Paragon

Paragon was founded in 2019 by Ehud Schneorson and Idan Nurick — though the name most consistently attached to the company's founding and strategic direction in press coverage from 2021 onward is Ehud Schneorson, a former senior officer in IDF intelligence cyber units, alongside co-founder Isaac Zack, who serves as chairman. The founding team assembled from veterans of IDF Unit 8200 and related classified technology programs, applying military-grade offensive cyber expertise toward a commercial product aimed squarely at democratic governments seeking lawful-intercept capabilities on mobile devices.

Paragon's registered and operational headquarters are in Herzliya, Israel, in the same cluster of technology parks that houses dozens of Israeli cybersecurity companies. The company maintains a North American operational presence, with personnel reported in the Washington, D.C. area, primarily focused on U.S. government relations and sales. No secondary Israeli R&D center has been publicly reported.

Paragon is a private company. In December 2024, AE Industrial Partners — a U.S. private-equity firm specializing in aerospace, defense, and government technology — completed a significant investment in Paragon that valued the company at approximately $900 million according to reporting by Reuters and the Financial Times in late 2024. Earlier funding rounds in 2021 and 2022 were not publicly sized, though the company confirmed external investment at that time.

Employee headcount has not been officially disclosed. Industry estimates from 2024, drawn from LinkedIn headcount data and Israeli press, suggest a workforce of between 200 and 350 people, with the substantial majority — primarily the R&D and exploit-research organization — based in Israel. Business development, government affairs, and sales personnel operate out of the United States. The company has remained tightly staffed by design, in line with its decision to serve a limited number of vetted government clients rather than scale broadly.

Paragon's core product is Graphite, a government-facing mobile surveillance platform that enables court-authorized or intelligence-mandate-authorized extraction of data from iOS and Android devices, including content from end-to-end encrypted messaging applications such as WhatsApp and Signal. The single most consequential event of the twelve months ending mid-2025 was the Citizen Lab report published in February 2025, which documented a Graphite-linked spyware campaign targeting at least 90 individuals — including journalists and civil society members in Germany, Italy, and other countries — and which prompted WhatsApp to issue legal proceedings against Paragon and the FBI to reportedly discontinue its use of Graphite.

Paragon is not a subsidiary. AE Industrial Partners holds a significant equity stake but Paragon operates independently, with its Israeli founders and management team retaining operational control.

Paragon's primary and only publicly known product line is Graphite, a zero-click mobile exploitation platform. "Zero-click" means the compromise of the target device requires no interaction whatsoever from the device's owner — no link to click, no file to open, no call to answer. According to the Citizen Lab analysis published in February 2025, Graphite achieves initial access by exploiting vulnerabilities in WhatsApp's processing of shared media or documents delivered to group chats, after which it installs a persistent agent that provides full device access.

The domain-specific problem Graphite solves is the "going dark" problem that has plagued law-enforcement and intelligence agencies since the mass adoption of strong end-to-end encryption. Apps such as Signal, WhatsApp, and iMessage use E2EE protocols that make network-layer interception by a third party cryptographically infeasible under current technology. Graphite bypasses this by compromising the device itself at the OS level, allowing data to be extracted before it is encrypted on departure or after it is decrypted on arrival.

Paragon's customers are exclusively government entities: domestic intelligence services, federal law-enforcement agencies, and defense ministries. Verified customers include the U.S. Federal Bureau of Investigation, which signed a contract with Paragon reported by the New York Times in January 2024 and valued at approximately $2 million, and agencies of the Italian government, whose use was disclosed through the Citizen Lab report and subsequently raised in questions before the Italian Parliament in March 2025. The FBI confirmed in early 2025 that it had discontinued use of the tool following the Citizen Lab disclosure.

Paragon's sales model is entirely direct, government-facing, and sales-led. There is no self-serve procurement channel, no app marketplace listing, and no channel reseller network. Contracts are won through government procurement processes, often classified tender procedures, and are governed by terms-of-service agreements that Paragon has publicized as prohibiting use against journalists, politicians, and human-rights activists. This contractual restriction is a deliberate commercial and reputational differentiator from NSO Group.

Pricing is not publicly disclosed. The $2 million figure reported in connection with the FBI contract is the only pricing data point that has entered the public record as of mid-2025. Analyst estimates for similar government-surveillance tool contracts from competing vendors suggest annual licensing arrangements in the range of $1 million to $5 million per client agency, with additional fees for training and operational support.

