This Startup Secretly Detects Fraud For Fortune 500s

Why does it matter? Because the most powerful fraud defense in the world is one you've never heard of.

A 12-person startup — with only 5 engineers — is quietly making fraud decisions for Fortune 500s at petabyte scale. Their customers can't name them. That's by design. What this episode reveals is how the architecture of modern fraud defense has been completely rebuilt around AI agents, why secrecy is a strategic asset rather than a PR gap, and what a near-death founder experience exposed about the kind of conviction that actually keeps companies alive.

• Transparency is a vulnerability in fraud detection — advertising your methods trains your adversaries
• AI agents can now uncover state-sponsored fraud rings that no human analyst or classifier ever could, because they reason across entire entity graphs
• Petabytes of enterprise data scattered across legacy UIs is a harder technical problem than the AI reasoning itself
• Five engineers operating like 25 is no longer a hypothetical — it's Variance's production reality

Variance stays in the shadows on purpose — and their customers prefer it that way

"We're in the shadows. I think it's good." That's co-founder Karine's summary of a deliberate, multi-year positioning decision that runs completely counter to how most startups operate.

Variance has been building for three years without marketing its capabilities, and many of its largest Fortune 500 customers can't be named publicly. The logic is airtight: Variance is "building the systems that are often used by the bad guys, but building them for the good guys." If you publicize exactly how a fraud ring gets detected, you're handing the fraud ring a manual.

This creates a strange business dynamic where success is measured in silence. GoFundMe uses Variance to validate every fundraiser — including the wave of fake "Charlie Kirk family" campaigns that spiked after his death. A Fortune 50 uses it to verify sellers and untangle complex beneficial ownership structures across shell company graphs. None of these customers want their fraud defense strategy written up in a press release.

Karine is explicit that this won't change post-Series A: "Even far beyond the Series A, we'll always be a company that's a little bit more in the shadows." The secrecy isn't a growth-stage limitation — it's a permanent feature of the product category. Security infrastructure that advertises its own mechanisms creates asymmetric risk. Obscurity, here, is the moat.

AI agents detected state-sponsored fraud rings that rule engines and classifiers were structurally blind to

During the 2024 elections, a Fortune 500 content platform processing massive volumes of politically exposed content faced a fraud problem no traditional system could crack. Variance's agents cracked it.

The reason classical approaches fail at this isn't performance — it's architecture. A classifier evaluating one piece of content after another has no way to see that ten accounts, across different sessions, from different apparent origins, are coordinating to push a single narrative. The graph is invisible to it.

Variance's agents work differently: they query data stores directly, materialize features on the fly, and — critically — use each reasoning step to decide what the next query should be. That recursive, graph-aware reasoning is what exposed "really complex fraud rings of especially state-sponsored actors that were pushing one narrative." Karine is direct: "I don't think this would have been possible if you had one classifier in isolation."

The implications go beyond election integrity. Variance has flagged coordinated threats of physical violence at scale — cases that ultimately went to law enforcement. The system isn't just faster than human analysts; it's detecting threat categories that human analysts working sequentially through a content queue could never assemble into a coherent pattern. The adversaries already operate at the graph level. The defense now does too.

The real engineering bottleneck wasn't the AI — it was dragging data out of decade-old human-facing UIs

Petabytes of unstructured data. Five to ten internal systems per customer. No consistent schema. And sometimes, the only way to access the data is to spin up a browser and scrape an interface built for a human analyst in 2011.

That's the actual infrastructure problem Variance had to solve before any agent-level reasoning could happen. Karine puts it plainly: "The data problem was really the core hardest technical challenge." For a GoFundMe fundraiser review, agents need the user's identity data, login history, device fingerprints, PII from onboarding, the fundraiser's content and history, and behavioral signals — all living in different datastores, none of it structured the same way.

The most surprising piece: web access was one of the last capabilities Variance finished building, because it turned out to be load-bearing. Human fraud analysts spend a significant portion of their time Googling names and applying judgment to what surfaces. Without that capability, an agent tracing a complex abuse graph hits a dead end the moment a key signal lives on an unstructured web page rather than inside an enterprise database.

Variance now supports three integration paths: reverse ETL, API, and direct browser-based UI scraping. The third one — the most technically unglamorous — is what unlocked full automation for customers whose internal tooling was never designed to be programmatically accessible. Infrastructure, not model quality, was the actual bottleneck.

