Alan LeFort, CEO & Co-Founder of StrongestLayer – Interview Series

Alan LeFort is a cybersecurity leader with over 15 years of experience building and scaling security products used by Fortune 500 companies. He previously led product and business units at Proofpoint, McAfee, and Intel Security, where he focused on advanced threat protection, insider risk, and behavioral analytics. At Intel, he helped drive product strategy across global markets, leading teams in the U.S., Europe, and Israel. Now as CEO of StrongestLayer, Alan is leveraging that deep enterprise experience to stop AI-powered phishing attacks before they reach users—redefining email security for the AI era.
StrongestLayer is an AI-native email security platform designed to stop advanced phishing and Business Email Compromise attacks. Using its proprietary TRACE engine, it applies large language models, behavioral inference, and contextual analysis to identify malicious emails that traditional rule-based systems miss. The platform integrates quickly with Microsoft 365 and Google Workspace, adds browser protections, and provides AI-driven employee training, offering organizations both strong defense and a more security-aware culture.
What inspired you and your co-founders to start StrongestLayer, and what specific gap in the cybersecurity landscape were you aiming to solve based on your experiences at companies like Proofpoint, FireEye, and Mandiant?
The company evolved with each co-founder’s perspective. It started with Riz, our CTO, recognizing that phishing was becoming too sophisticated for traditional employee training. His insight was that AI-powered customization could fundamentally improve security awareness.
When Josh joined as our Chief Product Officer, he brought the missing piece. While testing our early product, he discovered our AI analysis was detecting complex attacks that established email security vendors were completely missing. That’s when we realized we weren’t just improving training – we were identifying a fundamental gap in threat detection.
I joined as CEO in early 2025 after advising the team, and saw the strategic opportunity clearly: if only AI can defend against weaponized AI, then we needed to rethink not just detection, but how we empower humans in this new reality. The decision was simple – go all-in on AI-native detection and prevention.
Why do you believe email remains such a critical attack vector, especially in the era of generative AI?
Email remains the primary attack vector because it’s the one channel where business context matters most, and generative AI has made exploiting that context trivial.
Traditional email attacks were volume-based and obvious. AI changes the game completely – attackers can now generate personalized emails that understand organizational hierarchies, mimic communication styles, and reference actual business processes. They’re not just sending generic phishing anymore; they’re crafting attacks that feel authentic to specific organizations.
Email is also where trust decisions happen daily. Employees regularly receive requests from vendors, partners, and colleagues that require judgment calls about legitimacy. AI-powered attacks exploit exactly these trust relationships by appearing to come from known entities with plausible requests.
The fundamental challenge is that email security has always been about detecting “bad” technical patterns, but AI attacks look technically good while being maliciously intentioned.
How does StrongestLayer’s LLM-native architecture fundamentally differ from traditional email security solutions?
We built the first LLM-as-master architecture, fundamentally different from vendors who bolt LLM features onto existing pattern-matching systems. The distinction is architectural – the LLM orchestrates the entire analysis process rather than being an add-on module.
Traditional solutions operate like a prosecutor-only court system – they can only hunt for guilt with no mechanism to prove innocence. This creates the classic false positive/false negative tension that can never be solved within a prosecutor-only architecture.
Our breakthrough is dual evidence collection. We break the prosecutor-only paradigm entirely by having every email get its day in court. Our system acts as both public defender and prosecutor, while an impartial LLM judge weighs evidence and renders verdict.
The architecture required completely new infrastructure: LLM-as-master coordination, dual evidence synthesis algorithms, mixture of experts architecture for specialized analysis, and zero-memory architecture for enterprise data privacy. We deliver the reasoning power of a thousand elite analysts with the memory of a goldfish – maximum analytical capability, zero data persistence.
Can you explain how your TRACE (Threat Reasoning AI Correlation Engine) system works and what makes it uniquely effective against AI-powered phishing?
TRACE operates through dual evidence collection that fundamentally changes email security economics.
For every email, we simultaneously run two parallel investigations: public defender evidence collecting normality indicators, and prosecutor evidence collecting threat signals. An impartial LLM judge weighs all evidence to render confident automated decisions.
Take a $50M vendor payment from your CFO during quarterly close. Legacy systems see urgent language, large amount, after-hours timestamp – every pattern screams threat. Email gets quarantined, business disrupted.
Our dual evidence architecture runs parallel investigations: Public defender evidence includes CFO’s communication patterns, vendor’s established relationship, payment within procurement limits, following documented workflows. Prosecutor evidence includes external threat intelligence, communication intent analysis, authority bypass attempts, urgency manipulation patterns.
The LLM judge weighs all evidence. Strong legitimacy indicators outweigh minor threat signals. Email clears automatically with high confidence, business continuity maintained, analysts focus on actual threats.
What makes this uniquely effective against AI attacks is that we focus on stable indicators that persist regardless of attack novelty – business legitimacy patterns and malicious intent patterns remain consistent even when attack methods are completely novel.
With AI now enabling attackers to generate personalized emails at scale, how does your platform stay ahead of these evolving threats?
The key insight is that while AI makes attack generation infinitely scalable, it doesn’t solve the business logic problem for attackers.
AI can craft perfect grammar, mimic communication styles, and reference public information about organizations. But it can’t perfectly understand internal business processes, approval workflows, contract cycles, and relationship dynamics across every organization simultaneously.
Our platform stays ahead by focusing on business reasonableness rather than technical patterns. As AI attacks get more sophisticated in their technical presentation, they often become more desperate in their business logic – creating urgency where none should exist, bypassing normal processes, or requesting actions that don’t align with established relationships.
