Startup Diligence
Diligence report Cybersecurity; anti-ransomware; cyber resilience; enterprise endpoint security Private unicorn / growth-stage cybersecurity startup

Halcyon

Halcyon Startup Diligence Report

Proceed only to confirmatory diligence. A credible thesis depends on proving durable enterprise ARR, low churn, defensible ransomware-specific efficacy, scalable ROC/warranty economics, strong channel execution, clean IP/security/legal posture and a cap table that makes the headline valuation economically meaningful ([EC-009, EC-010, EC-012, EC-019]).

Company profile

Halcyon Startup Diligence Report

Eligibility passes: public sources support Halcyon as an active private cybersecurity unicorn and no public IPO, acquisition or shutdown was found in reviewed sources ([EC-001, EC-002, EC-003, EC-022]). The investability question is not eligibility; it is whether private diligence can substantiate ARR quality, customer retention, product efficacy, warranty risk, management transition and cap-table terms behind the $1B headline ([EC-004, EC-011, EC-015, EC-020, EC-021]).

Website
www.halcyon.ai
Sector
Cybersecurity; anti-ransomware; cyber resilience; enterprise endpoint security
Geography
United States; public sources reference Austin, Texas, San Diego/remote operations and Rancho Santa Fe legal address
Stage
Private unicorn / growth-stage cybersecurity startup
Known aliases
Halcyon, Halcyon AI, Halcyon Tech, Inc., Halcyon.ai
Report version
1.0
Timezone
UTC

Executive summary

Strengths

  • CB Insights, SEC filings, funding press/news, active website and job board support private-unicorn eligibility.
  • Public sources strongly support the Series C headline and 2023 financing trail, though Form D/press reconciliation and terms remain private.
  • Company product pages substantiate public platform components: prevention, DXP, key capture/decryption, ROC and warranty, while efficacy needs validation.

Risks

  • Financial statements, ARR, retention, margin, burn and sales efficiency are not public.
  • Product-efficacy and "undefeated" claims are company-provided and require independent validation.
  • Endpoint and cyber-resilience incumbents publicly market overlapping ransomware capabilities.
  • CEO-title transition and geography/address inconsistency require governance and HR diligence.
  • Legal/security/IP/insurance artifacts are incomplete without counsel and security data-room materials.

Gaps

  • Audited financials, ARR/bookings, cash/burn, margins, debt, backlog and revenue-by-customer data.
  • Cap table, financing terms, side letters, preferences, option pool and Form D/press reconciliation.
  • Independent technical validation, incident/warranty logs, customer references and product efficacy metrics.
  • Top-customer ARR/churn/NRR, contracts, partner economics and sales productivity.
  • CEO transition materials, HRIS, compensation, attrition, SOC/ISO/pen tests, insurance, litigation schedule and official IP records.

Recommended next steps

  • Open QoE/revenue-quality, technical efficacy, customer-reference, legal/security/IP and management/HR workstreams before relying on the $1B valuation.
  • Prioritize reconciliation of the 2025 Form D amount sold versus Series C press headline and the CEO-title transition.
  • Benchmark Halcyon against CrowdStrike, SentinelOne, Sophos and Rubrik through buyer references and win/loss data.

Risk register

high high likelihood

R-001: Financial opacity and revenue quality gap

No audited financials, ARR, margins, churn, burn, cash, debt, backlog or sales-efficiency metrics were public; Form D revenue range declined to disclose.

Diligence request: Open full QoE/revenue-quality diligence with audited financials, ARR bridge, cohort retention, burn/runway and sales productivity.

high high likelihood

R-005: Competitive pressure from endpoint, MDR and recovery incumbents

CrowdStrike, SentinelOne, Sophos and Rubrik publicly market overlapping ransomware prevention, endpoint, MDR or recovery capabilities.

Diligence request: Conduct win/loss, pricing, channel conflict and buyer-reference diligence.

high medium likelihood

R-002: Headline valuation and cap-table terms unverified

The $1B valuation headline is public, but cap table, preferences, option pool, side letters, secondary sales and Form D/press amount reconciliation are not.

Diligence request: Request financing documents, cap table, liquidation waterfall, 409A, investor rights, side letters and round reconciliation.

high medium likelihood

R-004: Product efficacy and undefeated/warranty claims need independent proof

Halcyon’s core claims around preventing/recovering from ransomware and zero customer ransom/disruption outcomes are company-provided and not independently audited publicly.

Diligence request: Run technical validation, customer incident-reference checks, warranty claims review and third-party testing.

high unknown likelihood

R-003: Customer concentration and retention not publicly verifiable

Named customers and testimonials are public, but no ARR concentration, renewal, churn, NRR or cohort data are public.

Diligence request: Request top-customer ARR, contracts, renewal status, churn/NRR cohorts and independent reference calls.

medium high likelihood

R-007: Legal, security, privacy and insurance artifacts incomplete

Public policies, SLA and DPA exist, but SOC/ISO, pen tests, subprocessor list, litigation schedule, insurance and executed contract terms are not public.

Diligence request: Counsel/security review of contracts, SOC/ISO/pen tests, insurance, privacy, subprocessors, litigation and regulatory materials.

medium medium likelihood

R-006: Management transition and headquarters/geography ambiguity

Public sources show Jon Miller as prior CEO/signatory while the current company page lists Aaron Mick as COO & Interim CEO; geography references vary among Austin, San Diego and Rancho Santa Fe.

Diligence request: Request board minutes, CEO transition rationale, employment agreements, legal entity/geography/tax nexus memo and retention plan.

medium medium likelihood

R-008: GTM/channel execution and partner economics unknown

Partner program, Dell relationship and sales hiring are public, but partner-sourced ARR, attach rate, CAC, quota and funnel conversion are not.

