When Ed Bellis helped build Kenna Security, the startup that brought data-driven thinking to vulnerability management, the biggest breakthrough was in their mindset: prioritization was the future. More than a decade later, Bellis says that model still doesn’t go far enough. “Security is deeply contextual,” he wrote. “What’s high-risk for one organization might be irrelevant for another.” That’s the premise behind Empirical Security.
The Chicago-based startup, which just raised $12 million in seed funding led by Costanoa Ventures, with participation from DNX Ventures, Sixty Degree Capital, and several strategic angels, builds machine learning models that learn from a company’s actual security environment: its data, systems, and internal telemetry. Co-led by Bellis, Michael Roytman, and Jay Jacobs, all former Kenna Security leaders and the creators of the Exploit Prediction Scoring System (EPSS), Empirical says that local models can outperform the generic, one-size-fits-all systems that most companies rely on today.
“Today’s cyber attacks are custom-built using AI and your own infrastructure against you,” Roytman, now CTO of Empirical, said. “Defending with generic, one-size-fits-all models is a start, but only custom, localized models, trained on your data and environment, can close that gap.”
Bellis, who took over as CEO of Empirical, described the new venture as a continuation of the same mission he’s worked on for decades: using data, not assumptions, to drive security decisions. “The next frontier isn’t just more data, it’s more relevant data, more adaptive models, and more context-aware decisions,” he wrote in a company blog post announcing his move to Empirical.
A Split-Model Architecture
Empirical Security’s product is a dual-model architecture. The first layer is the EPSS model, which the team also developed: it predicts the probability that a given vulnerability will be exploited in the wild within the next 30 days. The company says EPSS has been adopted by over 120 vendors.
But the company’s claim to differentiation lies in its second layer: local models trained on a customer’s own infrastructure, asset data, threat telemetry, and historical incidents. These models are not shared or reused across clients. Instead, each instance adapts specifically to an enterprise’s internal environment and operational constraints. The result, the company says, is threat prioritization that reflects actual risk, not just statistical probability.
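To make the split concrete, here is an added illustration of the idea (example code written for this article, not Empirical’s product or the EPSS model itself): a small logistic regression fitted on an organisation’s own incident history, with the global EPSS probability as one input beside local context such as internet exposure and asset criticality. All finding ids, scores and incident labels are constructed, and the local features are assumptions chosen for the example.

```python
import math

# Constructed local history: (epss, internet_exposed, asset_criticality, had_incident).
# Ids, probabilities and labels are made up for the example.
LOCAL_HISTORY = [
    (0.10, 1, 0.5, 1), (0.30, 1, 0.9, 1), (0.05, 1, 0.3, 1), (0.60, 1, 0.7, 1),
    (0.20, 1, 0.8, 0), (0.40, 1, 0.2, 1), (0.90, 0, 0.9, 0), (0.80, 0, 0.4, 0),
    (0.50, 0, 0.6, 0), (0.95, 0, 0.2, 0), (0.30, 0, 0.9, 1), (0.70, 0, 0.5, 0),
]
# Open findings to prioritise (constructed): id -> (epss, internet_exposed, asset_criticality)
OPEN_FINDINGS = {"VULN-A": (0.92, 0, 0.9), "VULN-B": (0.15, 1, 0.6), "VULN-C": (0.50, 0, 0.3)}

def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def _dot(w, epss, exposed, crit):
    # Feature vector: bias, global EPSS score, local exposure, local criticality
    return w[0] + w[1] * epss + w[2] * exposed + w[3] * crit

def train_local_model(history, epochs=3000, lr=0.5):
    # Logistic regression fitted on this organisation's own incidents by
    # full-batch gradient descent; weights = [bias, epss, exposed, crit].
    w = [0.0] * 4
    for _ in range(epochs):
        grad = [0.0] * 4
        for epss, exposed, crit, label in history:
            err = _sigmoid(_dot(w, epss, exposed, crit)) - label
            for i, xi in enumerate((1.0, epss, exposed, crit)):
                grad[i] += err * xi
        w = [wi - lr * g / len(history) for wi, g in zip(w, grad)]
    return w

def local_score(w, epss, exposed, crit):
    # Local probability of an incident, given the global score plus context.
    return _sigmoid(_dot(w, epss, exposed, crit))

def rank_by_epss(findings):
    # Baseline: order purely by the global, one-size-fits-all score.
    return sorted(findings, key=lambda k: findings[k][0], reverse=True)

def rank_by_local_model(findings, w):
    # Order by the model trained on local history instead.
    return sorted(findings, key=lambda k: local_score(w, *findings[k]), reverse=True)

if __name__ == "__main__":
    w = train_local_model(LOCAL_HISTORY)
    print("EPSS-only order  :", rank_by_epss(OPEN_FINDINGS))
    print("local-model order:", rank_by_local_model(OPEN_FINDINGS, w))
```

In this constructed history incidents track internet exposure far more than the global score, so the locally trained model promotes the exposed, low-EPSS finding that the EPSS-only ordering would leave at the bottom.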
Empirical enters a cybersecurity landscape that’s already crowded with AI-enabled platforms and predictive scoring tools. Larger players like Palo Alto Networks and CrowdStrike are building or acquiring AI capabilities at scale, while companies such as Tenable and Qualys continue to push enterprise risk frameworks based on global heuristics.
Empirical’s bet is that explainability and relevance, particularly in regulated or resource-constrained sectors, will outweigh raw detection volume. Its success will depend on whether local models can consistently outperform established benchmarks without introducing new operational complexity.
“We backed Ed, Michael, and Jay at Kenna, where they pioneered the risk-based vulnerability management movement,” said John Cowgill, general partner at Costanoa. “With Empirical, they’re doing it again, but replacing generic risk scores with local AI models that tailor scores to each enterprise.”
The company is also offering enterprise support for its EPSS model, including UI, API access, and hourly score updates. But its value proposition hinges on adoption of its local model approach. Still, the pedigree behind Empirical’s founding team gives it credibility among early adopters.