We also benefit from cross-customer learning without exposing individual customer data. Patterns of business logic abuse are often consistent across organizations, even when the technical implementation varies.
What types of organizations are currently most at risk of AI-enhanced phishing, and how does your platform address their unique challenges?
Organizations with complex vendor relationships and approval processes are at highest risk – particularly financial services, healthcare, and legal firms. These sectors have valuable data, established business processes that attackers can research, and employees who regularly handle sensitive requests.
Mid-market companies face a specific challenge: they have enterprise-level obligations and complexity but without the security staffing or budgets to match. They’re sophisticated enough to be attractive targets but resource-constrained enough that advanced attacks succeed.
Our platform addresses this by automating the business context analysis that would normally require dedicated security analysts. Instead of requiring teams to manually investigate every suspicious request, TRACE provides the reasoning that helps organizations make informed decisions quickly.
We also focus on user experience because these organizations can’t afford solutions that create operational friction or require extensive training.
How does your predictive campaign detection system identify and neutralize fake company websites so quickly?
Our approach combines real-time domain registration monitoring with business context analysis.
We monitor global domain registrations continuously, looking for patterns that suggest impersonation campaigns – similar spelling to legitimate domains, registration timing clusters, and infrastructure patterns consistent with attack preparation.
But the key differentiator is correlating this technical intelligence with business context. When we see domains registered that could impersonate customer vendors or partners, we can predict campaign targets and timing based on business relationships and cycles.
The “neutralization” happens through early warning – we alert customers about potential impersonation campaigns weeks before emails are sent, allowing them to prepare defenses and notify employees about specific threats to watch for.
This pre-campaign detection is only possible because we understand both the technical attack infrastructure and the business context that attackers are likely to exploit.
What were some of the hardest technical problems you encountered while building a truly LLM-native cybersecurity solution?
The hardest problem was building a system that could reason about business context without exposing sensitive organizational data, while proving it worked against novel attacks that legacy systems miss.
We recently had validation when our TRACE system detected a Microsoft 365 Direct Send exploitation attack that both Microsoft’s native security and the market leader completely missed. The attack was published and validated by Dark Reading. It exploited legitimate Microsoft features, used image-based obfuscation, and dynamically personalized phishing pages – completely novel techniques with no historical patterns to match.
The technical challenges were significant: building LLM-as-master coordination that could perform sophisticated reasoning while keeping sensitive data local, avoiding false positive traps when moving from pattern matching to reasoning, and optimizing performance to provide real-time decisions within email flow latency requirements.
But the biggest breakthrough was proving our dual evidence architecture worked in the real world against attacks that stumped established vendors. That validation gave us confidence the architecture could handle whatever novel techniques attackers develop next.
How do you see the threat landscape evolving by 2026–2027, and how are you preparing your platform to meet that future?
By 2026-2027, I expect sophisticated AI-enhanced attacks to become mainstream rather than advanced persistent threat territory. The tools and techniques will become commoditized, dramatically expanding the threat actor pool.
We’ll also see attacks expanding beyond email to all business communication channels – Teams, Slack, mobile messaging. Attackers will orchestrate campaigns across multiple channels, making single-point detection insufficient.
We’re preparing by building TRACE as a reasoning engine that can be applied to any business communication channel. The core technology – understanding business context and intent – isn’t email-specific. We’re also investing heavily in cross-channel correlation capabilities.
The other major shift will be attacks that exploit AI adoption within organizations. As companies deploy AI tools for business processes, attackers will target those integrations and data flows.
What lessons have you learned so far from real-world deployments, and how have those shaped your product roadmap?
The biggest lesson is that novel attacks validate our architectural approach in ways we couldn’t have predicted. When our TRACE system detected the Microsoft 365 Direct Send exploitation attack that both Microsoft and the market leader missed, it proved our thesis that reasoning beats pattern-matching against truly novel techniques.
We learned that user experience matters more than we initially realized, but not in the way we expected. Security teams don’t just want accurate detection – they want to understand why the system made decisions. Our dual evidence approach helps because analysts can see both the prosecutor and public defender evidence that led to the LLM judge’s verdict.
We also discovered that novel attack detection creates competitive advantages we hadn’t anticipated. When we published the Direct Send analysis that Dark Reading validated, it established technical credibility in ways that marketing claims never could. Prospects realized we weren’t just claiming to detect unknown threats – we were proving it with documented cases where established vendors failed.
These lessons shaped our strategy around transparency and technical validation. Our roadmap now emphasizes not just detection capabilities but the ability to explain reasoning and share threat intelligence with the broader security community.
Where do you see StrongestLayer in the next two to three years, and what’s the long-term vision for the company?
In the next two years, I see us becoming the reasoning engine that protects all business communication – not just email, but Teams, Slack, mobile messaging, and emerging channels.
The technical foundation we’ve built with TRACE – understanding business context and intent – applies beyond email security. As organizations adopt more communication channels and AI tools, they need consistent protection that understands business logic across all platforms.
Long-term, our vision is to be the intelligence layer that helps organizations communicate confidently in an AI-powered world. Instead of security being a barrier to communication, we want to be the system that enables businesses to adopt new communication technologies safely.
The ultimate goal is reaching a point where organizations don’t think about email security as a separate problem – it’s just built into how business communication works, protecting them automatically while enabling productivity.
Thank you for the great interview. Readers who wish to learn more should visit StrongestLayer.