When we led EclecticIQ's seed round in early 2019, the threat intelligence platform market was going through a definitional crisis. The term "threat intelligence" had been colonised by vendors selling essentially a feed subscription: a list of malicious IPs, domain blocklists, and STIX/TAXII bundles that security operations teams could ingest into their SIEM. The value proposition was real but narrow — blocking known-bad indicators at the perimeter. What it was not, despite the marketing language, was intelligence. Raw indicators without adversary context, without campaign tracking, without the ability to reason about attribution and likely next moves, are data, not intelligence. It is the difference between a security guard memorising a watch list and a trained analyst who can look at a new piece of malware and say: this TTP fingerprint looks like the cluster we have been tracking since Q3, and they typically pivot to domain controller enumeration within forty-eight hours of initial access.
EclecticIQ's founding team understood this distinction at a technical level that was unusual for a commercial security company at the time. Their platform was built around structured threat intelligence in STIX 2.0 format — the OASIS standard for representing adversary campaigns, indicators, TTPs, and relationships — with a data model that could represent not just individual indicators but entire threat actor knowledge graphs. When we ran our technical diligence in early 2019, we spent two days working through their architecture with their engineering team. What struck us was the deliberateness of the graph structure: threat objects and their relationships were first-class citizens in the data model, not an afterthought bolted onto a feed aggregation engine. A security analyst could traverse from a file hash to the malware family it belonged to, to the actor group that deployed it, to the campaigns that group had run, to the industries targeted in those campaigns — all within a single query context.
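The pivot chain described above, sketched as an added example over a small in-memory graph. This is not EclecticIQ's code or query interface; every object, name, id and hash below is constructed, and the ids are shortened from the type--UUID form that STIX uses.

```python
from collections import defaultdict

SAMPLE_HASH = "ab" * 32  # constructed SHA-256 value, not a real indicator

# Constructed STIX 2-style objects (assumption: only the fields the walk needs).
OBJECTS = {o["id"]: o for o in [
    {"id": "indicator--1", "type": "indicator",
     "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
    {"id": "malware--1", "type": "malware", "name": "ExampleLoader"},
    {"id": "intrusion-set--1", "type": "intrusion-set", "name": "Example Group"},
    {"id": "campaign--1", "type": "campaign", "name": "Example Campaign A"},
    {"id": "campaign--2", "type": "campaign", "name": "Example Campaign B"},
    {"id": "identity--1", "type": "identity", "sectors": ["financial-services"]},
    {"id": "identity--2", "type": "identity", "sectors": ["energy"]},
]}

# Relationship objects reduced to (source_ref, relationship_type, target_ref).
RELATIONSHIPS = [
    ("indicator--1", "indicates", "malware--1"),
    ("intrusion-set--1", "uses", "malware--1"),
    ("campaign--1", "attributed-to", "intrusion-set--1"),
    ("campaign--2", "attributed-to", "intrusion-set--1"),
    ("campaign--1", "targets", "identity--1"),
    ("campaign--2", "targets", "identity--2"),
]

# Index every edge in both directions so a pivot can follow or reverse it.
EDGES = defaultdict(set)
for src, rel, dst in RELATIONSHIPS:
    EDGES[(src, rel, "out")].add(dst)
    EDGES[(dst, rel, "in")].add(src)

# hash -> malware family -> actor group -> campaigns -> targeted identities
PIVOTS = [("indicates", "out"), ("uses", "in"), ("attributed-to", "in"), ("targets", "out")]

def pivot_from_hash(sha256):
    """Return the set of object ids reached at each step, starting from a file hash."""
    frontier = {oid for oid, o in OBJECTS.items()
                if o["type"] == "indicator" and sha256 in o["pattern"]}
    steps = [frontier]
    for rel, direction in PIVOTS:
        frontier = {n for oid in frontier for n in EDGES.get((oid, rel, direction), ())}
        steps.append(frontier)
    return steps

def targeted_sectors(sha256):
    """Sectors of the identities targeted by campaigns linked to the hash."""
    return sorted({s for oid in pivot_from_hash(sha256)[-1] for s in OBJECTS[oid]["sectors"]})

if __name__ == "__main__":
    for step in pivot_from_hash(SAMPLE_HASH):
        print(sorted(step))
    print(targeted_sectors(SAMPLE_HASH))
```

Two of the four pivots run against the direction in which the relationship is stored (the actor "uses" the malware, the campaign is "attributed-to" the actor), which is why the edges are indexed both ways.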
The operational scenario that made this architecture compelling was one we encountered repeatedly in financial services diligence conversations that year. A Dutch tier-two bank's threat intelligence team — typically three to five people covering a complex environment — is ingesting indicators from a commercial threat feed, ISAC sharing, sector-specific information from FS-ISAC, and their own internal telemetry. The problem is not data volume; it is correlation. An indicator from one source may overlap with a campaign tracked differently by another source, with no automated way to resolve the relationship. Analysts spend a disproportionate share of their time deduplicating and normalising intelligence rather than producing analytical judgement. EclecticIQ's platform addressed this by treating relationship inference as a core platform function rather than a reporting add-on.
We should be direct about what we did not know at the time of investment. We were not certain how quickly the market would move from indicator-centric to actor-centric threat intelligence. In 2019, most procurement conversations were still anchored to feed quality and SIEM integration capability — the question was how many indicators per day, not how this helps analysts understand adversary behaviour. The shift toward actor-centric reasoning required a maturation in buyer sophistication that we believed was coming but could not time. This is a genuine risk we accepted, and it is worth naming because it illustrates how early-stage technical investment in security requires a thesis about market education as much as technical differentiation.
What Fund I taught us — and EclecticIQ was the clearest example — is that the defensible security infrastructure companies are those that build around a workflow that analysts actually want to sit in. The technical architecture matters enormously, but it is meaningless if the product creates friction in the investigation loop. EclecticIQ's team had this right: the graph traversal experience was designed around how an analyst reasons through a chain of evidence, not around how the data is stored. That alignment between cognitive workflow and data architecture is one of the pattern-matching heuristics we now apply in early diligence across every platform investment we evaluate.