Protect AI: $129M AI Security Startup Acquired 2025
Protect AI was a Seattle-based AI security startup founded in 2022 by Ian Swanson. It raised $129 million and built three products: Guardian (machine learning model scanner), Radar (AI risk assessment platform), and LLM Guard (open-source LLM protection, 2.5 million downloads per month). Palo Alto Networks acquired the company in July 2025 for over $500 million, integrating it into Prisma AIRS.
Founded in 2022 in Seattle, Protect AI was an AI and machine learning security company that raised $129 million across three funding rounds before being acquired by Palo Alto Networks in July 2025 for over $500 million. The company built Guardian (ML model scanner), Radar (AI risk management), and LLM Guard (open-source prompt injection defense with 2.5 million monthly downloads), now part of Palo Alto Networks Prisma AIRS.
Founded: 2022 · HQ: Seattle, WA, USA · Team: 32 · CEO: Ian Swanson (now VP AI Security Products at Palo Alto Networks) · Funding: $129M total raised across 3 rounds (seed 2022, Series A 2023, Series B $60M Aug 2024 led by Evolution Equity Partners) · Valuation: $400M at Series B (Aug 2024); acquired by Palo Alto Networks for $500M+ in July 2025
About Protect AI
Protect AI was founded in 2022 in Seattle, Washington by Ian Swanson, Daryan Dehghanpisheh, and Badar Ahmed. Swanson served as CEO and is a serial entrepreneur who previously founded DataScience.com (acquired by Oracle in May 2018) and Sometrics (acquired by American Express in 2011), where he launched the industry's first global virtual currency platform. Dehghanpisheh and Ahmed brought leadership backgrounds from Amazon and Oracle, giving the founding team direct expertise in enterprise ML infrastructure at scale. The company was incorporated as a C-Corp with the thesis that AI and ML systems moving into production introduced entirely new attack surfaces that traditional cybersecurity tools were not built to address: model files could carry backdoors, data pipelines could be poisoned, and LLM-powered chatbots were vulnerable to prompt injection attacks that could extract sensitive information or hijack model behavior.
Protect AI built a four-product portfolio covering the full AI security lifecycle. Guardian is the company's flagship enterprise scanner, checking ML model files in 35-plus formats (including PyTorch, TensorFlow, ONNX, Keras, Pickle, GGUF, and Safetensors) for malicious code, deserialization attacks, and architectural backdoors before deployment. Radar is an AI risk assessment and management platform that monitors an organization's ML supply chain, tracking vulnerabilities in datasets, foundation models, and open-source ML libraries, with native integration into Guardian for automated portfolio scanning. LLM Guard, a free open-source Python library, applies 35 input scanners to user prompts and 20 output scanners to model responses in real time, blocking prompt injection, PII leakage, harmful content, code injection, and 30-plus additional threat categories.
NB Defense, the fourth product, secures Jupyter notebooks used by ML engineers, scanning for exposed credentials, dependency vulnerabilities, and other risks specific to notebook-based ML development.
In January 2024, Protect AI acquired Laiyer AI, the company behind the open-source LLM Guard project, and launched a commercial-grade version with enterprise management features, compliance reporting, and custom scanner development capabilities. Guardian received updates in 2024 to add support for GGUF and Safetensors formats, covering the dominant packaging formats for publicly distributed LLMs on repositories like Hugging Face. A 2024 security study supported by Protect AI's research team identified thousands of publicly available model files containing malicious payloads, validating the need for model scanning in any ML pipeline that consumes external models. LLM Guard reached 2.5 million monthly downloads, establishing the open-source project as the reference implementation for LLM prompt and output security. Ian Swanson was honored by Goldman Sachs for entrepreneurship in October 2024, and the company won the SINET16 Innovator Award recognizing it among the 16 most innovative emerging cybersecurity technologies of the year.
Protect AI raised $129 million in total venture funding across three rounds from 14 investors. The seed round of approximately $13.5 million was raised in 2022, followed by a Series A in 2023. The company completed a $60 million Series B in August 2024, led by Evolution Equity Partners. Major investors include Boldstart Ventures, Acrew Capital, Salesforce Ventures, Samsung's Venture Investment Corp., and 01 Advisors.
