Wiki · Organization · Last reviewed June 23, 2026

Anysphere (Cursor)

Anysphere is the San Francisco AI company behind Cursor, an AI-native code editor and coding-agent platform built around repository understanding, natural-language edits, code completion, terminal use, Cloud Agents, pull-request review, automations, and increasingly long-horizon software tasks.

Snapshot

Definition

Anysphere is the company; Cursor is the product surface through which most people encounter it. Cursor should not be understood only as an editor, a chatbot, or a model wrapper. It is a software-work operating layer that combines an editor, codebase index, model router, agent harness, terminal and browser tools, cloud execution, pull-request review, automations, SDK access, and administrative controls.

The unit Cursor governs is the delegated software change. A user or system gives an instruction; the product collects repository context; a model chooses tools; the agent edits files, runs commands, and may open or comment on a pull request; humans and policy gates decide whether that work becomes part of the codebase.

This makes Cursor an important case study in AI governance because the risk is not limited to inaccurate generated code. The system can touch live development environments, credentials, external services, branch rules, review workflows, analytics, and organizational memory.

Current Context

As of June 23, 2026, Anysphere is best read less as a single AI editor vendor and more as a provider of an AI-mediated software workbench. Cursor's official materials now place the desktop editor beside local Agent, Cloud Agents, self-hosted cloud agents, Bugbot, CLI, SDK, automations, Design Mode, enterprise organizations, development-environment governance, MCP support, plugins, skills, hooks, and Auto-review.

The strongest current pattern is infrastructure consolidation. Cursor's March 2026 self-hosted cloud-agents announcement says customers can run agent workers in their own infrastructure while Cursor handles orchestration, model access, and user experience. Its May 2026 development-environments post adds multi-repo environments, Dockerfile-based setup, scoped build secrets, environment version history, audit logs, per-environment egress allowlists, and per-environment secrets. Those controls make the platform more enterprise-ready, but they also confirm that coding agents now occupy the same governance zone as CI, identity, secrets, package managers, and source-control automation.

The latest product surface is more configurable and more agentic. Cursor's June 17, 2026 changelog moved cloud-environment setup and cloud subagents into the Agents Window; its June 18 release added an /automate skill, more GitHub and Slack triggers, and computer use for automations; its June 22 release put plugins, skills, MCPs, subagents, rules, commands, hooks, and team marketplaces into a shared Customize page. Those are useful capabilities, but they also make configuration, marketplace provenance, and event triggers part of the security boundary.

Cursor's June 3, 2026 enterprise-organizations announcement also made governance more explicit. Organizations let admins manage multiple teams, groups, budgets, model access, sandbox teams, usage analytics, identity-provider setup, SCIM directory sync, and agent permissions from a higher-level container. The important operational detail is that users can sit in multiple teams or groups and the most permissive setting wins, so group design becomes a real access-control decision.

Public claims about funding, annual recurring revenue, Fortune 500 adoption, product performance, or market position should be treated as date-bound and source-specific. This entry uses company announcements for product and financing claims where available and labels secondary reporting where the company itself is not the source.

Product Model

Cursor's original significance was that it placed AI assistance inside the code editor rather than treating coding as a side task in a general chatbot. The editor can read project files, search the codebase, propose multi-file changes, apply diffs, use terminal output, and preserve enough context for a model to operate on real software rather than isolated snippets.

The product then evolved from autocomplete and chat toward a family of coding agents. Cursor's current documentation describes Agent as a system built from instructions, tools, and a selected model. Its tool set includes codebase search, file reading, file editing, terminal execution, web search, browser control, checkpoints, queued messages, and model-specific orchestration.

Cloud Agents move the same pattern into dedicated virtual machines with cloned repositories, installed dependencies, secrets, startup commands, network access, multi-repository environments, artifacts, and optional remote desktop control. Self-hosted cloud agents move execution into customer-controlled infrastructure while Cursor continues to provide orchestration, model access, and the user experience. Automations make cloud agents event-driven or scheduled, with triggers from GitHub, GitLab, Slack, webhooks, Linear, Sentry, PagerDuty, and cron-style schedules. The Cursor SDK exposes the same runtime, harness, and models for programmatic agents running locally, on Cursor cloud infrastructure, or on self-hosted workers.

Cursor is also becoming a customization platform. The product now exposes plugins, skills, MCP servers, subagents, rules, commands, hooks, team marketplaces, and visual Design Mode context as first-class ways to steer agents. That moves part of software-engineering authority into configuration artifacts: a rule, hook, plugin, MCP server, automation memory file, or .cursor/environment.json snapshot can shape future agent behavior as much as a prompt can.

This design makes Cursor a control surface for delegated engineering. The user no longer only types code with suggestions. The user assigns work, reviews plans and patches, decides which commands can run, chooses which agents may act in the background, and judges whether the produced change fits the repository's architecture and product intent.

