Ocean is betting that the next wave of phishing won’t just be harder to spot—it will be faster to launch, more personalized, and increasingly capable of “learning” from how people respond. On May 19, the company announced that it raised $28 million to build and scale its agentic email security platform, with Lightspeed Venture Partners among the backers, according to reports.
The headline number matters, but the more interesting part is what Ocean is trying to do differently in a category that has historically relied on static detection: signatures, heuristics, and classification models that decide whether an email looks malicious. Ocean’s pitch is that modern phishing—especially AI-assisted phishing—doesn’t behave like a fixed pattern. It behaves like an interaction. It adapts to context, mimics tone, and often targets the human workflow around email rather than just the message itself. That shift is why Ocean is leaning into “agentic” security: systems that can take actions, not only label threats.
To understand why this matters, it helps to look at how phishing has evolved. Traditional phishing campaigns were noisy. They cast wide nets, used recognizable templates, and depended on volume. Even when they were effective, they were predictable: the same domains, the same lures, the same telltale inconsistencies. Security teams could build defenses around those patterns.
AI changes the economics. It reduces the cost of producing convincing copy, generating variations, and tailoring messages to specific roles or industries. Instead of one template, attackers can produce dozens—or thousands—of near-credible versions. Instead of generic language, they can write in the voice of a vendor, a manager, or a colleague. And because AI can help attackers iterate quickly, the “time-to-fix” for defenders becomes a problem: by the time a signature is created, the campaign has already moved on.
Ocean’s approach, as described in coverage of the funding, is designed to detect and respond to sophisticated email threats with automation and agents. The core idea is that email security can’t stop at identification. It needs to understand what the email is trying to accomplish and then intervene in the workflow before damage occurs—whether that means preventing a user from engaging with a malicious link, reducing the chance that credentials are harvested, or containing the downstream effects of a successful lure.
That “respond” piece is where agentic security becomes more than a buzzword. In many organizations, email security is a triage pipeline: alerts come in, analysts investigate, and users are trained to report suspicious messages. But AI-driven phishing compresses the timeline. Attackers don’t just send messages; they attempt to trigger immediate action—clicking, replying, approving payments, or entering credentials—often within minutes of delivery. If the defense is slow, even a high-accuracy classifier can still lose.
Agentic systems aim to close that gap by acting quickly and consistently. Rather than waiting for a human to decide what to do with each message, the system can run playbooks: evaluate the message in context, check signals across infrastructure, and then take steps that reduce risk. The goal isn’t to replace analysts; it’s to prevent the most damaging outcomes from happening while analysts focus on the exceptions and the truly novel threats.
This is also why Ocean’s funding story is tied to its leadership background. The founder’s origin—moving from teen hacker to researcher focused on Israel’s Iron Dome—signals a particular mindset: building systems that operate under pressure, where speed and reliability matter. Iron Dome is not an email security product, of course, but the underlying engineering philosophy—rapid detection, decision-making, and response in a high-stakes environment—maps well to the security problem Ocean is tackling. Email phishing may not be kinetic, but the operational reality is similar: adversaries probe constantly, and defenders need systems that can react in real time.
Ocean’s mission, as framed in reporting around the raise, is to protect inboxes from AI-powered phishing tactics. That includes the obvious threats—credential harvesting and malicious links—but also the subtler ones: social engineering that looks legitimate enough to bypass casual scrutiny, and messages that are crafted to exploit specific organizational habits. For example, a phishing email might not need to be “malicious” in the traditional sense. It might be a plausible request that nudges a user into taking an action that benefits the attacker. The more the attacker can blend into normal communication patterns, the less useful simple “badness” scoring becomes.
Agentic email security can help here by shifting the evaluation from “Is this email malicious?” to “What is this email likely trying to cause, and how should we respond?” That distinction sounds small, but it changes the design of the system. It encourages deeper contextual checks: who is the sender claiming to be, what is the relationship between sender and recipient, does the content match prior behavior, are there anomalies in the links or attachments, and what would happen if a user interacts with it? The system can then choose a response that fits the risk level and the likely intent.
One unique angle in Ocean’s positioning is that it treats email as an active channel rather than a static artifact. Attackers use email to initiate a chain of events: a click leads to a credential prompt, which leads to account access, which leads to further compromise. Defenders often focus on stopping the first step. But in practice, stopping the first step is hard when the first step is designed to look normal. Agents can incorporate additional signals and take action earlier in the chain—before the user’s behavior completes the attacker’s plan.
This is where the “agentic” part becomes operationally meaningful. A conventional security tool might flag a message and quarantine it. But what if the message is ambiguous? What if it’s a legitimate email that happens to contain a link that looks suspicious due to tracking parameters? What if the organization’s workflow requires users to interact with external vendors regularly? Over-quarantining creates friction and drives users to ignore warnings. Under-quarantining creates risk.
Agentic systems can be built to handle that tension by using graduated responses. Instead of a binary allow/deny, the system can apply different levels of intervention based on confidence and context. It can also adapt to feedback: if a user reports something as safe, or if an analyst confirms a threat, the system can update its understanding of similar patterns. While the details of Ocean’s internal mechanisms aren’t fully laid out in the funding coverage, the general direction is clear: the platform is designed to detect and respond, not just classify.
The funding itself—$28 million—suggests that investors see a market pull for this kind of approach. Lightspeed Venture Partners’ involvement indicates confidence that agentic security can move beyond prototypes and into enterprise deployments. Email security is a crowded space, but the category has been forced to evolve as attackers have changed their tactics. The rise of AI-generated content is simply accelerating a trend that was already underway: phishing is becoming more conversational, more targeted, and more operationally integrated into business processes.
There’s also a broader implication for how security teams will measure success. Historically, email security products have been evaluated on detection rates, false positives, and time-to-triage. Agentic platforms introduce a different metric: time-to-response and prevention of downstream harm. If an agent can stop a user from clicking a malicious link, or can neutralize a risky message before it reaches the inbox, the value is measured in incidents avoided—not just alerts generated.
That shift matters because AI phishing doesn’t just increase the number of threats; it increases the cost of each missed threat. A single compromised account can lead to fraudulent wire transfers, data exfiltration, or lateral movement. The attacker’s goal is often not to “hack” in the technical sense, but to manipulate trust. Email is the trust layer. If the attacker can get a user to trust the message, the rest of the attack becomes easier.
Ocean’s emphasis on responding to sophisticated threats suggests it’s aiming to reduce the window in which trust can be exploited. In practical terms, that means the platform must integrate with existing email systems and security workflows. It also means it must operate reliably at scale, because enterprise email volumes are enormous and security teams can’t afford to drown in alerts. Agentic systems, if implemented well, can reduce alert fatigue by handling routine decisions automatically and escalating only what truly needs human attention.
Another reason this funding story resonates is that it reflects a shift in how founders are approaching cybersecurity innovation. Many security startups are built by people who understand vulnerabilities and exploitation. Ocean’s origin story—teen hacker to Iron Dome researcher—points to a different emphasis: building resilient systems that make fast decisions under uncertainty. That’s a valuable skill set in security, where the environment is adversarial and the signal-to-noise ratio is often poor.
It also hints at why Ocean’s platform is described as “agentic.” Agents are essentially decision engines with the ability to act. In security, that means the system must be able to interpret evidence, weigh risk, and choose actions that are safe enough not to break business operations while still being aggressive enough to stop attacks. That balance is difficult. Too cautious, and attackers win. Too aggressive, and legitimate communications get disrupted.
The investor backing also suggests that Ocean is not just building a model, but a product that can fit into enterprise environments. Agentic security platforms require careful engineering around permissions, auditability, and integration. If an agent takes action—quarantines a message, rewrites a link, blocks a domain, or triggers a workflow—security teams need visibility into why it did so. They also need controls to tune behavior and ensure compliance with internal policies. In other words, agentic security isn’t only about intelligence; it’s about governance.
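The graduated, auditable response described above can be sketched as a small policy function. This is an added example, not Ocean's code or anything from the funding coverage; the signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Signal names, weights and thresholds are assumptions for illustration;
# the article does not describe Ocean's actual mechanisms.
@dataclass
class Signals:
    model_score: float               # classifier confidence of phishing, 0..1
    known_sender: bool               # prior correspondence with this recipient
    display_name_mismatch: bool      # claimed identity does not match address
    requests_payment_or_creds: bool
    has_external_link: bool

@dataclass
class Decision:
    action: str
    risk: float
    reasons: list = field(default_factory=list)  # audit trail for each action
    escalate: bool = False                       # route to a human analyst

# Tunable policy: (predicate, risk adjustment, reason recorded for audit)
ADJUSTMENTS = [
    (lambda s: s.display_name_mismatch, 0.25, "display name does not match address"),
    (lambda s: s.requests_payment_or_creds, 0.15, "asks for payment or credentials"),
    (lambda s: s.known_sender and not s.display_name_mismatch, -0.20,
     "established sender relationship"),
]

def decide(s: Signals, warn=0.30, rewrite=0.60, quarantine=0.85) -> Decision:
    risk = s.model_score
    reasons = [f"model_score={s.model_score:.2f}"]
    for applies, delta, reason in ADJUSTMENTS:
        if applies(s):
            risk += delta
            reasons.append(f"{reason} ({delta:+.2f})")
    risk = round(min(max(risk, 0.0), 1.0), 2)
    if risk >= quarantine:
        action = "quarantine"
    elif risk >= rewrite and s.has_external_link:
        action = "rewrite_links"
    elif risk >= warn:
        action = "warn_banner"
    else:
        action = "deliver"
    # The band just below quarantine is where automation is least certain,
    # so those messages also go to an analyst.
    return Decision(action, risk, reasons, escalate=rewrite <= risk < quarantine)
```

Each `Decision` carries the reasons behind the action, which is the visibility a security team needs when reviewing or tuning what the agent did.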
There’s another subtle point: AI phishing is not only about generating text. It’s about generating context. Attackers can use AI to craft messages that reference recent events, mimic internal jargon, and align with the recipient’s role. That makes it harder for defenders to rely on surface-level cues like grammar errors or inconsistent formatting. It
