NeuraLegion becomes Bright Security and raises $20M Series A

NeuraLegion, a startup that focuses on dynamic application security testing and identifying business logic issues, today announced that it has changed its name to Bright Security. In addition, the company also said that it has raised $20 million in a Series A round led by Evolution Equity Partners. Previous investors DNX Ventures, J-Ventures, Fusion Fund and Incubate Fund also participated in this round.

When NeuraLegion/Bright Security launched in 2018, the company’s focus was on an AI-powered fuzzer that would help developers find and mitigate potential security exploits in their code.

While the team found some potential customers for the service, it was almost too good. “The people who love it really love it,” Gadi Bashvitz, who became Bright Security’s CEO this January, explained. “But there are very few people that can actually implement it, because it is a very harmful product that essentially, because it looks for zero days — and finds zero days — creates havoc. It crashes any target that it runs against, which means that if you were running it against a production or a close-to-production environment, you would have to have the facility to recreate that target again and again and again and again.” That requires a lot of coordination between different teams — not something most enterprises excel at — and so many of the company’s potential users weren’t able to adapt.

By the time the team raised its $4.7 million seed round in 2020, it had already shifted its focus to dynamic application security testing; that is, finding vulnerabilities in web applications and APIs by simulating attacks by outside users. That’s still what Bright Security focuses on today and, as Bashvitz noted, the company has no intention to branch out into related fields like static application security testing. The company says more than 4,000 organizations now use its products.

As developers are increasingly tasked with security testing (on top of everything else that comes with the DevOps model), the Bright Security team put an emphasis on making its tools as easy to use and frictionless as possible. It integrates with existing CI/CD pipelines and can scan anything from web apps to REST, SOAP and GraphQL APIs. The team prides itself on avoiding false positives, something that often leads developers down unnecessary and time-wasting rabbit holes.

As for the name change, Bashvitz noted that there were a lot of companies with similar names and that “Bright” better represents what the company does. “We’re trying to provide illumination for all these teams — both visibility into vulnerabilities and try to provide a guiding light on how you can actually do [dynamic application security testing] correctly,” he said. He also noted that DAST had fallen a bit out of favor in recent years (he called it a “C.Y.A.” tool), despite the need for these kinds of tools.

“Application Security is ready for an overhaul to meet the demands of the current market,” said Karthik Subramanian, a partner at Evolution Equity Partners. “Tools that were built exclusively for the AppSec team are already antiquated if they aren’t usable by developers and the DevOps team, and our tools must evolve to ensure security isn’t the job of one team, but rather a joint mission with shared and distributed responsibilities.” Subramanian will join Bright Security’s board.