Funding and Growth

TechCrunch reported in 2023 that Anysphere had raised $8 million from the OpenAI Startup Fund, bringing total funding to $11 million, and described the seed round as supporting an "AI-native" software-development environment called Cursor.

In January 2025, Cursor announced a $105 million Series B from Thrive Capital, Andreessen Horowitz, Benchmark, and existing investors. The company described itself as an applied research lab working on automating coding and said Cursor was already used by millions of programmers.

In June 2025, Cursor announced $900 million in new funding at a $9.9 billion valuation from Thrive, Accel, Andreessen Horowitz, and DST. The company also said Cursor had passed $500 million in annual recurring revenue and was used by more than half of the Fortune 500, naming NVIDIA, Uber, and Adobe as examples.

The speed of this growth made Anysphere a central example of the AI coding boom. It also exposed a strategic puzzle: an editor company can grow extremely quickly when model capability improves, but it must maintain product advantage while depending on frontier models, cloud infrastructure, enterprise trust, and developer willingness to route high-value source code through an AI workbench.

By 2026, the business was no longer only about individual developer adoption. Cursor's enterprise materials emphasized hooks, team rules, analytics, audit logs, sandbox controls, organizations, service accounts, cloud-agent governance, and usage measurement. That shift matters because the buyer is not just purchasing a faster editor. It is adopting a managed layer for AI-mediated software work.

Agentic Coding

Cursor is one of the companies that normalized the shift from AI-assisted coding to agentic software work. In late 2024, its changelog described agents that could see terminal exit codes, read linter errors, run commands in the background, auto-save changes, and edit multiple locations in parallel. By Cursor 1.0 in June 2025, the company highlighted Bugbot for pull-request review, memories, one-click MCP setup, Jupyter support, and general availability of Background Agent.

Cloud Agents move the workflow from local pair programming into remote delegation. Cursor's documentation says cloud agents run in isolated VMs with full development environments, can build and test changed software, support MCP servers, use multi-repo environments, and work without the user's laptop staying online. Cursor's June 2026 engineering post framed the hard part as building an operating layer around the agent: durable execution, environment setup, network policy, credential management, checkpointing, and self-healing environments.

Bugbot turns review into an agentic surface. It can analyze pull-request diffs, read existing PR comments as context, leave findings, publish a GitHub check, apply team and repository rules, run before code is pushed, and optionally spawn a Cloud Agent to autofix reported issues. Cursor's June 2026 update said most Bugbot runs were then completing in under three minutes while the system found more bugs per review, but the governance point is broader than speed: review itself becomes partially model-mediated.

In 2026, Cursor pushed further into cloud agents, automations, long-running agents, PR review, computer-use testing, plugins, team marketplaces, Design Mode, Microsoft Teams integration, the Cursor SDK, and its own Composer model line. Composer 2.5 was presented as better at sustained long-running work and complex instruction following, while Cursor's SDK beta made the agent harness available as programmable infrastructure rather than only as an interactive editor feature.

Security and Privacy

Cursor's own security documentation names prompt injection, hallucination, and unexpected AI behavior as security concerns. It says file reads and code search generally do not require approval, while actions that could expose sensitive data require explicit approval. Agents can modify workspace files without approval except for configuration files, and terminal commands require approval by default unless the user chooses a broader run mode or allowlist.

In June 2026, Cursor described Auto-review as a default for new users. The product blog says Auto-review uses a classifier agent to review actions in context before they run, with allowlists and sandboxing handling many lower-risk calls. That is a meaningful governance move, but it should be treated as a convenience and risk-reduction layer, not as proof that an agent run is safe for production secrets, destructive commands, or unreviewed deployment paths.

Privacy Mode narrows training and retention risks but does not mean no data leaves the machine. Cursor's June 9, 2026 data-use page says Privacy Mode prevents customer data from being used for training by Cursor and says Cursor maintains zero-data-retention agreements with providers. The same page also says model providers may run risk classifiers, that some abuse-triggered data may be stored for investigation under provider policies, that user API-key requests still pass through Cursor's backend for final prompt building, that code indexing uploads code chunks to compute embeddings, and that temporary encrypted file caching may occur to reduce latency.

Cloud Agents introduce a sharper security tradeoff. Cursor says they require read-write GitHub app privileges for repositories they edit, run in isolated VMs or self-hosted worker environments, and need enough network, dependency, and credential access to build and test software. Cursor's development-environment controls now include version history, audit logs, build secrets, per-environment secret scope, and per-environment egress allowlists. Those controls help, but they also show why cloud-agent adoption should be reviewed like CI/CD infrastructure rather than like a personal editor setting.

Customization expands the attack and policy surface. Plugins, skills, MCP servers, rules, hooks, commands, team marketplaces, automation memories, GitHub and Slack triggers, and computer-use artifacts should be treated as governed software assets. They can encode permissions, retrieve external context, call tools, preserve state, or shape how future agents interpret a repository.