Diligence request: Request channel contracts, pipeline attribution, quota/attainment, sales capacity model and Dell attach-rate economics.

Chapter 01

01Financial Information

Public evidence supports Halcyon as an active private unicorn with a $1B Series C headline and SEC Form D financing trail, but revenue, margins, burn, cash, debt and cap-table economics remain private ([EC-001, EC-002, EC-003, EC-004, EC-020]).

I.A Annual and quarterly financial information for the past three years

not publicly verifiable confidence: low

No audited financials, management accounts, backlog, AR aging or product/geography gross-profit data were public; Form D revenue range was declined to disclose ([EC-004, EC-005, EC-006]).

Evidence gaps

  • Audited financials, management accounts, ARR/bookings, deferred revenue, cash, debt, burn, backlog, AR aging, gross margin by product/channel/geography.

Hidden risks

  • Potential services/ROC and warranty cost burden could depress gross margin but is not public.

Follow-up questions

  • Provide monthly financial statements for FY2023-FY2026 YTD, ARR bridge, revenue recognition policy, cash/debt schedule, backlog and AR aging.
Public financial, ARR and unit-economic signals
metric areapublic signalverification statusprivate diligence request
Revenue / ARRSEC Form D revenue range declined to disclose; no ARR in reviewed public sourcesnot_publicly_verifiableAudited financials, ARR bridge, bookings, deferred revenue, revenue recognition memo
Gross margin / services mixProduct includes technology, 24/7 ROC service and warranty; no gross margin disclosednot_publicly_verifiableGross margin by product/service, ROC staffing model, warranty reserve and support cost
Cash / burn / runwayLarge 2024/2025 financing signals but no cash balance or burn disclosednot_publicly_verifiableCash, monthly burn, runway, debt, plan-vs-actual and board-approved budget
Sales efficiency / quotaGreenhouse open roles skew to sales; no quota, CAC or productivity metrics publicnot_publicly_verifiableSales capacity, quotas, pipeline, CAC payback, win/loss and partner-sourced ARR

Financial quality is the largest public-evidence gap.

I.B Financial Projections

not publicly verifiable confidence: low

Public sources describe financing and hiring expansion but not a forecast, sales plan, foreign operations plan, pricing model or capex/working-capital assumptions ([EC-008, EC-016, EC-020]).

Evidence gaps

  • Board-approved forecast, scenarios, sales capacity plan, pricing assumptions, partner-sourced pipeline, capex/working-capital plan.

Hidden risks

  • International sales hiring could add regulatory, tax and support complexity.

Follow-up questions

  • Provide three-year operating model with ARR by product/channel/geography, retention, sales-capacity assumptions, hiring plan and downside cases.

I.C Capital Structure

partially verified confidence: medium

SEC and press sources identify financing events and public stakeholders, but outstanding shares, investor ownership, option pool, debt instruments, warrants and liquidation preferences are not public ([EC-001, EC-002, EC-003, EC-004]).

Evidence gaps

  • Cap table, financing documents, option/warrant/SAFE/note schedule, debt, side letters, 409A, liquidation waterfall.

Hidden risks

  • Headline valuation may mask structure, preferences, secondary sales or option-pool effects.

Follow-up questions

  • Provide fully diluted cap table, financing documents for all rounds, debt/warrants/notes, side letters, option pool and current 409A/valuation support.
Capital structure and ownership snapshot from public sources
stakeholderpublic positionevidencediligence caveat
Evolution Equity Partners / Richard SeewaldSeries C lead; Richard Seewald joined board per announcement and appears as related person in 2025 Form DSeries C release; 2025 Form D related personsOwnership %, board rights, side letters, liquidation preference
Bain Capital Ventures / Enrique SalemSeries B lead; Series C participant; Enrique Salem listed as director/related personSecurityWeek and Form DPro rata, information rights, preferences
SYN Ventures / Jay LeekSeries A lead and Jay Leek chairman/related personSeries A release and Form D related personsFounder/investor governance, rights and board composition
Founders and executivesJon Miller and Ryan Smith co-founders; Jon signed 2025 Form D as CEO; company page lists Aaron Mick as COO & Interim CEOCompany page and SEC Form DFounder vesting, employment terms, current authority and transition history

No public stockholder schedule, fully diluted share count, option pool, debt or SAFEs/notes were available.

Public financing amount and valuation chart Chart of disclosed round amounts and headline valuation.

I.D Other financial information

partially verified confidence: medium

Financing history is public at a high level, but tax, accounting policies, revenue recognition, financing terms and use of proceeds are private ([EC-002, EC-004, EC-005, EC-006, EC-007, EC-008]).

Evidence gaps

  • Tax positions, revenue-recognition memo, NOLs, financing use-of-proceeds, investor basis and percentage ownership.

Hidden risks

  • Round-size discrepancies between press releases and Form D filings may reflect rolling closes or securities sold but require management explanation.

Follow-up questions

  • Provide tax schedules, accounting policies, financing history by investor, use-of-proceeds report and reconciliation of press releases to SEC Form D filings.
Public funding-round and exempt-offering history
dateround or eventamount or offeringlead or participantsvaluation or termsverification status
2023-04-20 / 2023-05-08Series A / Form D noticePress: $50M; SEC: $43.75M offering, $42.25M soldSYN Ventures; Dell Technologies Capital; Corner Capital; other strategic investorsNot publicpartially_verified - reconcile discrepancy
2023-12-18 / 2023-12-19Series B / Form D notice$40M sold/reportedBain Capital VenturesNot publicverified for amount; valuation not public
2024-11-25 / 2025-01-06Series C / Form D noticePress: $100M; SEC: $127.79M offering, $125.28M soldEvolution Equity Partners; Bain Capital Ventures; SYN Ventures; Harmony Group; Corner Capital; Dropbox Ventures; ServiceNow Ventures; existing investors$1B headline valuation; preferences/secondary not publicpartially_verified - reconcile Form D amount

Public sources support funding history but not cap-table economics.

