Exclusive: ThreatModeler, the cybersecurity company backed by Invictus, acquires competitor IriusRisk for over $100 million

Posted on by

AI coding tools have enabled developers to build software applications more quickly than ever before, yet the risk of hacks and exploits is increasing at the same pace. ThreatModeler, a cybersecurity firm that assists developers in spotting vulnerabilities in their applications, revealed on Thursday that it is purchasing its biggest competitor, IriusRisk. The transaction is valued at more than $100 million, per a source with firsthand knowledge, who also noted that the combined companies’ annual recurring revenue stands at approximately $50 million. 

In an interview with , ThreatModeler CEO Matt Jones stated that his company aims to “democratize” vulnerability detection—at a time when many organizations have to rely on basic tools from bigger platforms such as or use AI for threat modeling, which Jones contends is inadequate and can result in significant risks. Jones added that the acquisition will allow ThreatModeler to keep up as companies expand their coding capabilities to an unprecedented degree. “Being able to bring the two leaders together,” he said, “lets us be far more aggressive with our roadmap.” 

Attack surface

Established in 2010, New Jersey-based ThreatModeler offers automated software that helps coders assess security flaws in their applications prior to launch. For numerous organizations, the other option is depending on specialists called security architects, who examine codebases after they’ve been deployed—a process that can be unwieldy and frequently too late. 

Initially self-funded by founder Archie Agarwal, ThreatModeler secured its first institutional investment in 2024 from growth equity firm Invictus, which acquired a majority stake in the company. Invictus will also be the majority investor in the merged businesses going forward. 

Prior to the acquisition—which closed at the end of 2025—ThreatModeler’s top competitor was Spain-based IriusRisk; ThreatModeler even filed a patent infringement lawsuit against IriusRisk in early 2025. 

Beyond settling the legal dispute, Jones said the deal benefits customers by merging the two platforms—which he characterized as “80%” alike. “We’re going to take the best features from both and integrate them,” he explained. The merged companies will serve roughly 300 customers, most of which are 1000 enterprises like banks and major tech firms, though Jones declined to name specific clients due to security considerations. 

Although ThreatModeler was founded long before ChatGPT’s November 2022 launch sparked the current AI boom, Jones noted that the company has incorporated AI into its processes—including a plan to roll out an agentic product in the second half of next year that can adjust organizations’ threat models as their applications change. 

The downside of AI is that as organizations’ coding capabilities grow, so does their demand for software like ThreatModeler. “The more code that’s produced, the more that requires evaluation,” Jones stated. 

Various jurisdictions—including the U.S., Canada, and the European Union—are also introducing requirements for companies like financial institutions and hardware manufacturers to maintain their own cyberthreat models. 

As potential vulnerabilities multiply, ThreatModeler’s new primary competitors are likely companies using AI to build their own threat modeling solutions. However, Jones said his company’s role includes educating organizations on the importance of strong cybersecurity practices. “If you try to do it on your own, you’re fooling yourself,” he said. “You might think you’re conducting threat modeling, but in reality, you could be increasing your own risk.”