The entire compliance automation architecture reduces to three things: documents, tools, and data

Strip away the complexity and Variance's system is surprisingly lean. "There's really only three building blocks that you need," Karine explains. Compliance documents — the standard operating procedures that define what must be verified. Tools — the agent capabilities to query, scrape, and reason. Data — internal customer systems plus over 100 external business registries and the open web.

That's it. Feed an agent a company's KYC policy, give it the right tool access, point it at the relevant data, and it can conduct the same investigation a human compliance analyst would spend 45 minutes on — consistently, at scale, across wildly different industries.

The elegance of this architecture is what makes Variance horizontally extensible without rebuilding core infrastructure for every new vertical. Content moderation, identity verification, KYB, gig economy driver onboarding — each one uses the same three-component pattern with different policy documents and different data sources plugged in. The temptation in compliance automation is to over-engineer proprietary models for each domain. Variance's bet is the opposite: the AI reasoning is general-purpose; the policy document is what makes it industry-specific.

A broken spine, a hospital bed, and a Norman Foster book — and neither founder thought it was over

In July 2024, Variance's revenue was doubling month over month. The day after TrustCon, their CEO got hit by a truck.

Karine broke her spine, broke her leg, and spent 10 days hospitalized. The entire sales function was her. Every customer relationship ran through her. Michael visited the hospital, sat in silence holding a Norman Foster architecture book, and — eventually — laughed: "This is going to make a really good scene in our IPO movie."

Michael told her the Steve Wozniak story. The one where Wozniak survives a plane crash, leaves Apple, and never comes back at full force. The implication was real: maybe this was the end.

But for both of them, it didn't feel that way. Karine attributes this directly to how they chose the problem in the first place. They didn't start Variance to find a company-sized problem to solve — they started it because they had rare, paired skill sets in fraud engineering and felt "a strong sense of duty to put those skill sets to the good of the industry." That framing — duty over opportunity — is what made the obstacle feel like a hurdle rather than a terminal event. Founders optimizing for problem-market fit can pivot when things collapse. Founders who feel called to a specific problem don't have a pivot to make.

Automating 99% of cases was the easy part — building the dashboard for the remaining 1% nearly broke the product

Variance's first instinct was to be a pure decisioning layer — a black-box API that spits out fraud verdicts. They were wrong.

AI agents handle 99% of cases automatically. The remaining 1% are the most complex, ambiguous, high-stakes decisions in the queue — exactly the ones that require a human investigator with excellent tooling to make a defensible call. Without a world-class dashboard for that 1%, enterprise buyers don't trust the system, and the whole product breaks down at the exact moment it matters most.

This is why Variance is now hiring front-end engineers — something Karine admits she and Michael underestimated. The investigative visual interface isn't a nice-to-have; it's the product's credibility layer for every case that falls outside the automation envelope. B2B automation startups that treat the human escalation experience as an afterthought will get killed by it in enterprise evaluations.

Five engineers. Petabytes of data. Fortune 500 customers. Coding agents made this math work.

Variance has five software engineers. They process petabytes of data. They serve some of the largest companies in the world. This is not a future state — it's current production reality.

"In terms of AI output, we're probably closer to a 25-people team," Karine says. Every engineer runs coding agents across three monitors simultaneously. Everyone functions as a manager of a small AI team rather than an individual contributor. Two former founders are on the engineering staff. The team owns entire domains independently — one engineer understands LLM evals better than most people in the industry.

The ratio matters: 5 engineers doing the output of 25 means the labor economics of software startups have genuinely shifted, not just in theory but in the hardest-to-serve enterprise segment imaginable. The right hiring question is no longer how many engineers a problem requires — it's how many managers of AI agents.

Where this is all heading: fraud defense is becoming an invisible infrastructure layer, and that invisibility is the point

Variance coming out of stealth after three years isn't really a marketing moment — it's a proof point that critical infrastructure can be built entirely in the dark and still reach Fortune 500 scale. The next generation of security and compliance infrastructure may never be marketed at all. The companies that need it will find it through networks, not demos. The adversaries won't know it exists until it's already caught them.

The cat-and-mouse game doesn't end. It just gets faster, more automated, and more invisible on both sides. Variance is betting that the side that stays quieter wins.

---

Topics: fraud detection, AI agents, compliance automation, fintech, trust and safety, enterprise SaaS, founder story, YC, KYC/KYB, agentic AI