RevEng.AI has raised a $15 million Series A led by the NATO Innovation Fund, with In-Q-Tel, Sands Capital, IQ Capital and Episode One joining — a defense-heavy syndicate backing a thesis that the software supply chain now has to be verified at the binary level because nobody can keep up with reading the source.
The UK-based company (legal name Binary AI Ltd., founded 2023) sells binary-native security analysis: its proprietary model, BinNet, ingests compiled artifacts — executables, firmware, closed-source and third-party binaries — and flags vulnerabilities, backdoors and unexpected components without ever touching source code. The pitch is that it automates work historically gated behind scarce, expensive reverse-engineering talent.
Why a binary-first bet, now
Founder and CEO James Patrick-Evans frames the timing bluntly: "In a world where AI increasingly writes the code, the only universal source of truth is the executable binary files that actually run on machines." That is the load-bearing claim. Coding agents are now generating, modifying and deploying software faster than any human review process can audit, and a growing share of what enterprises ship is assembled from dependencies and vendor artifacts they never inspect. Source review — already incomplete — doesn't scale to agent-speed output. The compiled binary is the one artifact that reliably reflects what executes in production.
BinNet was trained alongside cybersecurity units from allied governments and commercial security firms, which is both a capability signal and a go-to-market one: the model has seen real adversarial binaries, not just open-source corpora.
The investor signal
The cap table is the story as much as the money. NATO Innovation Fund leading, with In-Q-Tel — the strategic investor tied to the U.S. intelligence community — riding along, marks software supply-chain integrity as a stated national-security priority, not a niche AppSec line item. NATO Innovation Fund's David Ordonez said RevEng.AI "gives organizations the ability to understand what is actually inside the software they rely on, even when that software is closed-source or delivered by third parties," calling it a "critical gap" in supply-chain security.
What changes for security teams
For practitioners, the actionable shift is where verification sits in the pipeline. Static analysis and software composition analysis (SCA) operate on source and manifests; BinNet operates on the artifact that actually deploys, so it can catch tampering, implants or drift introduced after the source looked clean — including by an agent. RevEng.AI positions it as something teams can wire into existing workflows to check newly written code before release.
The broader read: as AI agents become primary code authors, trust is migrating from "we reviewed the diff" to "we verified the binary." $15M is a small round by 2026 standards, but the buyers it targets — defense, critical infrastructure, regulated enterprises — are exactly the ones who will mandate that shift first.