Funding and eligibility timeline Chronological public funding and eligibility events.
Chapter 02

02Products

Halcyon publicly offers a purpose-built anti-ransomware platform with prevention, DXP, key capture/decryption, ROC and warranty elements, but product efficacy, roadmap, pricing and unit economics require technical/customer diligence ([EC-009, EC-010, EC-020]).

II.A Description of each product

partially verified confidence: medium

The product/SKU evidence is visible on company pages, but growth rates, market share, profitability, independent efficacy and pricing are not public ([EC-009, EC-010, EC-020]).

Evidence gaps

  • Technical architecture, independent efficacy testing, roadmap, product-level ARR/gross margin, support/ROC unit costs, warranty reserves and pricing.

Hidden risks

  • Company-provided efficacy and undefeated claims may be difficult to validate without incident logs and independent tests.
  • Warranty/recovery services may create cost and liability exposure if attack patterns change.

Follow-up questions

  • Provide product demo, architecture/security review, third-party test results, roadmap, release history, module ARR, pricing, gross margin and warranty/ROC cost model.
Product / SKU matrix
product or skuaudiencepublic featuresevidence statusdiligence request
Anti-Ransomware Platform / preventionEnterprise and mid-market endpoint/security teamsAI engine trained on ransomware, vulnerable driver protection, EDR tamper protection, living-off-the-land detectionpartially_verifiedArchitecture, detection logic, false positives, OS coverage, independent tests
Data Exfiltration Protection (DXP)Security operations, privacy/legal risk teamsOutbound-flow monitoring, anomalous data movement detection, ransomware C2/volumetric featurespartially_verifiedNetwork coverage, data classification, tuning, incident examples
Encryption Detection + Key CaptureIncident response and IT recovery teamsCapture key material, create decryption keys, expert-led recovery via agent/ROCpartially_verifiedTechnical limits by ransomware family, key escrow/security, recovery SLAs, customer proof
24/7 Ransomware Operations Center (ROC)Security teams needing managed detection/response and recovery24/7/365 ransomware expert monitoring and recovery assistance includedpartially_verifiedStaffing, escalation, runbooks, SOC certifications, response-time history
Ransomware warranty / guaranteeCFO/CISO risk owners and cyber-insurance buyersExpert-led incident response and recovery services if attack bypasses defenses; marketed as no extra chargepartially_verifiedWarranty contract, exclusions, reserve, claims history, insurance/reinsurance

Product existence is public; efficacy and economics are not.

Pricing and commercial terms snapshot
commercial itempublic evidencerisk or gapdiligence request
List price / packagingGet-a-quote and demo CTAs; no public tier price foundPricing power, discounting and ACV cannot be benchmarked publiclyPrice book, discount schedule, ACV distribution, renewal uplift
Order-form subscription modelTerms define fees by order form and subscription periodActual customer terms may diverge from public standard termsExecuted MSA/order forms, side letters, termination/renewal terms
Warranty / guarantee costsWarranty marketed publicly; claims history not disclosedPotential reserve/liability if guarantee is broadWarranty terms, reserves, incident costs, cyber-insurance backing
Competitor pricing comparisonCrowdStrike page exposes per-endpoint units; Halcyon price not publicCompetitive pricing pressure unknownWin/loss price benchmarks against CrowdStrike, SentinelOne, Sophos, Rubrik and MDR providers

No public price list was identified.

Product capability and validation evidence ledger
claim areapublic evidenceverification statusvalidation needed
AI/ML ransomware modelsSeries C release says models trained on ransomware samplespartially_verifiedTraining corpus, model governance, efficacy tests, false-positive/negative rates
EDR tamper protectionAnti-ransomware page cites Microsoft Defender, CrowdStrike, SentinelOne, Palo Alto Cortex tamper/sabotage detectionpartially_verifiedIntegration list, OS/agent conflicts, test results
DXP data-theft detectionDXP page describes anomalous outbound data movement and C2/volumetric detectionpartially_verifiedCoverage by protocol, false positives, privacy impact, incident runbooks
Key capture/decryptionKey capture page describes seed/symmetric key capture and ROC-led decryptionpartially_verifiedRansomware-family coverage, encryption edge cases, customer examples

A private technical diligence track should be mandatory.

Public product architecture diagram High-level architecture inferred from public product pages.
Chapter 03

03Customer Information

Halcyon has visible customer testimonials, case studies, sectors and partnerships, but public evidence does not disclose revenue concentration, churn, NRR, contract terms, top suppliers or severed relationships ([EC-011, EC-012, EC-013, EC-014, EC-021]).

III.A Top customers by application

partially verified confidence: medium

Named and role-based testimonials identify several customers and verticals, but top-15 customer rankings and purchase timing are private ([EC-012]).

Evidence gaps

  • Top 15 customers by ARR/application, contract values, renewal dates, implementation scope, reference permissions.

Hidden risks

  • Named logos can overstate revenue traction if deployments are small or pilots.

Follow-up questions

  • Provide top-customer ARR by fiscal year/YTD, customer cohorts, renewal status, independent references and customer support history.
Publicly known customers and case-study signals
customer or referencepublic use case or quoteverification statusunverified items
Rocket Software / Mike Raeder, CISOAdded critical protection for high-risk endpoints and gaps in layered defensepartially_verifiedContract value, deployment scope, renewal, reference confirmation
CACC CargolinxSelected Halcyon after POC across prevention, behavior detection and key capture; deployed with minimal disruptionpartially_verifiedARR, airline-partner requirements, technical outcomes
Industrial Refrigeration ProsDeployed via Microsoft Intune to secure most of network within dayspartially_verifiedEndpoint count, price, operational results
City government≈1,000 endpoints, blocked all but one test variant and recovered remaining case in five minutespartially_verifiedIndependent validation, test design, production deployment evidence
OceanAir Federal Credit Union / Delaware Valley University / Shasta Community Health Center / healthcare insurerPublic testimonials cite MTTR improvement, no unplanned downtime, easy deployment and key capture peace of mindpartially_verifiedCustomer concentration, retention, legal approval, renewal status

Public evidence verifies marketing permission/testimonials, not financial quality.

