Shape Security — the enterprise startup that emerged from stealth last month with an enterprise product that fights automated malware and bots by way of a firewall (or ‘botwall’ in its words) that shifts its shape depending on what is trying to scale it — has picked up another $40 million in funding.
The Series C round will be used to help the startup continue to develop its technology (which today works through a piece of hardware that a client installs on its premises, but may in the future move further into a virtualised solution in the cloud); and it will also be used to help build up its salesforce globally, now that Shape is openly marketing itself.
The round was led by new investors Norwest Venture Partners and Sierra Ventures, with participation from Kleiner Perkins, Venrock, Google Ventures, Eric Schmidt’s TomorrowVentures, and Allegis Capital. It brings the total raised by Shape to $66 million.
If you have ever wondered why it is that some startups are able to raise enormous amounts of capital before they’ve even gotten a product out the door (or have just started to), look to Shape as one example of how VCs like to back a strong horse.
The company was co-founded by Sumit Agarwal, Derek Smith (Shape’s CEO) and Justin Call (who is the CTO): Agarwal was Google’s first mobile project manager and was later appointed by President Obama as the Assistant Deputy Secretary of Defense at the Pentagon; Smith used to be the CEO of Oakley Networks, which was eventually acquired by Raytheon; Call is also an alum of the latter. Among Shape’s senior staff is Shuman Ghosemajumder, Shape’s VP of Strategy who had been the “Click Fraud Czar” at Google.
There is also the issue of what Shape is attempting to tackle: as cybersecurity threats continue to grow, so do the number of ways that tech companies try to fight them. In the case of Shape, it’s taking an approach that it calls “real-time polymorphism.”
The problem, as Shape sees it, is this: every web app in the world has a user interface, but that interface effectively becomes an inherent point of vulnerability into a company’s network, with botnets created to effectively learn the code. What Shape does is send out code that effectively changes access to a web page. “By changing the code coming from the web server, it becomes capable of resisting the commands sent from endpoints,” Agarwal told me in an interview.
It’s not, he says, a “silver bullet” to combat malicious hacking, but a solution to deal with the reality of today: “There are about half a billion compromised endpoints out there today. That’s what enabled these attacks to happen and so easily bypass existing technology.” In other words, Shape is fighting fire with fire, going after automated botnets with automated code changes.
The company tells me that this doesn’t compromise how normal and legitimate visitors are able to access sites.
The solution, you can imagine, complements the sorts of defenses that are offered by other security companies — which whitelist and blacklist known threats, for example. As the price for botnets becomes increasingly cheap ($1,000 for 10,000 zombies, according to one study), and the cost of dealing with malware continues to rise, this seems to have resulted in a perfect storm for Shape.
“Since our launch last month, we have been inundated with inquiries from customers all over the world,” said Smith in a statement. “We have worked with early adopters in financial services, healthcare, and retail, and our goal with this new funding is to scale quickly to protect every industry.”