Paragon's technical moat rests on two pillars: a deep pool of zero-day vulnerability research talent capable of finding and weaponizing previously unknown flaws in Apple's iOS kernel, WebKit, and iMessage stack, and in Android's equivalent components; and a reputation for operational security and client discretion that has, until February 2025, kept the company largely out of public reporting. The combination of elite talent — almost exclusively drawn from IDF cyber units — and a disciplined client-selection policy constitutes a barrier to entry that is human-capital-intensive rather than capital-expenditure-intensive.

Paragon's engineering organization works day-to-day on kernel-level vulnerability research for iOS and Android, binary analysis using tools such as IDA Pro and Ghidra, development of memory-corruption exploits in C and C++, construction and maintenance of covert command-and-control (C2) infrastructure, and continuous adaptation to Apple and Google security patches. Apple's introduction of Lockdown Mode in iOS 16 (2022) and Google's ongoing hardening of the Android kernel represent persistent engineering headwinds that require continuous re-exploitation of new attack surfaces.

Graphite is the sole named product that has been confirmed in public reporting. According to Citizen Lab's February 2025 technical analysis, Graphite is delivered via a zero-click vector exploiting WhatsApp's handling of PDF files shared within group conversations. Once the initial exploit succeeds, Graphite installs a persistent implant that operates at privilege levels sufficient to access the device's keychain, file system, camera, microphone, GPS data, and the plaintext content of encrypted messaging applications. The implant communicates with a remote C2 infrastructure operated by Paragon or its licensed government client.

Graphite is Paragon's flagship and, as far as public information reveals, its only product. Unlike NSO Group, which by 2021 had a portfolio encompassing Pegasus for mobile devices and the Landmark cell-tower location product for telecom-level surveillance, Paragon has publicly concentrated its product investments on a single deep capability rather than a breadth play. This single-product focus reflects the company's stated philosophy of doing one thing with exceptional precision rather than building a surveillance conglomerate.

The most recent public documentation of Graphite's capabilities is the Citizen Lab report from February 2025, which constitutes the de facto public product specification, though Paragon has neither confirmed nor denied the technical details within it. Prior to that, the Israeli technology press and a 2021 article in Haaretz represented the earliest public documentation of the company and its product direction. No formal product launch event, press release, or changelog has been made public by Paragon at any point in its history.

No Paragon products have been sunset. The company's short operating history since 2019 and its narrow product focus make a deprecation history implausible at this stage.

Graphite is not listed on AWS Marketplace, Azure Marketplace, Salesforce AppExchange, Snowflake Native App Catalog, or any commercial SaaS distribution channel. The product is delivered and operated under bespoke government contracts, and its deployment architecture is not publicly described beyond what Citizen Lab's forensic analysis has revealed.

Paragon has not published SOC 2, FedRAMP, or ISO 27001 certifications. FedRAMP authorization would theoretically be relevant for U.S. government use, but no public record of such certification exists. The company's security posture is enforced through contractual controls and operational discretion rather than third-party compliance frameworks.

The most direct competitor to Paragon is NSO Group, founded in Herzliya in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio, and developer of the Pegasus spyware platform. NSO was placed on the U.S. Department of Commerce Entity List in November 2021 following evidence of widespread misuse of Pegasus against journalists, human-rights defenders, and heads of state. That designation effectively locked NSO out of U.S. government procurement and severely damaged its relationships with European allies. Paragon was positioned — whether by design or fortune — to absorb the demand that NSO could no longer satisfy among Western government buyers.

The second direct competitor is Intellexa Alliance, a consortium assembled by former Israeli military officer Tal Dilian and operating through corporate vehicles in Ireland, Cyprus, and Greece, which markets the Predator spyware. Intellexa and five affiliated entities were added to the U.S. Entity List in February 2024, and the U.S. Treasury Department sanctioned Dilian personally in March 2024. Predator was documented by Citizen Lab and Meta as having been used against a U.S. Congressman and journalists in multiple countries. Intellexa's regulatory isolation mirrors NSO's, and Paragon again benefits from this competitive elimination.

A third Israeli competitor, Candiru (also known as Saito Tech), was added to the U.S. Entity List in November 2021 alongside NSO. Candiru focuses on Windows and macOS endpoint surveillance, differentiating from Paragon's mobile-first approach. Candiru's placement on the Entity List further narrowed the field of compliant vendors available to U.S. and allied government buyers.