Customer disclosure and concentration chart Bar chart of publicly disclosed customer metrics or absence of revenue weights.

III.B Strategic relationships

partially verified confidence: medium

Public strategic relationships include a partner program and Dell relationship, but terms and contribution are not public ([EC-013, EC-014]).

Evidence gaps

  • Partner contracts, reseller/MSSP list, sourced pipeline, attach rates, revenue share, exclusivity and support obligations.

Hidden risks

  • Partner success may depend on enablement, support commitments and margin economics not visible publicly.

Follow-up questions

  • Provide partner agreements, channel revenue, partner-sourced ARR, Dell attach-rate data and partner support SLAs.
Strategic relationships and partnerships
partner or relationshipnaturepublic evidencediligence gap
DellTechnology/OEM/channel relationship through Dell Trusted Workspace and commercial PCsHalcyon + Dell page says Halcyon is available on Dell commercial PCsAttach rate, revenue share, exclusivity, support responsibilities
ResellersPartner program path for direct resale and joint sellingPartner page names resellers and deal registration/enablementPartner list, sourced ARR, discount/rebate schedule
MSSPsManaged-service channelPartner page names MSSPs among supported partner typesMSSP contracts, SLAs, service handoffs, margin
Incident response partnersIR channel for containment/recoveryPartner page says IR partners use Halcyon to help customers contain and recover from ransomwareIR partner roster, referral fees, insurance/claims coordination
Technology partnersIntegrations / ecosystemPartner page names technology partners; platform pages cite EDR and backup adjacenciesSupported integrations, certification, API/SDK terms

Partnership evidence is public but economic contribution is not.

III.C Revenue by customer

not publicly verifiable confidence: low

Revenue by customer and any customers above 5% of revenue are not publicly disclosed ([EC-021]).

Evidence gaps

  • ARR by customer, gross margin by customer, churn/NRR cohorts, renewal and expansion history.

Hidden risks

  • Customer concentration could be material if named enterprise/public-sector deployments are large.

Follow-up questions

  • Provide revenue-by-customer schedule for FY2024-FY2026 YTD, >5% customer list, churn/NRR and renewal risk.

III.D Significant relationships severed within the last two years

not publicly verifiable confidence: low

No public source identified severed customer, partner or supplier relationships; this requires management and customer diligence ([EC-021, EC-024]).

Evidence gaps

  • Lost customers/partners/suppliers, churn reasons, disputed invoices, implementation failures.

Hidden risks

  • Lost logos or warranty/incident disputes could be non-public.

Follow-up questions

  • Provide two-year lost customer/partner list, churn reasons, non-renewals and customer success escalations.

III.E Top suppliers

partially verified confidence: low

Public supplier/dependency signals include Dell, Microsoft Intune in a case study, existing EDR adjacencies and hosted-platform references, but cloud/vendor spend and contracts are private ([EC-009, EC-012, EC-014, EC-017]).

Evidence gaps

  • Top suppliers by spend, cloud architecture, subprocessors, EDR/MDM integrations, partner/vendor contracts.

Hidden risks

  • Undisclosed cloud, telemetry, AI/ML and support-tool dependencies may create concentration or data-residency risk.

Follow-up questions

  • Provide vendor-spend report, cloud architecture, subprocessor list, critical supplier contracts and business-continuity plan.
Top supplier / cloud-and-infrastructure dependency snapshot
supplier or dependencyrolepublic evidenceconcentration risk
DellCommercial-PC/OEM distribution and endpoint channelDell Trusted Workspace / on-the-box availabilityChannel dependency and support obligations unknown
Microsoft IntuneCustomer deployment mechanism cited in Industrial Refrigeration Pros caseCustomer page says deployment via Microsoft IntuneMDM integration and support scope unknown
Existing EDR/XDR vendorsAdjacent/augmentative endpoint controlsProduct pages mention Microsoft Defender, CrowdStrike, SentinelOne and Palo Alto Cortex tamper/sabotage protectionIntegration conflicts and co-sell/compete dynamics unknown
Cloud hosting / data subprocessorsHosted platform services and personal-data processingSLA references hosted services; DPA references subprocessors but public subprocessor list not foundCloud/provider outage, data residency and subprocessors not verified

Private vendor list and cloud architecture are required.

Chapter 04

04Competition

Halcyon’s ransomware-specific focus is distinctive, but broad endpoint, XDR, MDR and cyber-recovery incumbents publicly market overlapping ransomware capabilities ([EC-009, EC-019]).

IV.A Competitive landscape by market segment

partially verified confidence: medium

Public competitor pages show overlap from CrowdStrike, SentinelOne, Sophos and Rubrik; Halcyon’s differentiation depends on purpose-built ransomware focus, key capture, DXP, ROC and warranty proof ([EC-019, EC-009, EC-010]).

Evidence gaps

  • Win/loss data, competitive displacement, pricing benchmarks, analyst/customer perception, partner-conflict analysis.

Hidden risks

  • Incumbents can bundle ransomware features into broader EDR/XDR/backups and pressure pricing or procurement.

