What do they actually do
Cotool is a hosted platform for security operations teams that combines an AI chat “copilot” with a no‑code agent builder. The copilot pulls context from your connected security tools during investigations, and you can turn successful chats or recorded steps into reusable automations (“agents”) you can test, schedule, or trigger on events (homepage/features; Getting started; Creating Agents).
It integrates with typical SecOps systems like SIEMs, EDRs, ticketing, and threat intel. A common flow is: connect tools and set granular access, use the copilot to triage or investigate, convert to an agent, test/refine in the builder, then run it on a schedule or trigger. Agents can auto‑enrich alerts, run hunts, update tickets, and generate incident reports (What is an Agent?; Creating Agents; Use cases).
The company is early (YC Spring 2025) with a small set of design‑partner SOCs/private beta users. Their engineering posts show active work on agent evaluation and context management for logs to improve reliability before broader rollouts (YC profile; Specter Insights; Evaluating AI Agents; Context Management).
Who are their target customer(s)
- Tier‑1 SOC analyst (alert triage): Drowns in alerts and spends time manually pulling context from multiple tools; needs faster, reliable enrichment and help deciding what to escalate.
- Incident responder (investigation/containment): Manually pivots across consoles to gather evidence and write reports, which slows containment; needs one place that assembles relevant data and can turn repeatable steps into automations.
- Threat hunter / continuous monitoring: Runs recurring hunts with scripts and manual scheduling; needs reliable automation that can be tested and run on schedule or event triggers.
- Detection engineer / automation owner: Maintains detections and playbooks but lacks time and safe tooling to test automations end‑to‑end; needs a low‑code builder with controlled permissions and staging.
- SOC manager / small security team lead: Must reduce mean time to detect/respond and show measurable impact without adding headcount; needs standardized investigations, less repetitive work, and clear time‑savings metrics from pilots.
How would they acquire their first 10, 50, and 100 customers
- First 10: Run 5–10 high‑touch pilots with design‑partner SOCs via YC intros and private beta, install connectors, co‑build 2–3 production agents per team, and measure time saved to produce 2 case studies and reusable templates (YC profile; Use cases).
- First 50: Publish a template library and onboarding guides, host targeted webinars for IR/detection owners, and convert inbound from engineering/benchmark posts into 30–90 day paid trials (Creating Agents; Evaluating AI Agents).
- First 100: Launch integration/partner programs with major SIEM/EDR/ticketing vendors and MSSPs, list in marketplaces, add enterprise controls (permissioning, audit logs), a community agent marketplace, and an ROI dashboard to compress procurement (Creating Agents).
What is the rough total addressable market
Top-down context:
Adjacent categories frame the spend: SOAR is roughly a low-single-digit-billion market in 2025 (e.g., ~$2.0B–$3.0B), SIEM is ~$8.6B by 2025, and broader security automation is ~$10–12B in 2025 (Grand View Research – SOAR; KuppingerCole – SIEM; Grand View Research – Security Automation).
Bottom-up calculation:
If Cotool targets 10,000–15,000 organizations with in‑house SOCs globally and lands $75k–$150k in annual contract value per org for AI‑driven SecOps automation, the initial TAM ranges from ~$0.75B to ~$2.25B. This sits within the broader SOAR/security‑automation spend and can expand with deeper use across teams and automations.
Assumptions:
- There are on the order of 10k–15k organizations worldwide with in‑house SOCs that buy SecOps automation (mid‑market and enterprise).
- Average ACV for an AI SecOps automation platform falls between $75k and $150k per customer annually (mix of seats, agents, and usage).
- Adoption is gated by existing SIEM/EDR integrations and enterprise controls; SMBs without SOCs are out of scope in the near term.
Who are some of their notable competitors
- Microsoft Copilot for Security: Generative‑AI assistant embedded across Microsoft’s security stack; overlaps with Cotool’s copilot use cases for investigation and response.
- Palo Alto Networks Cortex XSOAR / XSIAM: Established SecOps automation and analytics platforms with playbooks and tight ecosystem integrations; strong incumbent in SOAR and autonomous response.
- Splunk SOAR: SOAR platform integrated with Splunk Enterprise Security; widely deployed for playbook‑driven alert enrichment, response, and ticketing.
- Torq: Modern, low‑code security automation platform with strong integrations and workflow tooling; overlaps on no‑code automation for SecOps teams.
- Dropzone AI: Startup building AI agents that act like virtual SOC analysts; closest to Cotool’s AI‑first investigation and triage vision.