No Gartner Magic Quadrant or Forrester Wave covers the commercial government spyware category; the sector is too sensitive and too dominated by classified procurement for commercial analyst firms to publish comparative rankings. Paragon does not appear in any publicly available analyst positioning document.

Paragon's pricing positioning is premium by definition — it sells exclusively to nation-state buyers on multi-million-dollar annual contracts, without any free-tier or SMB segment. The market is one of the most price-inelastic that exists: governments pay for capability, not cost-efficiency.

The most significant publicly reported customer win was the FBI contract disclosed in the New York Times in January 2024. The most significant publicly reported customer loss was the FBI's reported discontinuation of Graphite use in early 2025 following the Citizen Lab report. The Italian government's use, disclosed in February 2025, triggered parliamentary questions in Rome but has not been formally confirmed as terminated as of mid-2025.

Paragon's competitive trajectory had been strongly positive through 2023 and into 2024 as Entity List designations removed its primary competitors from Western markets. The February 2025 Citizen Lab report represents the first serious public-relations and potential regulatory setback: WhatsApp filed a lawsuit against Paragon in February 2025 in the Northern District of California, and European civil-society organizations called for EU-level investigation of the company's Italian client relationships. Whether this trajectory reversal is durable or temporary depends on the outcome of the WhatsApp litigation and any EU regulatory response.

Paragon has not made any acquisitions. The company is not known to have divested any unit.

Paragon occupies offices in Herzliya, in the Tel Aviv metropolitan technology corridor that also houses NSO Group, CyberArk (whose Israeli headquarters is in Petah Tikva), and dozens of other security firms. Herzliya's Park HaMada and surrounding office parks have become the default address for Israeli offensive-cyber and intelligence-technology companies, providing proximity to a dense talent pool of IDF cybersecurity veterans.

The Israel headcount represents the majority of Paragon's total workforce. Core R&D, exploit research, platform engineering, and technical operations are all headquartered in Israel. Based on LinkedIn-derived estimates from 2024, approximately 150 to 250 of the company's estimated 200–350 total employees are Israel-based. U.S.-based headcount — focused on government relations, business development, and legal affairs — is estimated in the dozens.

No expansion, downsizing, or office relocation in Israel has been reported in the 24-month window ending mid-2025. The AE Industrial Partners investment, completed in December 2024, is not known to have triggered any headcount restructuring. Paragon has not announced a second Israeli R&D site or any opening in Beer Sheva, Jerusalem, or Haifa — cities that host other defense-tech expansions.

The founders of Paragon are Israeli. Ehud Schneorson served in senior roles within IDF intelligence and cyber units before co-founding the company. Isaac Zack, who serves as chairman, has a background in Israeli venture and defense-technology circles. The technical leadership of the company, while not publicly named in detail, is understood to be composed almost entirely of IDF veterans with backgrounds in Unit 8200, Unit 81, and Mamram — the IDF's computing and information systems unit. This founding DNA is not coincidental: the specific skill set required to develop zero-click mobile exploits is almost uniquely concentrated among graduates of these units.

Paragon's Israel-based hiring in the 2022–2025 period has concentrated on vulnerability researchers specializing in iOS and Android, reverse-engineering specialists, low-level C and C++ developers working at the kernel and hypervisor layer, and infrastructure engineers maintaining covert C2 network infrastructure. Product management roles of a traditional commercial nature are not prominent in Paragon's Israel hiring profile; the company recruits engineers and researchers, not UX designers or growth marketers.

The primary investor with publicly confirmed involvement is AE Industrial Partners, a U.S.-based private equity firm, not an Israeli venture fund. No participation by Israeli institutional investors — such as Viola Ventures, Pitango, JVP, Sequoia Israel, or 83North — has been reported in connection with any Paragon funding round. Strategic partnerships with Israeli defense primes such as Elbit Systems or Rafael have not been disclosed.

Paragon's organizational culture, as reconstructed from rare public statements, former employee profiles, and Israeli press coverage, is characterized by extreme operational confidentiality, small and autonomous engineering teams, an ethos directly descended from elite military intelligence culture, and a deliberate low public profile. The company has given fewer than five on-the-record media interviews since its founding in 2019. Its recruitment approach relies heavily on the informal network of Unit 8200 and Unit 81 alumni — a pipeline that is self-reinforcing, deeply trusted, and nearly invisible to candidates who did not serve in those units. The challenge for Paragon following the February 2025 Citizen Lab exposure is whether that low-profile strategy remains viable in a climate of increasing legal and regulatory scrutiny of commercial spyware vendors.