International Finance

Start-up of the Week: Anagram’s cutting-edge approach to cybersecurity training


As per the latest EY and Institute of International Finance (IIF) bank risk management survey, banks worldwide are facing pressure on the cybersecurity front in addition to geopolitical risks. Cybersecurity has emerged as the long-term primary concern, and it remains the primary near-term concern as well, with 75% of Chief Risk Officers (CROs) agreeing that it is the chief risk over the next 12 months.

While companies are adopting strategies such as making it mandatory for their employees to complete yearly cybersecurity training courses, human-driven cybersecurity breaches continue to occur. The situation could worsen in the coming days as generative AI increases the scale and personalisation of social engineering campaigns. To address this challenge, Anagram, formerly known as Cipher, is taking a new approach to employee cybersecurity training that the start-up hopes will keep pace with the evolving nature of these social engineering campaigns.

In today’s edition of the “Start-up of the Week,” International Finance will delve into the New York-based venture, which is now known for its virtual platform that offers hands-on security training for enterprises. This method includes bite-sized videos and personalised interactive puzzles designed to teach employees how to spot suspicious emails and communications. These training sessions are frequent and engaging, as opposed to the current standard of a once-yearly, lengthy training session. In this way, businesses and their employees stay updated on the latest trends in the world of cybercrime.

A Game-Changing Training Method

According to Harley Sugarman, founder and CEO of Anagram, the training activities primarily include tasks such as having employees create their own personalised phishing emails, which, in turn, teach them how to identify sophisticated campaigns aimed at them.

“We took very little, in fact, basically no inspiration from the existing stuff out there. What we really took were lessons from TikTok, Duolingo, and Khan Academy. We looked at these platforms that have done really well engaging and changing user behaviour outside the security space, and we asked ourselves, ‘OK, how can we apply those lessons within security?’” Sugarman explained to TechCrunch, highlighting what differentiates Anagram’s cybersecurity training from existing methods.

Harley Sugarman, a computer science professional, initially sought to apply the cybersecurity industry’s “capture the flag” training approach to upskill enterprise cybersecurity employees. This training method involves building software with vulnerabilities and having security researchers find the bugs and figure out how to write code without falling into the same traps.

That initiative evolved into Cipher in 2022 and gained some traction. However, Harley Sugarman faced another challenge: chief information security officers (CISOs) told him that their businesses had a bigger security issue they were looking to tackle—their non-security employees. He said CISOs described their employees as their weakest cybersecurity link.

“What sort of surprised me was actually just the amount of hopelessness I heard in their voices. This was an unsolvable problem for them,” Sugarman said.

Cipher then scaled up in January 2024 to focus on solving that problem. In 2025, the venture changed its name to Anagram to reflect its new focus and is winding down its original product. In addition to strong growth following its rebranding, Anagram has secured high-profile clients, including Thomson Reuters, MassMutual, and Disney, among others.

In February 2025, Anagram raised a $10 million Series A round led by Madrona, with participation from General Catalyst, Bloomberg Beta, and Operator Partners, among others. The company now plans to use the funds to expand its sales team and continue improving the product. Sugarman said that so far, the start-up has been able to reduce client companies’ phishing failure rates from 20% to 6%, but the goal is to continue moving closer to zero.

Understanding The Method In Detail

According to Harley Sugarman, Anagram launched its product at a pivotal moment for the cybersecurity industry. As generative AI advances, so do personalised social engineering campaigns, which can make it more difficult for people to distinguish between what is real and what isn’t.

“I think the side effect of that is that traditional email security platforms are actually going to have a much harder time detecting these AI-generated phishing attempts. The ability to generate and randomise is just so strong, and it’s really difficult, from an engineering perspective, to defend against that,” Sugarman explained.

To address this challenge, Anagram has divided its hands-on security training into two parts: “Security Awareness Training” and “Developer Training.” The first part operates under the motto “Bite-Sized Lessons, Big Results.” The start-up describes this approach as “quick, real-world training that leverages the science of learning so your (business’s) employees know how to spot and stop an attack.”

“Security Awareness Training” launches phishing simulations within minutes using Anagram’s best-in-class templates (even assisting companies in building their own campaigns). It also integrates a company’s cybersecurity policies directly into the training method, ensuring that everyone understands the rules and stays safe.

When it comes to combating cybersecurity threats, employees within a company—just like their varied roles and responsibilities—face different threats and challenges. To address this, Anagram offers both general and topic-specific modules so users can create programmes relevant to their operational needs.

Every October, the start-up offers a gamified “Awareness Month Programme” for companies. However, the most distinctive aspect of the “Security Awareness Training” is its content library, which covers cybersecurity challenges such as business email compromise, coding with AI, handling sensitive data, detecting deepfakes, holiday scams, insider threats, tax scams, sharing data externally, social engineering, wire fraud, and more.

Regarding “Developer Training,” the start-up focuses on real-world scenarios, whether protecting secret keys, tackling API vulnerabilities, or preventing software supply chain attacks. The training also includes interactive sandboxes where software developers and website builders can learn security best practices in a safe, realistic environment.

Since the threats developers face are constantly evolving, Anagram uses examples pulled from actual vulnerabilities and breaches, so developers can learn how to tackle the issues they are most likely to encounter.

The training method, which is updated multiple times a year to keep up with the ever-changing cyber landscape, covers topics such as SQL injection, managing secrets, broken access control, cross-site scripting (XSS), validating API design, cryptographic failures, insecure logging and monitoring, avoiding outdated components, protecting backups, detecting SSRF, securing cloud infrastructure, and ensuring software and data integrity.

The Road Ahead

Anagram is currently working on developing an AI agent that will be embedded in enterprise employees’ emails and will be trained to flag potential cybersecurity slip-ups before they happen.

According to Sugarman, the agent will be able to intervene by asking employees whether they really want to send their credit card information over email, among other similar safeguards.

Last but not least, Anagram is also currently partnering with renowned industry leaders, including Steve Zalewski (Levi Strauss), Lena Smart (MongoDB), Tim Youngblood (McDonald’s, T-Mobile), David Cross (Atlassian, Oracle), and Andrew Wilder (Nestlé). These collaborations underscore Anagram’s commitment to driving innovation and delivering impactful security solutions.

By blending customised microlearning with real-time security scenarios, the platform has disrupted cybersecurity training in a positive way. This approach has attracted the attention of leading global enterprises, including several from the Fortune 500. Expect the start-up to make even more waves in the coming days.
