The “next frontier” in cybersecurity, according to Traceable CEO Jyoti Bansal, is the code and software layer. And this, he says, represents a $10 billion or more market opportunity for his API security company.
“This systems and infrastructure layer is where all the cybersecurity focus has been for the last 15, 20 years,” Bansal said. “Now, the next frontier becomes all about code and software.”
Of course, he has a vested interest in saying this. His most recent startup, Traceable, which he launched about a year ago, focuses on cloud-native API and application security.
It’s a particularly hot sector of the larger security market due, in part, to the COVID-19 pandemic, which sped up companies’ already-in-progress moves to microservices and cloud-native applications. This magnified the importance of security at the code and workload level, and so did the SolarWinds hack, where Russian hackers inserted malicious code into a SolarWinds update and used a trusted vendor’s software to breach upwards of 18,000 organizations.
Organizations’ migrations to cloud-native, microservices, and serverless architectures provide more agility — but also present new security risks, Bansal said. “They are doing DevOps, they’re doing CI/CD, and this creates a lot of velocity and innovation very rapidly,” he added. “But it comes with a major security challenge. How do you secure all of this, how do you track all of this?”
Microservices, Sophisticated Attacks on the Rise
Companies’ potential attack surfaces used to be a handful of large, monolithic software systems, and they protected these systems by putting a network firewall out in front of them.
“But now, the way the new architecture works is that you take those five monolithic software systems, you break it into 500 microservices, and you enable every developer to ship it out in parallel,” Bansal said. “Now you have 500 things to secure and they are changing every day or even every few hours. So for a security team, that becomes a big challenge that they’re all worried about.”
Some of these microservices run in public clouds, and some are exposed to partners and other third-party systems via APIs. “The boundaries are completely blurred, and network security is not enough,” he said.
“And the other factor: cybersecurity challenges are growing,” Bansal added. “You have state actors doing more sophisticated attacks like SolarWinds, which came in through the software development process. People are worried about more sophisticated attacks that will come in, and a lot of them will be at the software layer, not at the systems or the infrastructure layer.”
Infrastructure and larger security vendors, as well as investors, are also taking note of these changing architectures and increasingly sophisticated security threats. Four cloud-native security unicorns (Snyk, Aqua Security, Orca Security, and Wiz) announced massive funding rounds, all in excess of $100 million, over the last three weeks. Additionally, last month Palo Alto Networks paid $156 million for DevOps security startup BridgeCrew. And just last week, VMware bought API security startup Mesh7 for an undisclosed amount.
All of this bodes well for Traceable and Bansal, who sold another one of his startups, AppDynamics, to Cisco for $3.7 billion three years ago, a day before AppDynamics’ planned IPO.
Traceable’s Application Security Platform
Traceable launched last July with $20 million in series A funding and an application security platform that uses distributed tracing technology to trace end-to-end application activity — from the user and session through the application code. Meanwhile, TraceAI, the platform’s artificial intelligence (AI) and machine learning technology, analyzes this data to learn normal application behavior and to detect activity that deviates from the norm. Businesses can then use Traceable’s forensic data and insights to analyze attack attempts and perform root cause analysis.
The startup now has about 15 customers using the platform. These include fintech unicorn Marqeta, digital advertising company NextRoll, real estate broker Houwzer, and DevOps startup Harness. Bansal also founded Harness and serves as its CEO. In January Harness announced an $85 million Series C round on a $1.7 billion valuation.
“People really like our ability to detect all the APIs that are there, and our ability to use AI and machine learning to automatically stop breaches when they’re happening,” Bansal said, about Traceable’s customers. “They also like our approach of feeding it back to the software developers directly, because many times you don’t want to just stop the breach on these APIs, but you also want to tell the developers where the problem is and how to fix it.”
What’s Next for Traceable in 2021
Last month, Silicon Valley CISO Investments announced a strategic partnership with and investment in Traceable. The investment group includes more than 55 CISOs from Credit Karma, Splunk, Palo Alto Networks, Microsoft Azure, Hewlett Packard Enterprise, and Whole Foods. As partners, these CISOs will help Traceable shape its product roadmap and strategy, Bansal said.
Looking ahead, Traceable plans to “significantly expand” how its technology understands API risks in a continuous, automated way for customers. “Giving people risk scores, and risk dashboards on their API security posture,” Bansal explained. “We are also expanding our coverage of different kinds of threats and attacks that can happen on APIs including behavioral attacks and financial fraud. Our machine learning and AI is getting smarter around building this kind of behavioral model to stop fraud.”
Later in 2021, Traceable plans to introduce capabilities that move its vulnerability-detection technology earlier into the software delivery lifecycle. “So we can catch a lot of these problems in production before you even deploy your code and your APIs,” Bansal said.
CEO Eyes $10B Market Opportunity
And while selling his earlier application performance management startup to Cisco for $3.7 billion in 2017 was a huge deal, Traceable’s market opportunity is even bigger than AppDynamics’, Bansal says. “If the whole world is going to run on lines of code and connected to APIs, then you’ve got to secure that door properly,” he explained.
Traceable competes against both web application firewalls (WAFs) and run-time application self protection (RASP) tools. Bansal says the two combined represent a $4 billion-per-year market. “And we think the market is just getting started,” he added. “The amount of software code people are building, the migration to cloud-native architectures, the migration to more and more APIs that you have to protect — we think the market is massive. It could become a $10 billion-plus market for us to address. There has to be a platform for protecting software code all the time, so the opportunity here is to build a massive platform company, an independent platform company, and that’s what we are shooting to build at Traceable.”
Or Will Cisco Buy Traceable for Its Security Stack?
On the flip side, Traceable’s technology would add a much-needed tool to a larger cloud security stack. And vendors including Cisco and VMware have said that application security ranks high on their list of acquisition targets.
“It’s hard for me seeing Traceable existing on its own for a long time,” said Zeus Kerravala, principal analyst at ZK Research. “They do a piece of security, but you want to orchestrate that with the rest of the security stack.”
Additionally, companies want to consolidate their security environments. “CISOs are starting to understand that you don’t have to have best of breed everywhere,” Kerravala added. “In fact, best of breed everywhere doesn’t often lead to best-in-class threat protection.”
While organizations probably won’t downsize to just one security platform or vendor, “the days of it being 200 are over,” he said. “And so that would again warrant Traceable being part of somebody else’s stack.”
Kerravala says a handful of vendors would benefit from buying Traceable. “Cisco’s certainly been dancing around this area. Palo Alto, Fortinet, VMware — any company that’s trying to play even remotely up the stack from the network, which I think all the vendors are now.”