
Human Behavior is Security's Blind Spot. We Built Cimento to Fix it

Zain Rizavi

Co-Founder & CEO

7 min read

The State of Human Risk Today

Enterprise security has spent decades protecting machines.

We've built sophisticated systems to monitor networks, secure endpoints, and detect anomalies across cloud infrastructure. Modern security teams can monitor what systems do in real time and respond when something is wrong.

But we forget that the Internet, and now modern AI, is no longer a static system; it is a dynamic environment that holds sensitive data, memories, and human lives, all of which move with us between work and personal worlds. Systems don't log into company platforms or social accounts; people do. We are what gets breached.

Today, 68% of breaches involve a human element, phishing accounts for more than 90% of cyberattacks, and the average breach costs $4.88 million.

Despite this, the way organizations manage human risk has barely changed.

Most companies still rely on annual training programs and periodic phishing simulations to check compliance requirements. These programs measure completion rates and audit readiness rather than whether employee behavior is actually becoming safer.

At the same time, the economics of social engineering have changed dramatically.

AI has made it easier and dramatically cheaper to generate convincing, personalized attacks at scale. Messages can mimic writing styles, reference real projects, and instantly target specific employees.

The threat has become responsive, but the defenses have not.

Security and Compliance teams also have little visibility into where human risk actually lives inside their organizations. Most Human Risk platforms still treat every employee the same, even though access levels and work patterns create dramatically different risk profiles.

A senior developer with access to production systems is a very different risk surface than a new hire with limited access. A C-suite executive who operates primarily through calls and text messages has a different relationship with technology than an intern working on Slack all day. Yet most security programs still rely on the same uniform training for everyone.

This all comes as a largely ungoverned attack surface is emerging: AI agents.

These systems increasingly operate inside enterprises with access to enterprise tools, data, and workflows. In many ways, they behave like employees, but there are few protocols to test or govern their responses to manipulation or social engineering attempts.

Human risk management is about accounting for both people and agents operating inside the enterprise, whether security teams are prepared for it or not.

Today, we're launching Cimento to be the fix.



Why We Built Cimento

Human risk has long been treated as a training problem rather than a security problem.

We created Cimento after seeing the same pattern on both sides of the table, within security teams and among investors evaluating the next generation of security companies. Despite billions spent, human risk wasn't improving. Backed by ~$3M in pre-seed funding from Bowery Capital, Indie VC, and a group of angels and security leaders from companies like Cloudflare, Palo Alto Networks, Cursor, Nvidia, and Okta, we've built the missing link: a system that treats human nature as a real-time security problem, not a periodic training exercise.

We believe the human layer should be managed with real-time monitoring, responses, and automated remediation. Instead of asking whether an employee completed training, Cimento asks:

How likely is this employee to be successfully attacked right now, and what should be done about it?

The very name reflects our philosophy: Cimento is an Italian word meaning 'trial, test, or experiment'. It has deep roots in the history of scientific rigor. Galileo's own disciples founded the Accademia del Cimento in Florence, one of the world's first scientific institutions. Their guiding principle was Provando e riprovando: testing and retesting. Nothing was accepted as true until it had been challenged, observed, and proven under real conditions.

That's exactly how we believe human risk (and AI agents) should be managed. Not assumed but continuously tested, measured, and refined.

As of today, we emerge from stealth already working with household names such as Gemini, DigitalOcean, Tensorwave, Together AI, Aryaka, Moveworks, and many more.


How Cimento Works

Cimento is an AI-native human risk management platform that builds a living risk profile for every employee.

The platform integrates with tools employees already use, such as email, IDPs, cloud providers, and the majority of existing security tools, to provide a unified risk profile that helps security and compliance teams understand how individuals typically work within the organization.

Cimento runs realistic social engineering simulations that mirror how real attackers operate. These simulations span email, SMS, and voice, and often unfold as multi-step sequences rather than isolated, one-click phishing attempts.

When risk is detected, Cimento delivers short, contextual interventions designed to change behavior in the moment. Employees receive brief guidance tied directly to what they just experienced, typically lasting 60–90 seconds.

The platform runs automatically, without campaigns to manage or content libraries to maintain. Each interaction feeds back into the system, continuously refining how risk is assessed and how future simulations adapt. We're acting as an extension of your security team and automating tasks so you can focus on outcomes.

Securing Humans and Agents

The same framework can extend to AI agents.

As organizations deploy more autonomous systems, agents have access to data, tools, and decision-making authority. Yet most organizations have little visibility into how these systems behave under manipulation attempts. Agents are also being used closely alongside humans, following a continuous loop of prompting, reasoning, acting, and observing.

Cimento is building the first system designed to test, score, and govern AI agents just like humans, allowing security teams to manage not only human risk but also the closely coupled agent risk.

Looking Ahead

Human behavior is the most exploited attack surface in enterprise security. But the tools designed to manage it were built for a different era: one where attacks were slower, less personalized, and easier to detect.

AI has fundamentally changed that equation.

Social engineering is faster and smarter. Security programs need to evolve just as quickly.

Cimento is built for a world where defenses adapt faster than the attackers.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.