Harfang Lab (commercially branded Harfang Cyber) is a French cybersecurity company specializing in threat intelligence, endpoint detection and response (EDR), and advanced malware analysis for critical infrastructure, defense, and government clients. Operating within France’s sovereign digital security ecosystem, Harfang is an approved partner of ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), France’s cybersecurity agency, and has received Bpifrance funding under France 2030’s digital sovereignty pillar. With more than €20 million raised and a client base spanning French defense contractors, nuclear operators, and government agencies, Harfang represents France’s commitment to building sovereign cybersecurity capability that does not depend on US or Israeli technology for the nation’s most sensitive installations.
Company Overview
Harfang Lab was founded in Paris by former ANSSI researchers and defense cybersecurity specialists who identified a critical gap: France’s most sensitive operational technology (OT) environments — nuclear plants, defense factories, critical infrastructure — needed a threat detection and response capability developed entirely under French control, with no source code dependencies on foreign suppliers, no data transmission to non-French cloud infrastructure, and no regulatory conflicts with French intelligence law.
The company’s founding rationale is directly aligned with France 2030’s digital sovereignty objective. The plan explicitly identifies digital sovereignty as a strategic priority — not just for economic competitiveness, but for national security. A nuclear power plant’s industrial control systems, a defense manufacturer’s engineering network, or a government ministry’s communications infrastructure cannot use cybersecurity products whose source code, update servers, or telemetry destinations are subject to US CLOUD Act jurisdiction or foreign intelligence service access.
Harfang’s name references the snowy owl (harfang des neiges) — a symbol of vigilance in challenging environments. The metaphor is apt: the company’s products are designed for high-threat, operationally sensitive environments where conventional commercial security tools are inadequate or prohibited.
The company has approximately 80-100 employees, predominantly former military cyber operators, ANSSI analysts, and academic researchers from INRIA and Sorbonne computer science programs. This talent profile reflects France’s mature offensive and defensive cyber capability and the France 2030 objective of retaining elite cyber talent in French companies rather than losing it to US firms offering higher salaries.
France 2030 Funding & Digital Sovereignty Context
Harfang received Bpifrance funding under France 2030’s digital sovereignty component, which funds French companies developing cybersecurity products that can replace foreign tools in sensitive environments. The funding complements ANSSI’s qualification process: ANSSI’s technical evaluation provides market credibility (procurement teams can buy ANSSI-qualified products with confidence), while Bpifrance funding provides the capital to build the product to qualification standard.
The France 2030 cybersecurity investment thesis is grounded in a concrete strategic problem. France operates 56 nuclear reactors, hundreds of defense manufacturing facilities, a national rail network, water treatment infrastructure, and government communications systems — all of which use industrial control systems and OT networks that are targets of state-sponsored cyber operations. The 2020 SolarWinds attack, which compromised US government networks via a trusted software update mechanism, crystallized European governments’ concerns about supply chain cyber risk. France responded by accelerating investment in French-developed, ANSSI-qualified security tools.
The competitive geopolitical dynamic is equally significant. EU cybersecurity frameworks (NIS2 directive, EU Cybersecurity Act) increasingly require operators of essential services to demonstrate supply chain security — which in practice means assessing the national security implications of security tool vendors. French nuclear and defense operators face the strongest version of this requirement. Harfang’s positioning as a sovereign alternative to US (CrowdStrike, SentinelOne) and Israeli (Check Point, CyberArk) EDR vendors is directly enabled by France 2030 funding.
Technology & Innovation
Harfang’s product portfolio spans three interconnected capabilities designed for high-security OT and IT environments.
OpenEDR / HAL9TH: Harfang’s endpoint detection and response platform is built around an open-source telemetry agent (OpenEDR, which Harfang contributed to the community) with a proprietary detection engine. The architecture allows security teams to verify exactly what data is collected — critical for environments where data sovereignty is a hard requirement. The detection engine uses behavioral analytics, memory analysis, and knowledge graph-based threat hunting to identify advanced persistent threat (APT) activity characteristic of nation-state attackers.
Threat Intelligence Platform: Harfang’s threat intelligence capability includes both commercial threat feeds and internally developed intelligence on threat actor groups targeting French critical infrastructure. The company’s ANSSI partnerships provide access to national-level threat intelligence that commercial vendors cannot replicate, creating a competitive advantage for French government and defense clients.
OT Security: Industrial control system security requires fundamentally different approaches than IT security: legacy protocols (Modbus, DNP3, IEC 61850), air-gapped networks, decades-old hardware that cannot run conventional endpoint agents, and operational constraints that prohibit the active scanning or aggressive remediation actions standard in IT environments. Harfang has developed OT-specific passive monitoring and anomaly detection capabilities tuned for French critical infrastructure environments.
Malware Analysis: The company operates a French-sovereign malware analysis sandbox — a controlled environment for executing and analyzing malicious code without transmitting samples to foreign cloud infrastructure. This capability is essential for organizations that cannot upload potentially sensitive malware samples to VirusTotal, Cuckoo, or other services subject to foreign data access.
Competitive Landscape
In the global EDR and threat intelligence market, Harfang competes against US giants CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint. These companies dominate by market share, have vastly larger R&D budgets, and benefit from network effects (global threat telemetry) that French-only players cannot match in general commercial markets.
Harfang’s defensible competitive position is the sovereign security niche: French critical infrastructure, defense contractors under French government security requirements, and EU institutions where non-US supply chains are a procurement preference or requirement. In this segment, CrowdStrike’s US headquarters and data processing creates structural competitive disadvantages that Harfang directly exploits.
The closest French competitors are TEHTRIS (XDR platform, Bordeaux), Stormshield (Airbus subsidiary, network security), and Sekoia (threat intelligence). Each occupies a slightly different position in the French sovereign security stack; Harfang’s differentiation is its OT specialization and its malware analysis capability.
The ANSSI qualification framework is the key competitive moat. Fewer than 50 products hold ANSSI qualification at any given time; achieving and maintaining qualification requires sustained investment in product security and documentation. The qualification creates a formal procurement preference in French public sector and regulated industry that no foreign competitor can easily overcome.
Investor Perspective
Harfang is a strategic investment in French digital sovereignty rather than a pure-play commercial cybersecurity growth story. The addressable market within France is bounded — French critical infrastructure is large but finite. The upside comes from three vectors: expansion into EU markets where NIS2-driven sovereign security demand mirrors the French situation; potential acquisition by a French defense or aerospace group (Thales, Airbus Defence & Space) seeking to integrate sovereign EDR into their security services portfolio; and the possibility that France 2030-driven sovereign cybersecurity becomes an export product as other European nations face similar supply chain security pressures.
The France 2030 funding reduces dilution risk in the development phase. ANSSI qualification provides procurement credibility. The founding team’s government cyber backgrounds create both technical depth and sales access to the most restricted (and highest-value) procurement programs.
Related Companies
- TEHTRIS — French XDR cybersecurity platform, Bordeaux
- Stormshield — Airbus subsidiary, ANSSI-certified network security
- Wallix — French Privileged Access Management (PAM), Euronext-listed
- Atos — French IT services with cybersecurity division
- Thales — Defense electronics group with major cybersecurity services