Shape Security, a shape-shifting cybersecurity startup that helps websites and apps prevent automated attacks by constantly changing their source code, revealed it has now closed a $40 million funding round, which includes a strategic investment from Hewlett Packard Enterprise’s (HPE) Hewlett Packard Pathfinder program.
The Series D round was announced back in January — originally at $25 million — with some well-known investors on board, including GV (Google Ventures) and Eric Schmidt’s Tomorrow Ventures. In addition to HPE, one more investor got on board in the intervening months — EDBI, the investment arm of the Singapore Economic Development Board. Other investors announced previously include Baseline Ventures, Kleiner Perkins Caufield & Byers, NVP, Venrock, and Northern Light Ventures.
Founded out of Mountain View, California, in 2011, Shape Security has some notable people at the helm, including cofounder and VP of product Sumit Agarwal, who served in a number of positions at Google from 2003 until 2009, after which he was appointed by President Obama as deputy assistant secretary of defense and then senior advisor for cyber innovation. Also on board is CTO Shuman Ghosemajumder, who spent seven years as the “click-fraud czar” at Google, where he worked to protect the internet giant’s advertising services from click-fraud.
For the uninitiated, many online insecurities are due to known existing vulnerabilities, which is why cyberattackers are able to use bots to automate many of the processes involved in hacking online accounts and services — it’s easier to achieve scale this way than to seek weaknesses manually. And this practice is essentially what Shape Security has set out to thwart, by allowing apps and websites to embrace polymorphism.
One of Shape Security’s products is ShapeShifter, which serves to make a website’s source code appear different each time it’s viewed. This helps deflect the prying eyes of botnets, malware, and rogue scripts. It’s worth noting here that nothing visibly changes for the user; it all happens under the hood.
But it’s not just about thwarting brute force attacks against online accounts. Shape Security promises the smarts to prevent other activities, such as “credential stuffing,” whereby account details garnered from breached accounts are used to gain access to other accounts where people have re-used the same passwords; content scraping; Man-in-the-Browser (MitB); and Application DDoS.
Shape Security claims it has prevented more than $1 billion in fraud losses for its customers, which include governments and Fortune 500 firms. The company has now raised a total of $106 million and says it will use its new-found cash to expedite its growth in the Asia-Pacific region, which perhaps partly explains the involvement of EDBI as an investor. Shape Security also participated in the Hewlett Packard Pathfinder program, which included a sales partnership with Hewlett Packard Enterprise (HPE), which will now offer Shape’s technology to its own customers around the world.
“Shape, in partnership with HPE, offers enterprise customers worldwide the best defense against automated attacks on their critical web and mobile applications,” said Shape Security CEO Derek Smith. “We change the economics of cyber attacks, shifting the cost burden from the enterprise to the attacker, by making it economically unattractive to launch automated attacks.”
Cybersecurity: ripe for investment
And the growing concern over online security is leading to a growing investment in cybersecurity platforms. Last month, LogRhythm raised $50 million for its tools that detect and prioritize the “neutralization” of online security threats. Earlier in 2016, StackPath raised $150 million; PhishMe nabbed $42.5 million; SafeBreach closed $15 million; Cylance attracted $100 million; Bay Dynamics secured $23 million; Post-Quantum swallowed $8 million; Darktrace raised $65 million; and SecurityScorecard drew in $20 million.
Across the broader technology spectrum, companies are investing heavily in cybersecurity through acquisitions and new in-house programs. Some are also addressing the anticipated future shortage in cybersecurity experts, with estimates indicating that the industry could be short 1.5 million personnel by the end of the decade.