Follow-up questions

  • Provide win/loss by competitor, competitive pricing, buyer interviews, analyst references and renewal displacement data.
Competitor comparison matrix
companypublic overlapdifferentiator or pressureevidence status
HalcyonPrevention, DXP, key capture, ROC, warrantyFocused ransomware-only positioning and key-capture claimPartially verified by company sources
CrowdStrikeRansomware protection, endpoint monitoring, proactive threat huntingLarge platform incumbent; claims 100% ransomware protection in SE Labs testCompetitor marketing verified
SentinelOneEndpoint prevention, detection and responseBroad Singularity platform and marketplace; autonomous security positioningCompetitor marketing verified
SophosEndpoint ransomware prevention and rollbackCryptoGuard rollback and default-on endpoint controlsCompetitor marketing verified
RubrikRansomware recovery and immutable backupStrong recovery/backup buying center; adjacent or complementaryCompetitor marketing verified

Requires win/loss and pricing diligence.

Basis-of-competition scoring
axis
Ransomware-specific focus
Recovery depth
Platform breadth
Proof and trust

Scores are analyst judgments based on public materials.

Competitive positioning market map Positioning map for ransomware focus versus recovery depth.

Analyst positioning; validate with win/loss.

Chapter 05

05Marketing, Sales, and Distribution

Public GTM signals include enterprise quote/demo motion, partner program, Dell channel, research-led marketing and sales hiring, but funnel metrics, CAC, quota productivity and partner economics are private ([EC-013, EC-014, EC-016, EC-018, EC-020]).

V.A Strategy and implementation

partially verified confidence: medium

Halcyon positions directly to ransomware risk owners and uses partner/OEM/content channels, but channel performance is not public ([EC-013, EC-014, EC-018, EC-020]).

Evidence gaps

  • GTM plan, channel mix, pipeline, marketing spend, conversion, partner economics.

Hidden risks

  • Ransomware urgency can create demand, but sales cycles may depend on CISO, board, insurance and budget timing.

Follow-up questions

  • Provide GTM plan, pipeline/funnel, channel ARR, marketing attribution and budget-to-plan performance.
Distribution channels and GTM motions
channel
Direct enterprise sales / quote motion
Partner program
Dell/OEM route
Content/threat intelligence
Public sector / international field sales

Public GTM signals are strong but quantitative funnel data is absent.

Public GTM signal mix Count of public GTM signals by channel.

V.B Major Customers

partially verified confidence: low

Public testimonials support referenceability, but major-customer relationship trends and pipeline are not public ([EC-012, EC-021]).

Evidence gaps

  • Customer health scores, expansion pipeline, renewal risk, executive sponsor maps.

Hidden risks

  • A small number of large logos could drive ARR concentration.

Follow-up questions

  • Provide top-customer account plans, renewal/expansion pipeline and customer health dashboard.

V.C Principal avenues for generating new business

partially verified confidence: medium

Direct sales, partners, Dell/OEM, research content and regional/public-sector hiring are public avenues; quantitative productivity is not ([EC-013, EC-014, EC-016, EC-018]).

Evidence gaps

  • Lead sources, partner-sourced ARR, conversion rates, sales cycle, market-development spend.

Hidden risks

  • Rapid sales expansion could outpace implementation/ROC capacity.

Follow-up questions

  • Provide funnel by channel, conversion, sales cycle, partner attribution and quota attainment.
Public marketing and sales productivity signals
signal
Sales hiring
Customer testimonials
Research-led marketing
No public pricing

No private pipeline report or sales-efficiency model was available.

V.D Sales force productivity model

not publicly verifiable confidence: low

Sales compensation, average quota, sales cycle and hiring plan are not public; only job postings are visible ([EC-016]).

Evidence gaps

  • Quota capacity, comp plans, ramp, attainment, CAC, payback, sales cycle.

Hidden risks

  • Sales capacity investment after large financing could pressure burn if productivity lags.

Follow-up questions

  • Provide sales compensation plan, quota/attainment by rep, pipeline aging, CAC payback and hiring plan.

V.E Ability to implement marketing plan with current and projected budgets

not publicly verifiable confidence: low

Budget sufficiency is not public; recent financing provides capacity signal but no burn/budget evidence ([EC-002, EC-016]).

Evidence gaps

  • Budget, burn, marketing attribution, ROI and board-approved headcount plan.

Hidden risks

  • Marketing/sales spend may accelerate burn without clear sales efficiency.

Follow-up questions

  • Provide marketing budget, actuals vs plan, pipeline attribution and hiring-budget approval.
Chapter 06

06Research and Development

Public R&D signals include veteran technical founders, product leaders, research center, live threat intelligence and kernel hiring; roadmap, development cost, security architecture and IP assignments are private ([EC-015, EC-016, EC-018, EC-009]).

VI.A Description of R&D organization

partially verified confidence: medium

The company page identifies technical/product leaders and a research-oriented origin story; actual R&D org structure and budget are not public ([EC-015, EC-016]).

Evidence gaps

  • R&D org chart, engineering headcount, roadmap ownership, invention assignment and security SDLC.

Hidden risks

  • Founder/technical concentration risk if key inventors leave or transition roles.

Follow-up questions

  • Provide engineering org chart, roadmap, SDLC, technical debt, IP assignments and engineering attrition.
Key R&D and product leadership roster
person or role
Jon Miller
Ryan Smith
Kris Lamb
Clark Lindsey
Research Center team / threat intelligence

Personnel roster requires HR/legal validation.

R&D and product leadership map Public R&D/product org signal map.

Actual reporting lines not public.

VI.B New Product Pipeline

partially verified confidence: medium

Public pipeline signals include DXP, key capture/decryption, Dell PCs and Research Center outputs; development cost, release schedule and critical-technology risk are private ([EC-009, EC-014, EC-018]).

Evidence gaps

  • Product roadmap, development costs, coverage by ransomware family, release milestones, QA and technical risk register.

Hidden risks

  • Ransomware techniques evolve quickly; product efficacy may degrade without sustained R&D.

