IRONSCALES, Anthropic, and What it Means for the Future

For as long as there has been email security, attackers (the bad guys) have moved faster than the people defending against them (the good guys). They iterate in the open, trade techniques in public forums (inside and outside the dark web), and build on each other’s tooling without the safety constraints that legitimate defenders operate within. The gap was structural rather than accidental, and it widened every year because the architecture of the contest favored speed over guardrails.

Anyone who has worked inside a SOC or spent time in the threat analyst chair has felt this contradiction. You watch a new attack pattern surface on a Monday morning and by Friday afternoon it is in inboxes across your customer base, while your vendor’s detection model is still waiting on the next quarterly release to catch up.

The defender community has always moved at the pace of patch cycles, threat-intel feeds, and procurement committees, while the adversary moves at the pace of curiosity and code. That mismatch has shaped two decades within email security, and it is the reason the industry has spent so much time arguing about whether defense is even winnable as a category.

What changed over the past several weeks is not an incremental tooling upgrade or a new feature release from one of the legacy vendors. It is a shift in who can legitimately access the most capable AI on the planet, and on whose behalf.

Anthropic Recognized Our Vision and Verified It

Anthropic’s Cyber Verification Program (CVP) grants sanctioned access to frontier AI capabilities specifically designated for adversarial defense work. As Anthropic has tightened safeguards across its frontier models, those capabilities have moved behind an application process designed to keep them out of the hands of unverified actors. For the first time in the history of email security, advanced AI is gated on the side that matters (the good guys).

IRONSCALES is the first email security vendor verified under CVP. Not among the first. The first. I want to spend a moment on what that actually means, because the credential is just a part of the bigger picture we should discuss.

Anthropic surveyed the email security market and decided to extend access to our platform based on criteria and vision. AI-driven and API-native. Yes. Agentic protection layered on top of community-driven defense. Check. A forward-looking framework for handling AI-generated attacks while most of the industry was still trying to convince its customers that AI-generated attacks were real. Absolutely.

Our Phishing 3.0 framework, the Adaptive AI that has trained on real customer telemetry across the 17,000+ organizations we protect, the community intelligence network that already turns every detected attack into a shared lesson, and our new agentic posture are the work that earned this recognition. The credential follows from the vision rather than the other way around.

For anyone who has watched where IRONSCALES has put its R&D over the past decade, this is not a pivot or a marketing repositioning, but a confirmation of our approach. That decision is a statement about us, and a statement about which architectural choices the next era of email security will reward.

Defenders Now Have AI More Advanced Than Attackers

Threat actors work with what they can scrape from open-source repositories and what they can pay for from uncensored model providers. To be fair, those tools have grown impressively capable over the past two years, as anyone working in a SOC will tell you. The fact of the matter remains: the most advanced models are still gated by their developers, and those gates are getting reinforced with concrete. The landscape is starting to shift.

IRONSCALES, through CVP, now operates on the other side of those gates. We are using sanctioned frontier AI models to drive adversarial simulation at a level the adversary cannot legitimately reach.

We are wiring that capability directly into the Red Teaming Agent and the Phishing Simulation Agent, with the output flowing into the detection models that ride underneath them. The downstream effect is incredibly powerful. Simulations that mirror what a sophisticated attacker would actually send rather than a templated facsimile of one. Phishing tests that target your CFO in their voice against the specific vendor relationships your organization actually uses, in the language your people actually write in. Detection models hardened against attacks generated by AI more capable than anything in the adversary’s toolkit.

The asymmetry that has been running the wrong way for two decades has finally inverted, and we are using the inversion the way it was always meant to be used, by training defenders against the harder version of the attacker rather than against the recycled history of attackers past.

When Verified Access Feeds a Threat Intelligence Community

A credential by itself is a press release that ages quickly. Plugged into a community of 35,000+ security professionals across 17,000+ organizations, it becomes a repeatable process that is difficult to replicate by other vendors.

Every adversarial run we execute under verified access feeds back into our Adaptive AI and into the IRONSCALES Crowdsourced Threat Intelligence network. The data does not sit in a repository until it’s actioned. It is incorporated into the detection pipeline within the next training cycle, enriching the behavioral baselines our models have built across the organizations the platform already protects and sharpening the social graphs that flag impersonation attempts before they reach the inbox.

The new data also gives Themis, our agentic SOC layer, a richer set of attack patterns to reason over when it is deciding what to quarantine, what to escalate, and what to remediate without human intervention. The Red Teaming Agent contributes the offense side of the loop, the Phishing Simulation Agent contributes the training side, and the Phishing SOC Agent closes the loop by acting on what the other two have taught the system.

The compounding effect is the point. The longer an organization stays with IRONSCALES, the wider the gap between what our network has seen and what an unverified vendor can ever see, because frontier-grade adversarial data is reinforcing models that were already learning faster than the rest of the market. Defenders, in this architecture, share insight with each other faster than attackers can share techniques with each other, which is the monumental shift I want to highlight in this blog.

CVP did not invent this architecture. What it did was make it more powerful and accelerate the rate at which it compounds.

The Work Inside Our Platform Is What Compounds

I’d be lying through my teeth if I told you we will be the only email security vendor in this program for long. Other email solutions will join, and we want them to be included. A defender-only program with a single participant is a marketing line, while a defender-only program with a half-dozen serious participants is the beginning of a new category in cybersecurity. What matters is not whether IRONSCALES has a credential nobody else has. What matters is what we build during the window when most vendors do not yet have one.

The next wave of the IRONSCALES platform is being designed on top of the most advanced frontier AI models, not retrofitted around safeguards the rest of the market has to navigate around, and that distinction changes the architecture of what becomes possible. We are extending preemptive defense across the Phishing 3.0 attack surface to anticipate not just the email that arrives in the inbox but the meeting invite, the voice call, and the deepfake that follows it.

We are expanding Themis with frontier-grade reasoning so that the agentic SOC can investigate at the depth of a senior analyst across a higher volume of incidents than any human-staffed team could match. We are using OSINT reconnaissance generated by frontier-grade LLMs to build hyper-personalized simulations that no template library will ever match. 

The advantage is not the credential itself. It is what the credential lets us build during this window, and what that build compounds into a year from now, three years from now, and so on.

Protect Today and Innovate for Tomorrow

If you take one thing from this piece, take this. Verification is not a logo for the footer of a sales deck or a chip to play in a competitive cycle. It is an operational advantage that compounds inside the product, and a community that gets meaningfully stronger every time a CVP-cleared run feeds the network. It is also a roadmap accelerating into territory the rest of the market is structurally blocked from delivering until this program expands.

A new category is forming in cybersecurity, and Anthropic, by verifying IRONSCALES under CVP, has helped articulate what it looks like to be a defender that frontier AI labs trust to operate at this capability level. Within the next eighteen months, I expect to see procurement teams adding 'verified by a frontier AI lab' to their evaluation rubrics, and that language working its way across security companies. Analyst firms will create a new sub-segment. You all know the drill.

IRONSCALES will be ready for the question when it arrives, because we will have spent the window doing the work that makes the answer matter.

If you’d like to read more about our participation in the Anthropic CVP, be sure to read the press release linked below. I look forward to sharing more as we head down this new path.

You can find the full press release: Here