Attack surface management platform RapidFort raises $8.5M seed round

RapidFort, a startup that helps developers reduce the potential attack surface of their applications by automatically removing unused software components from their containers, today announced that it has raised an $8.5 million seed round. The round was led by Felicis, with ForgePoint Capital, Bloomberg Beta, Global Founders Capital, Plug & Play Ventures, GIT1K Club and a group of investors from RapidFort’s earlier rounds also participating.

In addition to announcing the new funding, RapidFort today launched its free tier.

The company was co-founded by Mehran Farimani and Rajeev Kumar Thakur. “He was working at Palo Alto Networks about three years ago,” Farimani said of Thakur when I asked him how the company got started. “He came to me with a long list of grievances about how this new DevOps thing and vulnerability management and so on was affecting his product launch.”

As Thakur’s team was modernizing a part of Palo Alto’s firewall service to scale to more hits per day, the security team stopped them in their tracks because of the thousands of potential vulnerabilities in the application — mostly from third-party open source components that were being used.

And that’s where RapidFort comes in. The service reduces the overall attack surface by analyzing which components in a container are actually needed to run an application. Development teams run them as normal in dev, test or production, while RapidFort figures out which components it can remove. The company says its improvements are typically in the range of 60 to 90%, so that in the end, security and developer teams can focus on the vulnerabilities that actually matter.

Image Credits: RapidFort

Aydin Senkut, founder and managing partner at Felicis, noted that on top of the team’s experience and a rapidly growing market, he was especially attracted to the company because it already had a lot of interesting users, including a lot of government customers.

“We are excited about security because, despite the big tech pullback in the market overall, security seems to be the most resilient sector,” Senkut noted. “We get excited about it because I think overall, software that is deployed everywhere — government and private — is only growing larger and I think there will be many vectors that security companies will need to address. So given that software is not getting smaller but getting much bigger, we felt that it was actually a very pragmatic and smart thing to back RapidFort. We really liked their approach.”

Farimani also added that while infrastructure today isn’t where many organizations are focusing their security budgets, that’s quickly changing.

Image Credits: RapidFort

He also noted that while we often talk about Software Bills of Materials (SBOMs) today, the analogy doesn’t quite work, because in manufacturing, Bills of Materials are carefully crafted. “In software, we don’t work like that,” he said. “The bandwidth is cheap, storage is cheap — and I just want my application to work. But now it’s becoming very apparent that there is a cost to all that garbage that we leave in these applications. There is a running cost for the enterprise, for us to maintain it as vendors, and so on. And so I think that the problem is getting more visibility.” So instead of just assembling SBOMs from existing applications, he believes that the focus has to be on building clean SBOMs and optimizing them.

In its current iteration, RapidFort focuses on working with containers. Those can run pretty much anywhere, including standard Kubernetes clusters or managed services like AWS Fargate. But the company is also working on making its service work for virtual machines, which tend to be much larger and consist of far more components. The team believes that’s a problem it can solve, though.