Follow-up questions

  • Provide roadmap, release notes, R&D budget, technical validation by ransomware family and post-incident lessons learned.
Public product / research pipeline
pipeline item
Ransomware Research Center / Threat Actor Index / Attack Map
DXP
Encryption key capture/decryption
Dell ransomware-resilient PCs
Kernel and federal sales hiring

No private roadmap, development cost or release schedule available.

Chapter 07

07Management and Personnel

Public sources show experienced cybersecurity leadership, active hiring and remote/global operations, but CEO-transition, address/geography differences, total headcount, compensation and attrition require private diligence ([EC-015, EC-016, EC-025]).

VII.A Organization Chart

partially verified confidence: low

A full org chart is not public; company page provides senior leadership roles but not reporting lines ([EC-015]).

Evidence gaps

  • Current org chart, reporting lines, board/advisor roster and management succession plan.

Hidden risks

  • Actual reporting lines and management spans are not public.

Follow-up questions

  • Provide current org chart, board roster, advisor list and reporting lines.
Senior management roster
name
Aaron Mick
Jon Miller
Ryan Smith
Scott Stout
Jeff St. Clair
Jeff Williams
Kris Lamb / Oliver Newbury / Tom Lee / Ryan Schultz / Tim West / Mitch Plonski

Management roster is public but background checks and employment terms remain private.

Public senior leadership org chart Public senior leadership and management-transition map.

Public page lists roles but not reporting structure.

VII.B Historical and projected headcount by function and location

partially verified confidence: medium

Historical/projected headcount is private; careers/Greenhouse provide only remote/global and open-role signals ([EC-016, EC-025]).

Evidence gaps

  • HRIS export by month/function/location, contractor list, approved hiring plan, attrition.

Hidden risks

  • Distributed workforce can create employment, tax, security and culture risks.

Follow-up questions

  • Provide historical/projected headcount, employment locations, contractors, PEO/EOR use and tax nexus review.
Headcount and hiring signals
signal
Remote/global team
Open roles count
Sales-weighted hiring
Engineering hiring

Point-in-time public job board; not total headcount.

Public job-opening mix chart Function/geography mix from Greenhouse postings.

VII.C Senior management biographies

partially verified confidence: medium

Company page provides public biographies for founders and leaders; background checks and employment terms are private ([EC-015]).

Evidence gaps

  • Background checks, references, employment agreements, restrictive covenants and invention assignments.

Hidden risks

  • Public bios may omit departures, litigation, restrictive covenants or employment issues.

Follow-up questions

  • Provide management bios, background-check consents, reference list, employment agreements and IP assignment documents.

VII.D Compensation arrangements

not publicly verifiable confidence: low

Key employment agreements, compensation and benefits are not public ([EC-016]).

Evidence gaps

  • Executive employment agreements, comp bands, variable comp, benefits, retention bonuses.

Hidden risks

  • Retention risk cannot be assessed without compensation/equity details.

Follow-up questions

  • Provide compensation by employee, offer letters, executive agreements, benefits plan and severance/change-in-control terms.

VII.E Incentive stock plans

not publicly verifiable confidence: low

Option pool, incentive stock plan and equity grants are not public ([EC-003, EC-004]).

Evidence gaps

  • Equity plan, option pool, grants, vesting, 409A, refresh policy.

Hidden risks

  • Dilution and employee retention risk cannot be assessed.

Follow-up questions

  • Provide equity incentive plan, grant ledger, vesting schedules and 409A valuations.

VII.F Significant employee relations problems, past or present

not publicly verifiable confidence: low

No public employee-relations problem schedule was identified; this is not publicly verifiable ([EC-024]).

Evidence gaps

  • Employee-relations matters, complaints, investigations, severance agreements and employment claims.

Hidden risks

  • Employee claims, restrictive-covenant disputes or harassment/retaliation matters may be non-public.

Follow-up questions

  • Provide employment claims schedule, complaints/investigations, severance agreements and HR policies.

VII.G Personnel Turnover

partially verified confidence: low

Turnover data is private; public sources show a CEO-title transition and active hiring but not departures or attrition ([EC-015, EC-016]).

Evidence gaps

  • Two-year attrition, regretted attrition, departure reasons, management transition memo and retention plan.

Hidden risks

  • Executive transition could signal governance, scaling or founder-role changes.

Follow-up questions

  • Provide attrition by function, executive departure history, CEO-transition materials and retention plans.
Departures / turnover / management transition signals
transition signal
CEO-title change
Geography/address inconsistency
Personnel turnover data

Turnover cannot be validated publicly.

Chapter 08

08Legal and Related Matters

Halcyon has public SEC/Form D, privacy, terms, SLA and DPA artifacts and some trademark-search signals, but litigation, regulatory actions, insurance, official IP status, SOC/ISO/security reports and customer contract terms are not publicly verifiable ([EC-017, EC-023, EC-024]).

VIII.A Pending lawsuits against the Company

not publicly verifiable confidence: low

No substantive lawsuit against Halcyon was captured in surface web searches, but no official docket/counsel search was available ([EC-024]).

Evidence gaps

  • Counsel litigation schedule, PACER/state docket searches, arbitration/employment claims, threatened claims.

Hidden risks

  • Unknown warranty, security, employment, customer or IP disputes may be non-public.

Follow-up questions

  • Provide litigation/threatened-claims schedule, counsel letters, arbitration/employment matters and warranty-claim register.
Pending lawsuits against the company - public-search ledger
case or search
Surface web search for "Halcyon Tech, Inc." lawsuit/court
Customer/product liability or warranty claims
Privacy/security incidents

No counsel docket search was available.

Legal, regulatory and policy timeline Public legal/regulatory artifact timeline.
Risk heatmap Heatmap of top public-diligence risks.

