Why we invested in Infrawatch

We’re excited to announce our co-lead investment in the $3m pre-seed round of Infrawatch, an internet infrastructure intelligence platform, alongside our friends at TriplePoint Ventures.

At Outward, we are drawn to founders who have spent years immersed in a problem, building deep expertise long before deciding to build a company. Lloyd Davies, Infrawatch’s founder, is the embodiment of this. What began as a passion project over a decade in the making has become a piece of technology that the world’s largest enterprises, governments and security teams are now actively seeking out, and we are thrilled to be backing him at this exciting inflection point.

Cybercrime is one of the largest and fastest-growing cost lines in the global economy, with annual impact estimated in the trillions of dollars against an enterprise security spend of $200–300bn per year. Despite that investment, the gap between attackers and defenders is widening, and two structural forces are driving the acceleration.

The first is the proliferation of anonymised internet infrastructure. Residential proxy networks – services that route traffic through legitimate consumer broadband connections to mask its origin – have become a mainstream commodity, with adoption in the UK alone surging 428% in 2024 according to Digital Element. While they have legitimate applications, threat analysis from hCaptcha indicates that anywhere from 30% to 95% of traffic on major residential proxy networks is associated with grey or illegal activity, from account takeovers and credential stuffing to ad fraud.

The second is the collapse in the cost and skill barrier to running sophisticated attacks, driven by generative AI. Phishing-as-a-Service platforms now produce near-perfect replicas of any brand for a few hundred dollars a month, and agentic tooling can mimic human behaviour convincingly enough to bypass many telemetry-based fraud defences.

The combination of both means adversaries can easily, cheaply and programmatically spin up new attack infrastructure in minutes; whilst defenders still take months to discover a breach.

A range of threat intelligence tools have emerged to address this by providing the data and signals required to take cyber defense from reactive to proactive. Ove the course of our diligence, it became clear the market remains poorly served. Existing solutions tend to be noisy, slow and reliant on repackaged third-party feeds, leaving analysts to triage low-context alerts and stitch together multiple point solutions. The result is a category that has grown into a multi-billion dollar segment without delivering on its promise of helping prevent malicious activity before it occurs.

Infrawatch is rebuilding the foundations of internet infrastructure intelligence from the ground up. Its platform processes tens of billions of events per day, including the entire public IPv4 and selected IPv6 address space, alongside domains, certificates and other proprietary signals, building a live, primary-source map of the infrastructure behind cyberattacks, fraud and online abuse.

For each piece of infrastructure it observes, Infrawatch generates a unique digital fingerprint, known as a “signature”, capturing how the asset behaves and what it is likely being used for. This allows the platform to attribute and connect infrastructure across the internet: identifying not just that an IP belongs to a VPN for instance, but which VPN, who operates it, and whether it is associated with malicious activity. Customers receive attributed, contextual signals in real time – via platform, API or firehose data feed – allowing them to block threats inline or route them into existing investigation workflows.

The differentiation is sharp on four fronts: signals surfaced in real time rather than days or weeks later; contextual reasoning and connected assets behind it, reducing analyst triage time; high-fidelity, primary-source data rather than repackaged third-party feeds; and the ability for clients to author their own signatures to detect organisation-specific threats.

Applications for the technology are broad and only increasing in the AI age. Beyond fraud prevention, account takeover and pre-emptive threat blocking, an interesting new use case has emerged at the intersection of AI and cybersecurity: protecting frontier model providers from distillation attacks, where competitors create thousands of fake accounts, almost always routed through residential proxy networks, to train cheaper models on the outputs of more sophisticated ones. In one case uncovered by Anthropic, a single proxy network was found to be operating more than 20,000 fraudulent accounts simultaneously, mixing attack traffic with unrelated requests to evade detection. At the heart of nearly every one of these attack vectors is adversary-controlled infrastructure that defenders cannot see clearly.

When we first met founder Lloyd Davies, what stood out immediately was a level of domain obsession that cannot be faked and demonstrably pre-dated any notion of a company. Immersed in cyber threat intelligence since the age of 15, Lloyd holds a degree in Computer Security and Forensics, and spent the majority of his career to date at PwC and CrowdStrike specialising in threat intelligence and counter adversary operations. Infrawatch’s core IP is the combination of years of independent research, bootstrapping to a production-grade system before deciding to take it full-time.

His research, published periodically using findings from the Infrawatch platform, is widely read and frequently cited across the cyber threat intelligence community. In August 2025, KrebsOnSecurity published a detailed investigation into DSLRoot, one of the oldest residential proxy networks, leaning heavily on Lloyd’s reverse-engineering of its installer software. More recently, a widely covered investigation into SIM-Farm-As-A-Service offerings revealed a single provider operating 87 physical SIM farms across 17 countries, enabling industrial-scale fraud and abusive automation.

This is the kind of credibility that cannot be bought or accelerated, and it has translated directly into commercial pull. Without a single piece of outbound sales activity, Lloyd has built an inbound pipeline of several hundred organisations spanning big tech, finance, MSSPs, defence and national security – an extraordinary signal of both the urgency of the problem and the differentiation of the solution.

From a character perspective, Lloyd exhibits an attribute that we gravitate toward strongly, particularly given how rare it is becoming. That is a complete disinterest in the vanity, public profile and signalling that is unfortunately becoming commonplace in the world of VC-backed entrepreneurship. This is his life’s work, and whether funded or not, is where he will continue to dedicate all of his time and energy. He has attracted an exceptional founding team around him across engineering, research and GTM, drawn largely from his deep network within the threat intelligence community, all of whom share this same energy.

Most companies are built by founders looking for a problem worth solving. The rare ones are built by people who spent years inside a problem and eventually realised the solution had to be a company. At Outward, these are the founders we gravitate toward strongly, because the depth of understanding they bring is almost impossible to replicate, regardless of how much capital sits behind a competing effort. Infrawatch is unmistakably this kind of company, and we are proud to be backing Lloyd and team on their mission to build the future of internet infrastructure intelligence.