Palo Alto Networks announced the intent to acquire Protect AI on April 28, 2025 and completed the acquisition on July 22, 2025 for a reported price exceeding $500 million, with some industry sources citing figures of $650 to $700 million, representing a roughly 4x to 5x return on the total $129 million invested by venture investors.
Protect AI operated a freemium business model with LLM Guard available as free, self-hosted open-source software and the commercial Guardian and Radar platform sold via enterprise contracts. No public pricing tiers were published; organizations needed to contact the sales team for commercial pricing. Revenue came primarily from enterprise contracts in regulated industries where AI security review and model scanning had become mandatory deployment gates. The open-source LLM Guard project functioned as the primary top-of-funnel motion, converting high-volume open-source users into enterprise platform customers. The company's ARR was not publicly disclosed before acquisition.
Ian Swanson served as CEO from founding through acquisition and became Vice President of AI Security Products at Palo Alto Networks following the deal's close in July 2025. Daryan Dehghanpisheh and Badar Ahmed co-founded the company alongside Swanson. Before the acquisition, Protect AI employed approximately 110 people across engineering, product, sales, and security research. The company operated from Seattle as its primary hub, with additional offices in Berlin, Germany and Bangalore, India. After integration into Palo Alto Networks, the standalone Protect AI entity retains approximately 32 employees as of early 2026, with the core technical team embedded in Palo Alto Networks' AI security product units.
Protect AI's mission was to make AI and ML systems safe and secure for enterprise production use by addressing the attack surfaces unique to AI: training-time data poisoning, distribution-time model file tampering, and inference-time prompt manipulation.
The company ran an active security research program, publishing vulnerability disclosures for MLflow, Hugging Face model hub components, and H2O through a coordinated disclosure process that covered widely deployed ML platforms. Protect AI's threat research helped define the practice of MLSecOps (machine learning security operations), contributing frameworks for integrating model scanning and LLM guardrails into standard DevOps pipelines. Post-acquisition, the research mission continues inside Palo Alto Networks' Unit 42 threat intelligence team.
Protect AI competed with Lakera AI (LLM prompt injection detection), Mindgard (automated AI red teaming), and WhyLabs (ML observability and data drift detection), as well as broader cloud security vendors adding AI-specific features. Protect AI's edge was breadth: while most competitors focused on a single layer (either runtime LLM security or model file scanning), Protect AI covered both the ML model supply chain and LLM runtime in one platform. The open-source LLM Guard project gave distribution reach that pure enterprise vendors lacked. The company's primary limitation was team size: at ~110 employees it was competing against security giants with thousands of engineers. The Palo Alto Networks acquisition directly addressed that scale constraint, putting Protect AI's technology in front of tens of thousands of enterprise customers worldwide through the Prisma AIRS platform.
AI security became a compliance requirement during 2024-2025 as the EU AI Act mandated risk assessments for high-risk AI systems and the NIST AI Risk Management Framework gave U.S. organizations structured guidance. Protect AI published guidance on EU AI Act compliance for ML teams and engaged with NIST on AI supply chain security standards. Guardian's model scanning reports and Radar's risk inventories provided auditable records that satisfy regulator requests for AI system documentation.
Palo Alto Networks' acquisition brought Protect AI's technology into an organization with deep U.S. federal relationships and existing FedRAMP-authorized products, opening the path for Protect AI's tools to reach government agencies seeking AI security solutions.
Following the July 2025 acquisition, Protect AI's products became core components of Palo Alto Networks' Prisma AIRS platform, the company's unified AI security offering sold to enterprise and government customers globally. LLM Guard remains available as open source at github.com/protectai/llm-guard. The protectai.com domain continues to host product documentation and security research. The Protect AI technology stack is now backed by Palo Alto Networks' global sales organization, customer success teams, and integration partnerships with major cloud providers, representing a distribution scale that was not achievable as a standalone 110-person startup.
Mission
Make AI and machine learning systems safe and secure for enterprise production use by addressing the attack surfaces unique to AI: model tampering, data poisoning, and prompt injection.