VIII.B Pending lawsuits initiated by Company

not publicly verifiable confidence: low

No company-initiated litigation was publicly verified; IP enforcement/oppositions are inconclusive because official trademark records were not retrieved ([EC-023, EC-024]).

Evidence gaps

  • Counsel plaintiff-matter schedule, IP oppositions/enforcement, collections and employment enforcement matters.

Hidden risks

  • Company-initiated IP, collections or employment enforcement actions could exist outside surface results.

Follow-up questions

  • Provide plaintiff-claims schedule, USPTO/opposition docket and collections/enforcement matters.
Pending lawsuits initiated by the company - public-search ledger
case or search
Surface web search for Halcyon Tech plaintiff matters
IP/trademark opposition/enforcement

No official docket search.

VIII.C Environmental and employee safety issues and liabilities

not publicly verifiable confidence: low

As a remote-first software company, public environmental/safety signals are minimal; employee safety, remote-work, incident-response and office obligations are not public ([EC-016, EC-025]).

Evidence gaps

  • Employee handbook, remote-work policy, workers compensation, office leases, safety incidents.

Hidden risks

  • Remote work and international hiring can create occupational safety, labor-law and tax compliance questions.

Follow-up questions

  • Provide employment/remote-work policies, office lease/safety documents, workers-comp claims and international labor compliance review.

VIII.D Material patents, copyrights, licenses, and trademarks

inconclusive confidence: low

Trademark snippets indicate public marks tied to Halcyon Tech, Inc., but official USPTO status and patents were not verified ([EC-023]).

Evidence gaps

  • Official USPTO records, assignments, patent portfolio, invention assignments, open-source and third-party license audit.

Hidden risks

  • IP ownership or prosecution gaps could weaken defensibility.

Follow-up questions

  • Provide IP schedule, USPTO/TSDR exports, patent applications, trademark assignments, open-source audit and invention assignment agreements.
Material IP - trademarks and patent/publication gaps
asset
HALCYON word mark
DXP mark
ROC mark
HALCYON RANSOMWARE FIREWALL mark
Patents / proprietary technology

Official IP counsel review is required.

VIII.E Insurance coverage and material exposures

not publicly verifiable confidence: low

Insurance coverage is not public; warranty/guarantee exposure is public but claims/reserves and insurance backing are not ([EC-010, EC-011]).

Evidence gaps

  • Cyber/E&O/D&O/CGL policies, warranty backing, claims history, reserve methodology.

Hidden risks

  • Warranty exposure could be material if ransomware bypasses controls or exclusions are narrow.

Follow-up questions

  • Provide insurance certificates, policies, claims history, warranty reserve and claim adjudication process.

VIII.F Material contracts

partially verified confidence: medium

Public standard terms, SLA and DPA exist, but actual customer, partner, Dell and supplier contracts are private ([EC-017, EC-014]).

Evidence gaps

  • Executed MSAs/order forms, DPAs, SLAs, partner agreements, Dell agreement, supplier contracts, indemnities and liability caps.

Hidden risks

  • Side letters, warranty commitments, indemnities or partner exclusivity may alter risk profile.

Follow-up questions

  • Provide material-contract schedule and copies of customer, partner, Dell, supplier, DPA/SLA and warranty agreements.

VIII.G Regulatory agency problems

not publicly verifiable confidence: low

Public sources show SEC Form D filings and privacy/SLA/DPA artifacts; no regulatory agency problems were publicly verified, and official/legal searches remain incomplete ([EC-003, EC-017, EC-024]).

Evidence gaps

  • Regulatory correspondence, privacy/security audits, export-control review, sanctions screening, public-sector compliance, SOC/ISO reports.

Hidden risks

  • Privacy/security, sanctions/export, public-sector and cyber warranty claims can create regulatory exposure.

Follow-up questions

  • Provide regulatory correspondence, compliance audits, SOC 2/ISO, pen tests, export/public-sector compliance materials and privacy assessment.
Regulatory, privacy, contractual and insurance exposure summary
area
Privacy
DPA / GDPR / state privacy
SLA
Standard subscription terms
Regulatory / agency actions
Insurance / warranty backing

Public legal artifacts are not a clean legal opinion.

