Why we invested in Escape

Why did Julien-David Nitlech and François Kergaravat lead Escape's €3.6m Seed round with IRIS, alongside Frst, Y Combinator, Kima Ventures, Tiny Supercomputer Investment Company and great business angels, announced last week?

Because Escape is a security company on a mission to make Dynamic Application Security Testing (DAST) cool again, with a focus on Attack Surface Management and APIs. What makes us so excited about Escape is the quality of the tech platform, combined with a strong conviction in the team and its approach, which lets developers secure their APIs at any stage of the development process.

API Security is a key component of Application Security

APIs are facilitating the shift from monolithic applications (an app conceived as one unified entity) to microservices (a set of smaller, independently deployable services), so API usage is skyrocketing. 51% of respondents to Postman's 2022 State of the API report said that more than half of their organization's development effort is spent on APIs. Consequently, APIs have become a large part of the application attack surface, as an entry point to massive amounts of information and systems. Google Cloud's 2022 API Security Research Report states that 62% of IT decision makers reported an API security incident in the past 12 months.

Figure: Google Cloud’s survey of 500 leading tech companies in the US


Some examples of API security incidents:

  • T-Mobile revealed in January that a threat actor stole the personal information of 37 million customer accounts via an exposed API (which they exploited between November 25, 2022 and January 5, 2023)
  • A vulnerability report on Gorillas’ systems identified critical issues: on top of personal data leaks, the API keys for SendGrid’s email service could be obtained, enabling attackers to send emails on behalf of Gorillas.

The need to “shift left” API security

The later a security issue is discovered, the more costly it is to remediate. API security should thus be dealt with as early as possible, integrated in the continuous integration/continuous delivery (CI/CD) flow.

Current API security solutions run lengthy “brute-force” scans, which prevents them from being embedded in the development process. As a consequence, current API security testing practices:

(1) slow down the development process: NoName 2022 API Security report states that among the 350 IT leaders interviewed, 87% believe a more effective integration of API security testing into developer pipeline activities could have prevented project delays.

(2) lack efficiency: according to Salt Security’s State of API Security (Q1 2023), 94% of survey respondents experienced security problems in production APIs within the past year.

Escape’s technology tests APIs during the development process

Escape’s product relies on 4 pillars:

- it automatically lists and updates an organization’s APIs;

- it uses AI and reinforcement learning to understand the business logic of an API and to learn how to interact with it (Escape’s secret sauce, called feedback-driven exploration);

- every time an API is updated or exposed, it launches a batch of scans based on sequences of legitimate queries, integrated in the development pipeline;

- it warns the security teams when vulnerabilities are detected, and assists the developers in remediation.

Escape is thus faster than brute-force and manually designed scans, which unlocks the ability to embed it in the development process. The feedback-driven exploration also makes detection more exhaustive and accurate, with broad security coverage and a limited rate of false positives. The team decided to focus first on GraphQL APIs for go-to-market and R&D reasons. Escape is currently expanding its coverage to support REST (which is more widespread than GraphQL across organizations).

“Escape was able to find and help us fix security flaws that human security auditors have not seen. By doing so as early as during the development process, Escape allows us to always stay secure and ahead of hackers.” Adrien Montfort, CTO, Sorare

This technology was explained to us by a team of brilliant founders, who built Escape straight out of school and who already behave like experienced security and machine learning experts, and entrepreneurs. It is this combination of a strong market need, a unique technology and a great team that convinced us to join Tristan and Antoine on this journey.

Exciting challenges lie ahead for Escape, which is starting to generate strong commercial momentum and has a solid roadmap to deliver. We are proud and happy to pursue this path with Tristan and Antoine!


Sources:

Salt Security – Q1 2023 State of API Security: https://content.salt.security/state-api-report.html

NoName & 451 Research – 2022 API Security Trends Report: https://nonamesecurity.com/api-security-trends-report

Google Cloud – 2022 API Security Research Report: https://cloud.google.com/resources/api-security-research-report

Postman – 2022 State of the API Report: https://www.postman.com/state-of-api/

Rapid7 – DAST Tools Explained: https://www.rapid7.com/fundamentals/dast/