Products
- Guardian (ML model security scanner): https://protectai.com/guardian
- Radar (AI risk assessment platform): https://protectai.com/radar
- LLM Guard (Open-source LLM security toolkit): https://protectai.com/llm-guard
- NB Defense (Jupyter notebook security tool): https://protectai.com/nbdefense
Frequently Asked Questions
What is Protect AI and what do they build?
Protect AI is an AI and machine learning security company founded in 2022 in Seattle, Washington, that built tools to scan, monitor, and protect enterprise AI systems against model-level attacks, prompt injection, and supply chain threats. The company was acquired by Palo Alto Networks in July 2025 for over $500 million, and its products are now integrated into Palo Alto Networks' Prisma AIRS platform. Protect AI's flagship product, Guardian, scans ML model files in 35-plus formats (PyTorch, TensorFlow, ONNX, Pickle, GGUF, Safetensors, and more) to detect malicious code, deserialization attacks, and architectural backdoors before a model is deployed. Radar is the company's AI risk assessment platform, providing visibility into vulnerabilities across the ML supply chain including datasets, foundation models, and open-source libraries. LLM Guard, Protect AI's open-source toolkit, applies 35 input scanners and 20 output scanners to LLM interactions in real time, blocking prompt injection, data leakage, harmful content, and PII exposure; it reached 2.5 million monthly downloads before the acquisition. The company served customers in automotive, energy, manufacturing, life sciences, financial services, and government sectors. NB Defense, a fourth product, secured Jupyter notebooks used by ML teams building and testing models.
Who founded Protect AI and who is the CEO?
Protect AI was co-founded in 2022 by Ian Swanson (CEO), Daryan Dehghanpisheh, and Badar Ahmed. Ian Swanson is a serial entrepreneur who previously founded DataScience.com, an enterprise ML platform acquired by Oracle in May 2018, and Sometrics, a virtual currency company acquired by American Express in 2011. Before his startup career, Swanson held executive roles at American Express and Sprint, giving him both large-enterprise and early-stage operating experience. Daryan Dehghanpisheh and Badar Ahmed brought leadership experience from Amazon and Oracle, which informed the team's focus on the security gaps inside production ML infrastructure at large companies. The founding team built the company around the thesis that AI adoption was racing ahead of security tooling, creating exploitable gaps that standard cybersecurity products were not designed to close. Following the Palo Alto Networks acquisition in July 2025, Ian Swanson became Vice President of AI Security Products at Palo Alto Networks, leading the AI security product line within the broader Prisma platform. Goldman Sachs honored Swanson for entrepreneurship in October 2024, and Protect AI won the SINET16 Innovator Award in the same year.
How much funding has Protect AI raised?
Protect AI raised $129 million in total venture funding across three rounds from 14 investors before being acquired. The company's first round of approximately $13.5 million was raised in 2022 shortly after founding, followed by a Series A in 2023. The company completed a $60 million Series B in August 2024, led by Evolution Equity Partners. Key investors include Boldstart Ventures, Acrew Capital, Salesforce Ventures, Samsung's Venture Investment Corp., and 01 Advisors, reflecting a mix of dedicated cybersecurity funds and strategic enterprise technology investors. Palo Alto Networks announced the acquisition on April 28, 2025 and completed it on July 22, 2025 for a reported price exceeding $500 million, with some industry sources citing figures in the $650 to $700 million range. The acquisition represented a substantial exit for investors relative to the $129 million raised. No IPO was pursued; the company exited via acquisition at the peak of enterprise demand for AI security tooling in 2025.
What products does Protect AI make?
Protect AI built four products targeting different layers of AI system security. Guardian is an enterprise ML model security scanner supporting 35-plus file formats that detects deserialization exploits, injected code, and architectural backdoors hidden in model files; it integrates with model registries and CI/CD pipelines for automated scanning at deployment time. Radar provides AI risk management and supply chain visibility, monitoring an organization's ML asset inventory for vulnerabilities in datasets, foundation models, and open-source ML libraries. LLM Guard is a free, open-source Python library at github.com/protectai/llm-guard that wraps LLM API calls with real-time scanners for 30-plus threat categories including prompt injection, PII exposure, toxic content, and code injection; 2.5 million downloads per month made it the reference implementation for LLM prompt security. NB Defense secures Jupyter notebooks used by ML engineers by scanning for exposed credentials, unsafe dependencies, and other notebook-specific risks. All four products are now distributed as part of Palo Alto Networks Prisma AIRS. Pricing for the commercial platform was not publicly listed; enterprise contracts required direct sales engagement.
