Infrawatch Raises $3M to Catch Cyberattacks Before They Strike

Cybercriminals constantly rotate domains, accounts, and malware. Yet the infrastructure behind their attacks often stays the same. That is exactly where London-based cybersecurity startup Infrawatch comes in: the company is building a platform designed to identify suspicious internet infrastructure early and detect attacks and abuse before they escalate.

To that end, Infrawatch has now closed a pre-seed funding round of $3 million. The round was co-led by Outward VC and TriplePoint Ventures, with Portfolio Ventures and several angel investors also participating. Founder Lloyd Davies built the team in part with former employees from CrowdStrike, Recorded Future, and Intel 471.

Davies is direct about it: “I know from first-hand experience how broken infrastructure intelligence is today: fragmented data, noisy feeds, and taped-together workflows, where ‘real-time’ detection often means static daily updates in practice. Enterprises cannot keep up by patching together narrow intelligence feeds while the internet changes beneath them.” That is why Infrawatch was built from the ground up: “To turn one of the most underutilised aspects of cybersecurity into a practical defence layer that empowers defenders to act earlier and stop threats before they reach their customers, users or systems.”

Billions of signals from the internet, over 1,000 detection rules

The platform processes several dozen billion digital signals from the internet every day — including connections between servers, DNS queries, new domains, and other infrastructure data. From this, Infrawatch analyzes patterns of suspicious activity and assesses, among other things, how certain systems behave, who might be behind them, and whether they are linked to phishing, fraud, or cyberattacks.

In addition to more than 1,000 pre-built detection rules, security, fraud, and investigation teams can also define their own rules. This is intended to allow organizations to specifically track the threats that are relevant to their systems.

Threat intelligence experience and first international investigations

Founder Lloyd Davies brings experience from security research and threat intelligence. He worked, among other places, in PwC’s security intelligence team and at CrowdStrike, where he focused on nation-state cyber threats. There he witnessed first-hand how attackers leverage internet infrastructure — and how difficult existing tools make it to surface those activities early.

In April, Infrawatch published an investigation into a Belarus-based “SIM-Farm-as-a-Service” provider that, according to the company, was connected to operators in 17 countries.

The fresh capital is now set to flow into expanding the engineering and research teams as well as further developing the platform ahead of the planned general launch later this year. Infrawatch also plans initial enterprise deployments and expansion into the US, where the company says it is already seeing strong interest from security, fraud, and intelligence teams — so far without any active outbound sales or marketing, as investor Outward VC emphasizes.

Structural advantage

Investors see a structural advantage in Infrawatch’s approach. Sam Stone of TriplePoint Ventures explains: “While AI lowers the bar to carrying out cyber crime and drives up attack volumes, attackers at scale still depend on infrastructure to operate. We think Infrawatch offers the very best solution for society’s critical organisations to identify, understand, and disrupt that infrastructure.”

Andi Kazeroonian of Outward VC adds: “Hostile actors can spin up anonymised attack infrastructure in minutes, yet defenders often take months to discover a breach. That imbalance is impacting virtually every industry, and Infrawatch’s real-time detection of adversarial infrastructure at source tackles it head-on.”