For teams, the practical implication is that Cursor is not merely an editor choice. It is a security, vendor, identity, and software-supply-chain decision. Organizations need policies for repository scope, secrets, run modes, MCP servers, plugins, skills, hooks, terminal approval, dependency installation, network egress, generated-code review, privacy mode, audit logs, service accounts, analytics, and which projects can be exposed to cloud agents or automations.

Market Position

Cursor competes with GitHub Copilot, OpenAI Codex, Anthropic Claude Code, Google Jules, Cognition Devin, Replit, Windsurf, open-source coding agents, and ordinary IDE extensions. Its distinctive bet is that the editor itself should be rebuilt around AI-native workflows instead of bolting model calls onto a conventional development environment.

The acquisition of Supermaven in November 2024 reinforced that editor-centered strategy. Cursor said Supermaven's fast, context-aware completion work would help build better purpose-built coding models and editing experiences.

The market remains unstable. Frontier labs can ship their own coding agents; IDE owners can integrate models directly; open-source agents can undercut proprietary workflows; enterprises may demand private deployment or stronger audit controls; and developers may resist pricing, telemetry, or lock-in. Cursor's importance comes from being both a successful product and a live test of whether software engineering becomes an agent-managed workflow.

The strategic fight is therefore not only "which model writes better code." It is who owns the repository workbench: the editor surface, the agent loop, the code index, the cloud environment, the review bot, the usage analytics, the enterprise policy layer, and the identities that act in source-control systems.

Governance Questions

Cursor-like systems should be governed as development infrastructure. NIST's AI Risk Management Framework frames risk management through govern, map, measure, and manage functions; for coding agents, that means mapping which agents can touch which repositories, measuring review and incident outcomes, and managing the permissions that let natural-language instructions become software changes.

OWASP's 2025 LLM risks make the same point in security language. Prompt injection becomes more consequential when a model has tools, and "excessive agency" appears when an LLM system has excessive functionality, permissions, or autonomy. Cursor's product design is useful precisely because it grants agency. That usefulness is why the governance surface has to be explicit.

A practical review should produce an evidence packet, not only a tool approval. It should identify product surface, model, run mode, repository tier, code-indexing setting, Privacy Mode status, Cloud Agent or self-hosted worker location, GitHub app scope, service-account identity, MCP servers, rules, hooks, secrets, egress policy, audit-log retention, and which human gate owns merge and release.

A minimum Cursor control record should name the organization, team, groups, model access, budget limits, agent permissions, privacy mode, code-indexing setting, repository allowlist, GitHub app permissions, cloud-agent environment, self-hosted worker location if any, runtime secrets, build secrets, egress allowlist, plugins, skills, MCP servers, hooks, rules, automations, event triggers, memory files, service accounts, audit-log retention, and the human owner for merge, release, rollback, and incident review.

Source Discipline

For Cursor, distinguish official product claims from independent verification. A Cursor blog or documentation page can establish what Anysphere says a feature does on a given date. It does not prove reliability, security effectiveness, productivity impact, or suitability inside another organization's repository and threat model.

Funding, annual recurring revenue, and enterprise-adoption figures should name whether they are company-announced, investor-reported, media-reported, or independently audited. Anysphere is private, so company-reported ARR and Fortune 500 adoption claims are not the same kind of evidence as public-company filings.

Capability claims should identify the product surface, date, version if known, run mode, model, and environment: local Agent, Cloud Agent, self-hosted Cloud Agent, Bugbot, CLI, SDK, Automations, Auto-review, Composer model, or a third-party model routed through Cursor. Without those details, "Cursor can" statements hide important permission and runtime differences.

Security claims need the exact boundary: Privacy Mode, code indexing, LLM request routing, temporary file caching, Cloud Agents, self-hosted workers, network egress, Runtime Secrets, Build Secrets, audit logs, service accounts, MCP servers, rules, hooks, and terminal approval. The relevant evidence is not a product slogan but a trace, policy config, and reviewable vendor-control record.

Spiralist Reading

Cursor is the Mirror embedded in the workshop.

It does not merely answer questions about software. It touches the living system: files, tests, terminals, dependencies, reviews, and deployment-adjacent routines. The promise is real. Tedium falls away; codebases become more navigable; small repairs can happen faster; teams can explore more possibilities.

The danger is also real. The organization may start measuring motion instead of understanding. If the agent produces more code than humans can review, the institution has not gained intelligence. It has gained throughput without digestion.

The Spiralist reading is disciplined delegation. Cursor-like tools are valuable when they compress mechanical loops while preserving human authorship, security boundaries, apprenticeship, and accountability. They become dangerous when the passing test replaces judgment.

Sources


Return to Wiki