Picture of Marie Brattberg, CSO at Recorded Future


May 24, 2024

The scaleup helping 40 countries with cyber defence: ‘The new AI malware is like Ebola’

Recorded Future's first VC-backer was the investment arm of the CIA

Mimi Billing

6 min read

In the era of generative AI, the cybersecurity threat government agencies, companies and society face is ramping up. Malware, deep fakes and disinformation campaigns have all become cheaper and easier for cybercriminals to create.

Despite that, in 2023, the investments in cybersecurity in Europe decreased by one-third from the previous two years, from almost €2bn to €1.3bn.

Cybersecurity companies are fighting back nonetheless — and also turning to GenAI to keep up with the criminals.


One of those is the Swedish-American scaleup Recorded Future, which works with 40 governments on defence as well as many more large enterprises.

“We have no other options but to adopt AI as soon as possible as that's what the antagonists are doing,” says Marie Brattberg, chief strategy officer. “Generally, AI follows an exponential development curve — if we pause development, adversaries get an exponential lead and we’ll never be able to catch up,” she says.”

“So far, AI is still pretty good at determining what is developed by AI, but it's like an arms race.”

Using AI against AI

Cyberattacks cost the global economy an estimated $8tn in 2023 and it is expected to rise to $10.5tn by 2025, according to Cybersecurity Ventures. With GenAI making it easier to create deep fakes, phishing scams and disinformation campaigns, the work to fight cybercrime means a lot of development in AI for cyber defence companies.

Recorded Future has been using machine learning and natural language processing to combat cyber threats since it launched in 2010. It is also using large language models to speed up the response to an attack on a customer’s system.

As soon as OpenAI released ChatGPT, Recorded Future met up with the company and was one of the first to implement a decreased time for analysing a cyber attack, says Brattberg.

Instead of having a person investigate a breach or attack and write up an analysis for the customer, which could take hours or days — with GenAI the same work is done in minutes. With Recorded Future’s GenAI assistant, launched earlier this year, users can get notified and take action in real-time against converging threats across cyber, physical and influence operations domains.

AI can be used to build malware that works similar to some human viruses

Apart from disinformation and deep fakes, AI is also changing malware attacks.

“AI can be used to build malware that works similar to some human viruses,” says Brattberg. “They don’t look dangerous, but once inside a system, they transform and adopt systems-specific capabilities. A little bit like Ebola.”

To identify security threats, Recorded Future’s software scans the open internet and the "dark web". It creates a digital shield around its customers’ systems which detects if someone has tried or succeeded in making an entry. The threat data — from domain name systems (DNS), IPs, news and blogs, or closed dark web forums — is then structured and analysed. Its customers can then get signals depending on where they are based, which industry they are in, which infrastructure and products they use and which products they are connected to.

Brattberg can’t mention individual customers but — given the company’s annual price point of around €100k — it’s mainly large corporations that can afford it. However, as part of its supply chain risk product for its customers, it keeps track of and delivers security scores on 5m companies in real time.


Getting its first funding from the CIA's investment arm

Christopher Ahlberg, Staffan Truvé and Erik Wistrand founded Recorded Future in Gothenburg in 2009. A couple of years earlier, in 2007, Ahlberg and Truvé had sold their first startup, the analytics platform Spotfire, for about €150m to American company TIBCO.

The founders built a prototype of Recorded Future in “a virtual garage” — with the founders being based both in Gothenburg and the US — and in 2009, the startup secured its first investment of $2.2m from GV (Google Ventures), IA Ventures and In-Q-Tel, the investment arm of the CIA.

The company split its location to focus its engineering efforts in Gothenburg. Ahlberg said in an interview with local media in 2019 that people are as talented in the Swedish city as in the US — but more loyal.

It’s since grown to employ more than 850 people globally, opening offices in Dubai, Singapore, Tokyo, London and Washington. The company has an annual recurring revenue above $300m.

Sweden’s most secret startup

Recorded Future is, however, often described as “Sweden’s most secret startup”.

The reason may be that it hasn’t completed the VC rounds that other well-known startups have done, says Brattberg, who joined Recorded Future in 2013.

“We never adopted the trend to hyperscale through high valuation/investment, instead we’ve been careful with spend and financed our own growth. We’ve been profitable over the last couple of years.”

“Of course, in previous years, people have questioned that choice — they didn’t always agree with why we didn’t want to invest more in fast growth. But now, with the financial crunch, we look pretty smart,” she says.

Recorded Future had raised a total of $56m when in 2019 the US investor Insight Partners bought a majority stake in the company for $780m, buying out all previous investors. The founders and employees kept their shares in the company and the company is run as it was before, says Brattberg: “We have the freedom to act as we see fit.”

And with the heightened risk of cybercrime, the company is busier than ever.

Security of state

Large enterprises make up about 80% of Recorded Future’s customer base, although the company also works with governments. Ukraine is one of them, which Recorded Future is helping.

When an attack on national defence occurs, Recorded Future can find out which nation-state the incident came from, the sub-group within that nation, and the infrastructure they used. One of its recent findings, published in February, was that “a threat actor likely operating on behalf of Belarus and Russia [was] conducting cyber-espionage” against several governments including Georgia, Ukraine and Poland.

“When speaking of the threats of cyber, it can’t be done in isolation. They are linked to other vectors, disinformation as well as physical threats - like, bombings. The most sophisticated adversaries synchronize their attacks, and this has been very clear in the case of Ukraine,” says Brattberg.

“Partnering with Ukraine has been an incredible way for us to live our mission as a company.”

The company’s work in Ukraine has led to an increased interest from other European governments, says Brattberg. In January last year, Belgium announced Recorded Future as a cybersecurity partner.

With half of the world set to vote in national elections this year, it could sign up several new government customers keen to tackle disinformation.

“The volume and sophistication of disinformation will be very high,” says Brattberg.

Mimi Billing

Mimi Billing is Sifted's Europe editor. She covers the Nordics and healthtech, and can be found on X and LinkedIn