Shape Security, a cybersecurity startup that helps businesses prevent fraudulent use of their online systems, has raised $51 million in a round of funding led by C5 Capital, with participation from Kleiner Perkins, HPE Growth, Norwest Ventures Partners, Focus Ventures, JetBlue Technology Ventures, Top Tier Capital Partners, and Epic Ventures.
As a result of this latest investment, Shape Security has also now entered the much-coveted “unicorn” club, claiming a valuation of $1 billion.
Founded in 2011, Mountain View-based Shape Security’s core raison d’être is to help big businesses such as banks prevent fraud from so-called “imitation attacks,” whereby bots attempt to access other people’s accounts through credential stuffing, creating fake accounts, scraping data, and more. So this is less stopping someone from sneaking in through the backdoor under an invisible cloak, and more spotting someone strolling through the front door with a fake beard and prosthetic nose.
Many cyberattacks center around automated techniques that prod and poke at online systems until they find a way in. An attacker may have a trove of stolen credit card details, for example, but to test them each out manually for validity would take too long — so they perform the check once themselves, and then train a bot to carry out that same check on other card details until they have found out which ones are usable. Malware can also be used to hijack devices remotely, or an attacker may steal various pieces of someone’s identity to try to apply for a new credit card.
The bottom line is, it’s relatively easy to carry out large-scale cyberattacks through imitation and automation, which is why Shape Security is also using automation to detect such attacks.
The AI effect
Working across websites, native mobile apps, and API endpoints, Shape Security leverages historical data, machine learning, and artificial intelligence (AI) to figure out whether a “user” is real or fraudulent, and if it determines that it’s the latter, it puts blocks in place. Attackers will often try again by changing their methods, to which Shape Security also has to adapt.
The company doesn’t divulge all the signals it uses to separate bot from human, as it said this would give cybercriminals too much information, but it does monitor things like keystrokes and mouse movements, in addition to system details such as whether a device has been rooted. The information it uses ultimately depends on the nature of the attack.
“We use some signals to detect known attack tools, others to detect bot-like behavior, and still others to amass a list of lies the user agent is trying to tell,” Jarrod Overson, Shape Security’s director of engineering, told VentureBeat. “Thousands of features get processed by Shape’s decision engine to determine if traffic is legitimate or fraudulent.”
Shape Security said that it thwarts as many as 2 billion fraudulent or “unwanted” transactions each day, and claims that more than half of all online banking customers in North America are protected by its technology.
Moreover, the more that companies use Shape Security’s technology, the better it should get as it is exposed to increasingly more data. That, after all, is what any good machine learning system is designed to do.
“Shape has multiple machine learning systems, and all the data comes from Shape’s telemetry and the network metadata,” Overson continued. “Some systems learn from other customers’ data to build preventative countermeasures; other systems learn from good user behavior and identify anomalies from there.”
Prior to now, Shape Security had raised north of $130 million from big-name backers including Alphabet’s GV and former Google CEO Eric Schmidt’s Tomorrow Ventures. With another $51 million in the bank, it said that it plans to grow its platform globally and double down on its AI capabilities.
“This investment will help us scale our international operations and fuel our AI development,” Shape Security cofounder and CEO Derek Smith added in a statement. “Our new and returning investors, coupled with our continued track record of growth, underscore our vision to protect all enterprises from fraudulent Internet transactions.”
The global cybersecurity market was pegged at sizable $152 billion in 2018, and it’s expected to grow to $250 billion within a few years. With more and more business taking place online, every company is effectively becoming a software company, which means all the more targets for cybercriminals — barely a day goes by without some form of data breach, hack, or security lapse making headlines around the world.
Automation meshed with cybersecurity also sits in a very sweet spot both for investors and larger companies looking to bolster their product through acquisitions. Indeed, much has been said about a projected cybersecurity workforce shortfall, which is one of the reasons why automated tools are particularly appealing to enterprises and investors. Back in June, CrowdStrike — an AI-powered cybersecurity platform that offers endpoint protection and threat intelligence — went public, and so far it has performed well, with shares currently sitting at more than double the IPO price. And last year, BlackBerry snapped up AI-enabled security startup Cylance for more than $1 billion.
As a new entrant to the unicorn brigade, does this mean that Shape Security has one eye on an exit? Apparently so — “preparation for an IPO is part of our plan,” Shape Security CMO Mike Plante told VentureBeat, without elaborating on a timescale.