Evidence

Evidence claims
IDClaimStatusSources
EC-001 CB Insights lists Halcyon as a $1B United States Enterprise Tech unicorn that joined on 2024-11-25. verified high SRC-001
EC-002 Halcyon announced a $100M Series C led by Evolution Equity Partners, with the round valuing the company at $1B and bringing total raised to $190M. verified high SRC-002SRC-009
EC-003 SEC EDGAR identifies Halcyon Tech, Inc. as a Delaware corporation with Austin, Texas business address and three Form D filings. verified high SRC-003
EC-004 The 2025 Form D reports a $127.79M offering, $125.28M sold, revenue range declined to disclose, and related persons including Jon Miller, Ryan Smith, Jay Leek, Nicholas Warner, Enrique Salem and Richard Seewald. verified high SRC-004
EC-005 The December 2023 Form D reports $40M sold and revenue range declined to disclose. verified high SRC-005
EC-006 The May 2023 Form D reports a $43.75M offering with $42.25M sold and revenue range declined to disclose. verified high SRC-006
EC-007 Halcyon announced a $50M Series A led by SYN Ventures to accelerate a ransomware resilience platform. verified medium SRC-007
EC-008 SecurityWeek reported Halcyon raised $40M Series B led by Bain Capital Ventures and planned to expand engineering, R&D and sales. verified high SRC-008
EC-009 Halcyon positions its platform as AI/ML-trained anti-ransomware technology, with key capture and DXP capabilities. partially verified medium SRC-002SRC-011SRC-012SRC-013SRC-014
EC-010 Halcyon publicly describes a platform bundle of anti-ransomware technology, 24/7 Ransomware Operations Center and ransomware warranty. verified medium SRC-011
EC-011 Halcyon claims no significant customer disruptions, exfiltration, backup restores, ransom payments or warranty claims to date. partially verified medium SRC-002SRC-009
EC-012 Halcyon publicly lists customer testimonials and case studies across software, healthcare, logistics, industrial refrigeration, finance, education and government. partially verified medium SRC-015SRC-010
EC-013 Halcyon has a public partner program for resellers, MSSPs, incident response and technology partners. verified medium SRC-016
EC-014 Halcyon publicly markets a Dell relationship for ransomware-resilient PCs through Dell Trusted Workspace. verified medium SRC-017
EC-015 Halcyon was formed in 2021 by cybersecurity veterans and lists a leadership team, but public sources show an apparent CEO-title transition. partially verified medium SRC-018SRC-002SRC-004
EC-016 Public personnel signals show a remote-first team, San Diego/Austin office references and 14 open roles skewed toward sales. verified medium SRC-019SRC-020
EC-017 Halcyon publishes privacy, subscription, SLA and DPA artifacts, including a 99% hosted-platform availability commitment. partially verified medium SRC-021SRC-022SRC-023SRC-024
EC-018 Halcyon operates a public Ransomware Research Center with attack map, threat actor index, reports and alerts. verified medium SRC-025
EC-019 Halcyon faces competition or adjacency from major endpoint and cyber-resilience vendors with ransomware capabilities. verified medium SRC-026SRC-027SRC-028SRC-029
EC-020 Public pricing for Halcyon was not found; the website routes buyers to quotes, demos and order forms. not publicly verifiable low SRC-011SRC-012SRC-022
EC-021 Public customer revenue concentration, churn, retention and backlog are not disclosed. not publicly verifiable low SRC-015SRC-002
EC-022 Public financing and operating sources support active private-company status, with no public IPO/acquisition/shutdown evidence found in the reviewed sources. verified medium SRC-001SRC-003SRC-004SRC-010SRC-018SRC-020SRC-032
EC-023 Public trademark evidence is incomplete: web search surfaces Halcyon Tech trademark records, but official USPTO API access required a key during this research. inconclusive low SRC-030SRC-031
EC-024 No comprehensive public litigation, regulatory-action or employment-dispute schedule was available. not publicly verifiable low SRC-032SRC-021SRC-024
EC-025 Public sources show geography inconsistency: CB/SEC and SecurityWeek emphasize Austin, while the company page says technically headquartered in San Diego/remote. inconclusive medium SRC-001SRC-003SRC-008SRC-018SRC-019SRC-024
Sources
IDPublisherTitleAccessed
SRC-001 CB Insights CB Insights complete unicorn companies list - Halcyon row 2026-06-07
SRC-002 Business Wire via FinancialContent Halcyon closes $100M Series C funding round at $1B valuation 2026-06-07
SRC-003 U.S. SEC SEC EDGAR filer page for Halcyon Tech, Inc. CIK 0001976365 2026-06-07
SRC-004 U.S. SEC SEC Form D primary document, accession 0001976365-25-000001 2026-06-07
SRC-005 U.S. SEC SEC Form D primary document, accession 0001976365-23-000002 2026-06-07
SRC-006 U.S. SEC SEC Form D primary document, accession 0001976365-23-000001 2026-06-07
SRC-007 Halcyon Halcyon closes $50M in Series A funding 2026-06-07
SRC-008 SecurityWeek Halcyon raises $40 million for anti-ransomware platform 2026-06-07
SRC-009 Crunchbase News Anti-ransomware startup Halcyon reaches unicorn status after $100M Series C 2026-06-07
SRC-010 Halcyon Halcyon homepage 2026-06-07
SRC-011 Halcyon Halcyon platform overview 2026-06-07
SRC-012 Halcyon Halcyon anti-ransomware product page 2026-06-07
SRC-013 Halcyon Halcyon data exfiltration protection page 2026-06-07
SRC-014 Halcyon Halcyon encryption detection and key capture page 2026-06-07
SRC-015 Halcyon Halcyon customers page 2026-06-07
SRC-016 Halcyon Halcyon partner program page 2026-06-07
SRC-017 Halcyon Halcyon + Dell partnership page 2026-06-07
SRC-018 Halcyon Halcyon company and leadership page 2026-06-07
SRC-019 Halcyon Halcyon careers page 2026-06-07
SRC-020 Greenhouse / Halcyon Halcyon Greenhouse job board 2026-06-07
SRC-021 Halcyon Halcyon privacy policy 2026-06-07
SRC-022 Halcyon Halcyon platform subscription services agreement 2026-06-07
SRC-023 Halcyon Halcyon service level agreement 2026-06-07
SRC-024 Halcyon Halcyon data processing addendum 2026-06-07
SRC-025 Halcyon Halcyon ransomware research center 2026-06-07
SRC-026 CrowdStrike CrowdStrike ransomware protection page 2026-06-07
SRC-027 SentinelOne SentinelOne Singularity XDR platform page 2026-06-07
SRC-028 Sophos Sophos Endpoint product page 2026-06-07
SRC-029 Rubrik Rubrik ransomware recovery page 2026-06-07
SRC-030 DuckDuckGo DuckDuckGo search results for Halcyon Tech trademark records 2026-06-07
SRC-031 USPTO USPTO TSDR API access notice for serial-number lookups 2026-06-07
SRC-032 DuckDuckGo DuckDuckGo search results for Halcyon Tech lawsuit/court records 2026-06-07
SRC-033 Halcyon Halcyon ServiceNow / support and contact links observed in site navigation 2026-06-07

Disclaimer

This report is a public-evidence diligence snapshot, not investment advice. Important financial, legal, technical, and contractual facts remain non-public and should be verified directly with management and primary documents before any investment decision.