“In a world where AI increasingly writes the code, the only universal source of truth is the executable binary files that actually run on machines,” said founder and chief executive James Patrick-Evans in a statement. “Much of the software being built today is never reviewed or seen by a human.”
The company claims its platform automates reverse engineering work that would otherwise require expensive specialist expertise, allowing organisations to verify software integrity faster and on a larger scale before deployment.
The scale of the problem speaks to what “critical” means today: not just defence organisations, but how a wide range of enterprises and individuals are adopting AI and the potential problems that poses for security.
“RevEng.AI addresses one of the most fundamental and underserved vulnerabilities facing governments and economies today: the inability to verify, at scale, whether the compiled software running inside critical systems is safe,” said David Ordonez, senior associate at the NATO Innovation Fund, in an email to Resilience Media. “Every government network, every bank, every hospital, every energy grid, and every piece of civilian infrastructure runs on binary code that, until now, could only be inspected manually by a small number of highly specialised analysts. That process costs thousands of dollars per file and can only cover a handful of binaries per day.” He added that the startup’s platform can interpret compiled software “at a fraction of the cost and at speeds thousands of times faster than any alternative.”
RevEng says it is already working with enterprise and defence customers, although it has not publicly disclosed specific deployments. The funding will be used to expand the platform and scale operations as governments and industry scramble to secure increasingly AI-generated software stacks.
The problem is only going to become bigger. Ordonez pointed out that AI tools are now generating close to half of all new code written by developers.
“This is transforming how software is built across every sector, including defence and critical infrastructure,” he said. “The concern is that the speed of AI-assisted development is outpacing the ability to verify what that code actually does. Research has consistently shown that a significant proportion of AI-generated code contains security flaws, and the number of recorded vulnerabilities traced directly to AI-generated code is rising month on month.” And that’s before you consider how adversaries might use AI to produce malware that looks like legitimate software, evading conventional detection tools — which is one of the big worries with cybersecurity tools like Mythos: in the wrong hands you can see how abuse would become unstoppable.
“Allied governments are right to be concerned, and it is one of the reasons we believe capabilities like RevEng.AI’s, which can verify compiled software at scale regardless of how it was written, are becoming essential infrastructure.”










