Traceable, a startup developing an end-to-end cloud app security solution, today emerged from stealth with $20 million in funding. CEO Jyoti Bansal plans to focus on acquiring customers globally while growing Traceable’s team and accelerating R&D.
Cloud-native apps are often built with hundreds or even thousands of API microservices (i.e., loosely coupled services), making them difficult to protect at scale. Gartner predicts that by 2022 API abuses will be the most frequent attack vector, which isn’t surprising, considering API calls represented 83% of web traffic as of 2018.
Traceable works to protect these APIs with machine learning algorithms that analyze app activity from the user and session all the way down to the code. These algorithms learn to distinguish between normal and anomalous behavior with a false positive rate of less than 1%, Bansal claims, and to provide alerts for activity that might deviate from the norm.
“Cloud-native applications have clearly become hackers’ favorite targets. These applications are all API-driven, with APIs exposing business logic to the outside world. Existing application security approaches aren’t built for modern application architectures and use data in a narrow context to detect threat activity,” Bansal told VentureBeat. “Traceable’s approach is to feed TraceAI, our machine learning technology, with extremely rich and highly useful distributed tracing data directly from the application. This combination of real-time trace data and machine learning uniquely enables Traceable to distinguish between legitimate and malicious users and application activity with a high degree of accuracy.”
Bansal, the founder and former CEO of AppDynamics, cofounded Traceable with former AppDynamics VP Sanjay Nagaraj. (Cisco acquired AppDynamics in 2017 for roughly $3.7 billion.) While at AppDynamics, Bansal had a prime view of the growing adoption of cloud-native architectures. He says he soon realized existing approaches to cloud app security fell short — most only provided limited visibility into the app layer and suffered from high false-positive rates, while others were designed to protect traditional apps with well-understood protocols, as opposed to distributed apps using custom APIs.
“One of our customers has approximately 700 API endpoints. These sessions ranged anywhere from 10 API calls to 100 API calls,” explained Nagaraj. “Theoretically, this would come down to 700 to the power of 10, or 700 to the power of 100 possible personas. But like in natural language, applications have their own grammar, where APIs are akin to words in natural language and API interaction is based on a latent grammar. Each of these endpoints had as many as 6,000 response body keys and around 100 request keys and hundreds of headers. The combinatorial complexity of validating this intricate relationship at scale is something that cannot be solved by brute-force analysis or a rules-based engine. Instead, it requires advanced and scalable machine learning techniques.”
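To make the "APIs as words, sessions as sentences" analogy concrete, here is an added illustration (not Traceable's or TraceAI's code, which the article does not describe): a bigram language model over per-session endpoint sequences that scores how "grammatical" a new session is and flags outliers. Endpoint names, sessions and the threshold are constructed for the example.

```python
from collections import Counter
from math import log

# Constructed sample: per-session endpoint sequences from normal traffic.
# Endpoint names are hypothetical and not taken from any real application.
NORMAL_SESSIONS = [
    ["login", "list_accounts", "get_account", "logout"],
    ["login", "list_accounts", "get_account", "transfer", "logout"],
    ["login", "get_account", "logout"],
    ["login", "list_accounts", "transfer", "logout"],
    ["login", "list_accounts", "get_account", "get_account", "logout"],
]

START, END, UNK = "<s>", "</s>", "<unk>"


class ApiGrammar:
    """Bigram model over endpoint sequences: a toy 'latent grammar' of an API.

    Each session is one 'sentence'; each endpoint call is one 'word'.
    Add-one (Laplace) smoothing gives unseen transitions a small non-zero
    probability instead of breaking the score.
    """

    def __init__(self, sessions):
        self.vocab = {START, END, UNK}
        self.bigrams, self.unigrams = Counter(), Counter()
        for session in sessions:
            self.vocab.update(session)
            seq = [START] + session + [END]
            for a, b in zip(seq, seq[1:]):
                self.bigrams[(a, b)] += 1
                self.unigrams[a] += 1

    def transition_logp(self, a, b):
        # log P(b | a) with Laplace smoothing over the endpoint vocabulary
        return log((self.bigrams[(a, b)] + 1) / (self.unigrams[a] + len(self.vocab)))

    def score(self, session):
        """Mean negative log-probability per transition (lower = more 'grammatical')."""
        seq = [START] + [e if e in self.vocab else UNK for e in session] + [END]
        total = -sum(self.transition_logp(a, b) for a, b in zip(seq, seq[1:]))
        return total / (len(seq) - 1)

    def is_anomalous(self, session, threshold):
        # In practice the threshold is calibrated on held-out normal traffic
        return self.score(session) > threshold


if __name__ == "__main__":
    grammar = ApiGrammar(NORMAL_SESSIONS)
    for s in (["login", "list_accounts", "get_account", "logout"],
              ["transfer", "transfer", "transfer", "admin_export"]):
        print(s, round(grammar.score(s), 2), grammar.is_anomalous(s, 1.5))
```

Per-transition averaging keeps long but ordinary sessions from scoring as anomalies merely because of their length, which matters when sessions range from 10 to 100 calls.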
Bansal says Traceable has a number of paying customers, but to spur adoption of the platform, he and Nagaraj made the underlying distributed tracing technology available in open source. Dubbed Hypertrace, it enables DevOps teams to observe and monitor production applications with the same tracing and observability features powering Traceable.
Bansal’s own Unusual Ventures led Traceable’s $20 million series A round. This is one of the venture firm’s largest commitments since April 2019, when it participated in a $60 million round in Bansal’s Harness.io, a startup that leverages AI to detect the quality of app deployments and automatically roll back failed attempts.
Traceable’s exit from stealth follows the launch of Salt Security, which is also developing a protection solution that discovers APIs and spots vulnerabilities. Salt and Traceable take an approach that is similar — but not identical — to that of Elastic Beam, an API cybersecurity company that was acquired by Denver, Colorado-based Ping Identity in June 2018. Other rivals include Spherical Defense, which adopts a machine learning-based approach to web application firewalls, and Wallarm, which provides an AI-powered security platform for APIs, as well as websites and microservices.