Human error remains the primary driver of cybersecurity breaches, a vulnerability set to worsen as generative AI empowers attackers to craft highly personalized social engineering campaigns. To combat this, New York-based startup Anagram (formerly Cipher) has launched a gamified training platform designed to replace ineffective, once-a-year compliance sessions with continuous, interactive learning.
Beyond Traditional Compliance
Anagram’s approach moves away from long, static training videos. Instead, the platform utilizes bite-sized content and interactive puzzles inspired by the engagement models of TikTok, Duolingo, and Khan Academy. By teaching employees to spot suspicious communications through frequent, hands-on tasks—such as requiring staff to create their own phishing emails—the company aims to fundamentally change user behavior.
Harley Sugarman, founder and CEO of Anagram, explains that the strategy ignores traditional industry standards in favor of proven engagement tactics. “We looked at platforms that have successfully changed user behavior outside of the security space and applied those lessons to our training,” Sugarman noted.
From Capture-the-Flag to Enterprise Defense
The company’s shift to its current model follows a strategic pivot. Originally launched as Cipher in 2022, the startup initially focused on “capture the flag” exercises to upskill dedicated cybersecurity professionals. However, feedback from CISOs highlighted a more critical, systemic pain point: the general workforce.
“CISOs described their employees as the weakest link, and there was a sense of hopelessness that this was an unsolvable problem,” Sugarman said. Recognizing this demand, the company rebranded as Anagram in January 2024 to focus exclusively on enterprise-wide behavioral training. The pivot has already attracted high-profile clients, including Thomson Reuters, MassMutual, and Disney.
Scaling Impact and Future AI Safeguards
Anagram recently secured $10 million in Series A funding, led by Madrona with participation from General Catalyst, Bloomberg Beta, and Operator Partners. The capital is earmarked for sales expansion and product development. According to the company, its training has already reduced phishing failure rates among client employees from 20% to 6%, with a goal of approaching zero.
As generative AI makes social engineering attacks increasingly difficult to detect through traditional email security filters, Anagram is also developing an AI-powered agent. This tool will integrate directly into employee email workflows, providing real-time safeguards—such as alerts when a user attempts to send sensitive information like credit card numbers—to prevent breaches before they occur.
“Humans are not dumb,” Sugarman said. “We can figure out how to not click on a suspicious link. We just need the right tools to adapt to the new reality of AI-driven threats.”
