Every major platform shift produces an unanticipated security crisis. The internet gave us phishing and malware. Mobile gave us app-layer vulnerabilities. Cloud gave us misconfiguration and identity sprawl. In each case, the winning security category was built by people who understood the new attack surface at a fundamental level; they were not security generalists retrofitting old tools onto new infrastructure.
AI is proving no different, except the attack surface is stranger and more porous than anything we've seen before.
The problem is architectural. When you deploy a large language model, you're deploying a probabilistic system whose behavior emerges from training, not from rules you wrote. Traditional security tools such as classifiers, pattern matchers, and static guardrails are structurally blind to this. They scan for known-bad inputs. But a sufficiently motivated adversary doesn't need known-bad inputs. They probe the model's learned generalizations, find the gap between what it was trained to do and what it can be induced to do, and exploit it. Increasingly, that adversary is not a human; it's another model, running automated attack campaigns at a speed and scale no human red team can match. Gray Swan was built on the recognition that the only way to secure a probabilistic system is with another probabilistic system, one trained on adversarial data at a scale no static tool can match.
The founders
Gray Swan co-founders Matt Fredrikson and Zico Kolter are Carnegie Mellon faculty who have spent the better part of a decade mapping exactly how AI systems fail under adversarial conditions. Matt’s research spans security and privacy, trustworthy AI, and formal methods, with a focus on the unique failure modes that arise in data-driven systems. He is among the researchers who established foundational techniques for model inversion attacks, and it’s this work that helped define adversarial machine learning as a discipline before the current wave of LLMs made it an enterprise problem.
Zico's work focuses on AI safety, alignment, and the robustness of machine learning classifiers, including developing the first methods for deep learning models with guaranteed robustness and pioneering automated techniques for evaluating the safety of large language models. In 2024, his expertise landed him a board seat at OpenAI, where he chairs the Safety and Security Committee, a four-person panel with the authority to halt the release of new AI systems if they are deemed unsafe.
This combination of co-founders — a CEO who mapped the attack surface from first principles and a Chief Scientist embedded at the center of frontier AI governance — is not something you can construct, nor is it something you can replicate through hiring or partnerships. It exists because these two people built the intellectual foundation for this problem before there was a commercial market for the solution.
The research pedigree, translated into product
Gray Swan didn't start by building a product. It started by publishing the research that defined how the AI security field measures itself. The benchmarks the team created for evaluating harmful outputs, measuring hazardous knowledge in LLMs, and automating jailbreak detection are now the standard infrastructure that frontier labs and governments use to determine whether a model is safe to deploy.
That research credibility is what kickstarted the commercial moat. Gray Swan's platform operates as a self-reinforcing system across three products: Arena, a community of red teamers generating millions of real adversarial attack trajectories; Shade, a custom LLM trained on Arena's data that automatically probes and adapts attacks against specific AI systems; and Cygnal, a runtime firewall that uses the same adversarial intelligence to block threats in production. The flywheel between Arena, Shade, and Cygnal is the moat, but the defensible asset is what that community has produced over time: millions of real attack trajectories accumulated across years of engagements with the most scrutinized AI deployments in the world. Algorithms generalize from known patterns; the human adversaries Gray Swan has cultivated find the ones no one anticipated.
Why now
Frontier labs have quietly established a new evidentiary bar for AI deployment. AI system cards, now standard practice, require explicit documentation of how models have been tested against adversarial misuse, and enterprise security and compliance teams are beginning to apply the same standard to every AI system in production, whether procured or built in-house. While other security vendors count Anthropic and OpenAI among their customers, Gray Swan is named in the documents those labs publish to demonstrate their models are safe. That is a different category of trust entirely.
That relationship with frontier labs is now becoming a wedge into the enterprise. As the cost of training and fine-tuning models has collapsed, enterprises are no longer just deploying AI; they are building it. Companies using and building AI systems, ranging from simply using coding assistants to running continuous pretrains, domain-specific fine-tunes, or proprietary agent stacks, face the same adversarial risks the labs do, with far less internal infrastructure to address them. The tooling Gray Swan built to harden GPT-5 and Claude before release is now what a bank or healthcare system needs before they ship a fine-tuned model or deploy an autonomous agent into production.
Wing has been investing in enterprise security infrastructure since long before it collided with AI, and we understand what it takes to build a security category: the long sales cycles, the need for deep technical credibility, the moment when an industry standard changes a tool from a "nice to have" into a required budget line item. We also understand AI infrastructure, and what it looks like when a research-led team has built something with a defensible data advantage that compounds over time.
Gray Swan has both. We're proud to partner with Matt, Zico, Chief Strategy Officer Rob Jenks, and Chief Product Officer Spencer Whitman as they build the security infrastructure that enterprise AI runs on.