Where is Protect AI headquartered and how big is the team?
Protect AI was headquartered in Seattle, Washington, with additional offices in Berlin, Germany and Bangalore, India. Before the Palo Alto Networks acquisition in July 2025, the company employed approximately 110 people across engineering, product, sales, and security research roles. The founding team's background at Amazon, Oracle, and American Express drove a Seattle and enterprise-adjacent hiring strategy rather than a Bay Area concentration. After the acquisition closed in July 2025, the majority of Protect AI's technical and commercial team was integrated into Palo Alto Networks product organizations. The standalone Protect AI entity retained approximately 32 employees as of early 2026, with the core team embedded within Palo Alto Networks' AI security product units. The company did not publicly disclose a remote work policy; its three-office presence across the US, Germany, and India suggested a distributed work structure.
What is Protect AI's mission or research focus?
Protect AI's mission was to make AI and machine learning safe and secure for enterprise production use by addressing attack surfaces unique to AI systems: training-time data poisoning, distribution-time model file tampering, and inference-time prompt injection and output manipulation. The company ran an active security research program, publishing vulnerability disclosures for MLflow, Hugging Face model hub components, and H2O through a coordinated disclosure process covering widely deployed ML platforms. Protect AI's threat research team identified and disclosed thousands of malicious model files on public repositories, demonstrating that model file backdoors were an active exploitation vector rather than a theoretical concern. The company contributed to the emerging practice of MLSecOps (machine learning security operations), defining frameworks for integrating model scanning and LLM guardrails into standard DevOps pipelines. The team published guidance on EU AI Act compliance for enterprise ML teams and engaged with NIST on AI supply chain security standards. Post-acquisition, the research mission continues inside Palo Alto Networks' Unit 42 threat intelligence team and the Prisma AIRS product organization.
Is Protect AI compliant with SOC 2, GDPR, HIPAA?
Protect AI did not publish a public trust center or disclose specific compliance certifications before its acquisition by Palo Alto Networks in July 2025. Protect AI's products operate on customers' own infrastructure and ML systems, making them tools for achieving compliance rather than SaaS data processors subject to the usual third-party compliance requirements. LLM Guard is fully self-hosted with no data sent to Protect AI's servers, making GDPR and HIPAA data-processor requirements not applicable for deployments using the open-source version. The commercial Guardian and Radar products are now governed by Palo Alto Networks' compliance posture, which includes SOC 2 Type II and ISO 27001 certifications across the Prisma platform. Enterprise customers with HIPAA or FedRAMP requirements can obtain relevant compliance documentation for the integrated Prisma AIRS offering from Palo Alto Networks directly. Specific pre-acquisition compliance certification documentation for the standalone Protect AI product line was not publicly available.
Who are Protect AI's main competitors?
Protect AI's primary competitors in AI/ML security included Lakera AI (specialized in LLM prompt injection detection and guardrails for real-time deployments), Mindgard (automated red teaming and adversarial testing for AI models), and WhyLabs (ML observability, drift detection, and data quality monitoring). Against Lakera AI, Protect AI had the advantage of broader product coverage spanning both ML model supply chain security (Guardian) and LLM runtime protection (LLM Guard), while Lakera focused purely on real-time LLM prompt filtering with a simpler deployment model. Against WhyLabs, Protect AI was focused on security threats rather than model performance and data quality, though both platforms gave visibility into production ML systems. Mindgard's automated red teaming targeted teams wanting to proactively attack-test models, complementing rather than directly competing with Protect AI's scanning and monitoring approach. The Palo Alto Networks acquisition changed the competitive dynamic fundamentally: Protect AI's technology is now backed by a sales force of thousands and an installed base of tens of thousands of enterprise customers, outpacing standalone AI security startups on distribution. Emerging competition in 2025-2026 comes from hyperscalers (AWS, Azure, Google Cloud) adding native model scanning and LLM guardrail features directly to their ML platforms.