Doti
Last updated: Apr 27, 2026
Doti is an Israeli cybersecurity startup developing granular browser session control and policy enforcement technology for high-security enterprise and defense-adjacent organizations handling sensitive workflows in cloud-native environments.
Visit WebsiteCompany Overview
Doti develops browser-layer security controls designed to enforce policy and mitigate token, session, and data exfiltration risks in web-native enterprise environments. The core technology stack targets browser session compromise, which represents a critical attack surface in organizations that rely on cloud SaaS, identity platforms, and web-based collaboration tools. Rather than enforcing device-level lockdown (which is brittle in hybrid and remote work), Doti operates at the session and policy layer to control what browser-mediated actions are permitted, what data can be extracted, and how identity context flows across web applications.
The commercial problem is well-defined: enterprises increasingly handle sensitive data and mission-critical workflows in browser-mediated cloud applications (Slack, Google Workspace, Microsoft 365, Figma, GitHub, etc.), yet browser compromise (phishing, malware, insider threats, SIM swap into federated identity) bypasses traditional endpoint and network controls. Security teams face a choice between blocking cloud tool adoption entirely (operationally infeasible) or accepting residual browser-layer risk. Doti's positioning addresses this gap with session-aware policy enforcement, reducing breach surface without requiring wholesale replacement of modern application ecosystems.
The dual-use and strategic defense relevance is substantive. Defense contractors, intelligence agencies, and government-adjacent organizations increasingly operate on cloud platforms for operational speed and cost efficiency, but carry regulatory and security obligations that exceed commercial enterprise requirements. Browser security controls that can enforce segregation of duties, prevent token exfiltration, and log/audit session activity at fine granularity are directly applicable to defense supply chain security (Federal Acquisition Regulation requirements, CMMC, NIST SP 800-171 implementation), intelligence community secure access, and law-enforcement digital forensics workflows. The technology is not defense-specific, but the regulatory and operational context creates meaningful strategic value.
Competitively, the browser-security space is nascent but consolidating. Established firms like Cloudflare and Okta have added browser-isolation features; specialized browser-security vendors (Island, Surf Security) have raised capital and are scaling. Doti's differentiation rests on early-mover architecture optimized for session-level granularity and policy orchestration rather than general-purpose browser isolation. The company's Israeli origin provides access to both the talent pool and regional investment ecosystem (Israeli cyber has produced Island, Wiz, SentinelOne, among others), though competitive advantage depends on product-market traction and customer proof points rather than geography alone.
Market adoption signals remain to be demonstrated. Seed-stage startups in enterprise security face long sales cycles and require proof of enterprise deployment, regulatory alignment, and integration with existing SIEM/SOAR platforms. The company's ability to acquire and retain customers, particularly in defense-adjacent segments, will determine viability. Key diligence questions include current customer count and revenue stage, product roadmap alignment with CISO priorities, integration maturity with existing enterprise security tools, and clarity on whether the core thesis (session-level control plus policy) delivers meaningful risk reduction relative to browser isolation or endpoint detection-and-response alternatives.
Dual-Use Assessment
Browser-layer session and policy controls have strong dual-use applicability: commercial enterprises need protection against phishing and token theft in cloud workflows, while defense contractors and government agencies require granular session auditability, segregation of duties, and data control to meet CMMC, NIST, and intelligence-community compliance. Session-level controls are not inherently attack-oriented but enforce defensive policy, making the technology firmly dual-use rather than defense-primary. The commercial base (cloud SaaS enterprise) is substantially larger than defense segments, but strategic value accrues from the credible defense applicability and potential for government procurement.
Strategic Fit Assessment
Priority signal means this entry may be worth researching within the Claw & Talon thesis. It does not mean investable, suitable, endorsed, available, or likely to produce returns.
Doti operates at a high-leverage point in the enterprise security stack: browser-mediated compromise bypasses traditional endpoint and network defenses, yet organizations cannot practically eliminate cloud SaaS usage. The seed-stage timing allows early positioning in a consolidating market (browser-isolation vendors are raising large rounds; incumbent platforms are adding browser controls). Strategic fit is strong for dual-use thesis because the core technology (session-level policy and audit) is operationally essential for both commercial enterprises and defense-adjacent compliance requirements. Key investment contingencies are: (1) demonstration of enterprise customer traction beyond proof-of-concept, (2) credible product differentiation relative to browser isolation and endpoint detection, (3) clarification of go-to-market strategy (whether pursuing direct enterprise sales or channel partnerships), and (4) evidence that the team has prior experience shipping security products and scaling enterprise sales.
