Haleum

Human Risk Intelligence for the AI-era

Winter 2025, active, 2025
Artificial Intelligence, Cybersecurity

Report from 12 days ago

What do they actually do

Haleum is an enterprise security product that analyzes communications and security telemetry to detect and investigate human-driven risk (insider fraud, data theft, policy violations, and account compromise). It connects to tools like Slack/Teams/Gmail, Okta, CrowdStrike, and Splunk, then correlates messages, identity changes, and alerts into a single, employee-specific case so an analyst sees context and likely intent rather than many isolated events (homepage, solutions).

Analysts use Haleum to ingest data, automatically group related events, review a condensed timeline and narrative, and then apply suggested remediations and produce audit-ready reports. The company sells via demos/pilots to regulated industries and is an early-stage YC W25 startup founded in 2024 (homepage, solutions, YC listing).

Who are their target customer(s)

  • Insider-risk teams at regulated enterprises (finance, energy, healthcare): They must determine whether employees stole data, committed fraud, or violated policy and produce audit-ready evidence. Today they assemble logs, messages, and interviews manually, which is slow and inconsistent.
  • Tier‑2/3 investigators and incident responders: They receive alerts from chat, email, identity, and endpoints and must stitch them into a single timeline to judge intent. Manual correlation creates long investigation times and backlog.
  • Compliance and legal teams: They need defensible, explainable evidence and consistent reporting for regulators or litigation. Ad‑hoc investigations create gaps and increase regulatory risk.
  • Security leaders (CISO / head of security): They worry about blind spots in external collaboration (Slack Connect, Teams external, vendor portals) and account compromise. They need measurable controls and faster resolution paths they can report to executives and auditors.
  • SecOps/IT teams managing identity and threat tools: Telemetry is fragmented across platforms and alerts often lack human intent, causing repeated manual work and slow remediation.

How would they acquire their first 10, 50, and 100 customers

  • First 10: Use YC/founder networks to land paid 6–12 week pilots in regulated industries; the team handles integrations and runs initial investigations to produce audit-ready cases and early references.
  • First 50: Scale targeted outbound and partner referrals (Okta/CrowdStrike/SIEM ecosystems, select consultancies) while keeping high-touch onboarding; publish time-to-investigation and compliance artifacts to convert peers in the same verticals.
  • First 100: Adopt a channel-led, productized pilot model with MSSPs/SIs and prebuilt connectors/templates; invest in automated agents and an analyst copilot to shorten setup and standardize remediation and reporting outcomes across partners.

What is the rough total addressable market

Top-down context:

Published estimates put insider‑threat/insider‑risk at about $4.8B in 2024 with projections toward ~$12B by 2030 (Yahoo Finance summary). DLP is ~$2.7B in 2023 with forecasts to ~$10B by 2030 (NextMSC), and UEBA/behavior analytics is roughly $1.9–2.4B in 2024 with high growth (GIA/market summaries). Given overlap among categories, a practical TAM for Haleum’s class is ~$6–10B today.

Bottom-up calculation:

Assume ~12,000 large regulated enterprises globally (finance, healthcare, energy, critical infrastructure). If Haleum’s platform ACV is ~$300k–$500k per enterprise for multi-source investigations and audit reporting, that implies ~$3.6–$6.0B; adding 25–50% of adjacent DLP/UEBA budgets those buyers reallocate brings the total to roughly $4.5–$9.0B, consistent with the top‑down range.

Assumptions:

  • ~12,000 regulated enterprises with >1,000 employees globally (order-of-magnitude estimate).
  • Average ACV for a cross-tool insider‑risk investigation platform: ~$300k–$500k per enterprise annually.
  • 25–50% of adjacent DLP/UEBA spend is contestable when buyers prioritize investigation/intent over policy-only controls.

Who are some of their notable competitors

  • Proofpoint (ObserveIT / Insider Threat Management): Enterprise insider‑threat platform focused on endpoint activity capture and forensic timelines (including optional screen capture), tied into DLP/compliance workflows; overlaps on investigations and audit reporting but is heavier on endpoint recording and classic DLP (product, docs).
  • Microsoft Purview (Insider Risk Management + Communication Compliance): Built into Microsoft 365 with policy templates, case management, and privacy/pseudonymization; a strong default when customers’ communications and identity live in Microsoft because it natively correlates those signals (Insider Risk and Communication Compliance).
  • Exabeam: SIEM/UEBA platform that ingests logs broadly, baselines behavior, and auto‑stitches alerts into incident timelines; competes on automated investigations and SOC productivity rather than deep message‑level intent analysis (overview).
  • DTEX Systems: Specialist insider‑risk/user activity monitoring with high‑fidelity endpoint and behavioral metadata, intent scoring, and AI‑guided investigations; emphasizes continuous endpoint telemetry and privacy‑aware pseudonymization (platform).
  • Teramind: Employee‑monitoring and endpoint DLP with session replay, OCR, and granular activity logs aimed at compliance and forensics; similar on investigation evidence but oriented to screen/session capture and productivity monitoring (insider threat and DLP).