At 23, after earning $800,000 by identifying vulnerabilities at Google, Amazon, and Netflix, Roni Carta raises €5.4 million from 20VC and Seedcamp.

Cybersecurity is still protecting systems that attackers have already learned to bypass. This gap is something Roni Carta observed firsthand. Before founding Lupin & Holmes, he built his reputation as a bug bounty hunter, identifying vulnerabilities for major companies.

At just 23, he claims nearly $800,000 in cumulative rewards, notably from Google, Amazon, and Netflix, and was twice recognized as a “Most Valuable Hacker” at Google hacking events.

Attacks no longer follow the paths that security tools are designed to monitor.

In most organizations, security is still structured around entry points (applications, networks, identities) an approach that assumes intrusions occur through identifiable interfaces.

However, exploitable vulnerabilities are often located upstream, whether in open-source dependencies, build pipelines, or interconnected configurations. These less visible technical layers are rarely treated as priority attack surfaces.

This makes part of the traditional security stack only partially effective: while tools can detect vulnerabilities, they struggle to reconstruct real intrusion paths.

Reconstructing attack paths rather than listing vulnerabilities

This is precisely where Lupin & Holmes positions itself. The startup has developed Depi, a platform designed to map attack paths within a software system. Its objective is not to identify an isolated flaw, but to understand how multiple vulnerabilities can be combined to create an exploitable access point.

This shift in perspective is structural. In complex environments, not all vulnerabilities carry the same level of risk, their criticality depends on their position within the architecture and their interactions with other components.

An approach rooted in hacking culture

While part of the market remains focused on compliance or auditing, Lupin & Holmes is grounded in a hacking culture from which it directly originates. This is not a marketing narrative but a core element of its DNA, leading the company to approach security from an exploitation logic rather than from control frameworks.

A €5.4 million pre-seed round backed by investors operating outside traditional frameworks

Lupin & Holmes announces a €5.4 million pre-seed round led by 20VC (Alexandre Dewez) and Seedcamp (Carlos Eduardo Espinal), with participation from Kima Ventures, Purple Ventures, and several business angels. The round aligns with the company’s positioning, where attention is placed on the founder’s distinctive profile and operational track record, as well as early traction with multiple Fortune 500 companies and clients such as Ledger.

Founded in 2023, Lupin & Holmes plans to hire around ten employees and increase its investment in research and development to further strengthen its platform.