Strategic Value to U.S.-Israel Alliance
Session-level browser controls directly improve resilience of web-native operations in defense and high-security commercial contexts. Unlike device-level or network-level controls, session-layer enforcement can prevent token theft and data exfiltration without requiring employees to abandon modern collaboration tools or sacrifice productivity. Strategic value for the broader dual-use ecosystem: if successful, Doti provides a technology bridge that allows defense contractors and government agencies to operate on cloud platforms (cost, agility, talent access) while maintaining security posture compliant with CMMC, NIST SP 800-171, and other regulatory frameworks. This unblocks cloud adoption in segments that currently default to on-premises or air-gapped solutions.
Key Technologies
- Browser session policy enforcement
- Identity-context aware access controls
- Token and credential leak prevention
- Session-level data exfiltration mitigation
- Cloud SaaS application-aware policy orchestration
- Audit and compliance logging at session layer
Use Cases & Applications
- CMMC-compliant contractor access to cloud SaaS in defense supply chain
- Phishing and credential compromise mitigation for financial services and healthcare
- Token exfiltration prevention for high-security user groups (executives, R&D, ops)
- Segregation of duties and multi-user session audit for regulated environments
- Ransomware lateral-movement containment at the browser/web-application layer
- Compliance logging and session forensics for incident response and government audit
- Insider threat detection via session-level behavioral anomaly and data-access patterns
Sources and verification
This profile is based on public-source research, Claw & Talon curation, and editorial judgment. Inclusion does not imply endorsement, partnership, investment, or a recommendation to transact. Readers should still confirm current status, customers, funding, and product claims before relying on this profile.
Public sources
The links below are visible public references used for source discipline around company identity, status, funding, customer, acquisition, public-company, or other material claims where available.
- Doti Startup Nation Finder profile Verified public ecosystem profile used for Doti identity and source provenance.
- Official website Primary public reference for company identity, positioning, and current web presence.
- Profile update timestamp Last updated in the Claw & Talon database on Apr 27, 2026.
Investor Lens
What this entry is
Private startup
Why it may matter
Doti may matter as a Cybersecurity entry with not currently an investable standalone company for Israeli technology research.
How an independent investor should read this
Not currently an investable standalone company. Read this profile as a starting point for independent verification, not as a recommendation or suitability assessment.
Evidence to verify
- Verify current status
- Verify traction
- Verify cap table/funding
- Verify technical claims
- Verify regulatory/export-control issues
- Verify customer concentration
Main investor questions
- Is the company currently active, independently financeable, and raising or not raising on terms you can verify?
- What customer, revenue, product, and technical evidence supports the company story?
- What valuation, cap table, rights, and follow-on assumptions would govern any private exposure?
- Does the dual-use claim map to actual commercial and government/defense/resilience buyer evidence?
- What evidence would change the thesis or show that the profile is stale?
What not to infer
- Inclusion does not imply endorsement.
- Inclusion does not imply allocation availability or current fundraising.
- Scores do not indicate investment suitability or expected returns.
- Strategic importance does not automatically imply venture return potential.
Diligence questions
- What evidence verifies Doti's current customer traction, deployment status, and revenue concentration?
- Which technical claims are independently demonstrable today, and which remain roadmap or pilot-stage assertions?
- Where does the product create real defense, intelligence, critical-infrastructure, or emergency-response value beyond ordinary commercial adoption?
- How does the platform integrate into existing SOC, cloud, identity, or compliance workflows without adding operational burden?
- What would disconfirm the priority signal: weak customer references, thin technical differentiation, poor capital efficiency, or limited allied-market access?
Related sector
See the Cybersecurity sector page for market context, related subcategories, and other Israeli companies in this part of the database.
Related companies
Need a diligence readout?
Use the profile and related checklists as a starting point. If the decision needs more context, request a company screen, founder-call prep, diligence memo, or sector readout.