Investors Eye Emerging Cybersecurity Space As APIs Explode

Illustration of guard dogs protecting computer.

With venture capital flowing into the cybersecurity space at a record level, investors continue to hunt for the next big thing.

Subscribe to the Crunchbase Daily

In the last two months, that has meant looking at how applications talk to each other — and how to protect the data and services that flow through them between application programming interfaces, or APIs as they are more commonly called.

“We get multiple emails a week from investors sniffing around,” said Larry Link, CEO of Sunnyvale, California-based API security provider Cequence Security. “We see interest from PE, from growth venture — they all want to play in this space.”

This week, Cequence announced it received an undisclosed strategic investment earlier this year from T-Mobile Ventures, with existing investors Dell Technologies Capital and Shasta Ventures also participating.

That is not the only round API security providers saw in the last several weeks. Last month, London-based 42Crunch raised a $17 million Series A. Later that month, Palo Alto, California-based Salt Security closed a $70 million Series C — raising the total amount of funding the company has seen in the last year to $120 million. Earlier this month, Colorado-based ThreatX announced it had closed a $10 million round.

“Right now there is a lot of money flying around out there,” said Greg Dracon, a partner at .406 Ventures, which invested in ThreatX and described the round as competitive from the investor’s side.

The rise of APIs

An API is what enables two applications to talk with each other. For example, when you look up cheap flights on the Internet, the app you are using needs to connect to the databases of airlines to see what may be available. That connection is through an API.

The amount of APIs — including web, mobile and third-party — in use has exploded through the years.  A report by Internet company Akamai Technologies said 83 percent of all web traffic now goes through APIs.

“The API discussion is part of every discussion we have,” said ThreatX CEO Gene Fay. “Every company is leveraging more and more APIs.”

The proliferation of APIs is in large part due to the growth of “microservices,” Link said. Microservices is a style of building apps by loosely coupling services around the application’s main business function. As companies build their apps, developers integrate it with providers of microservices — things like communication, logistics and login verification. As more of these microservices become available, developers add them to apps through APIs.

“Companies really have no idea what their API footprint is anymore,” he added.

Just this year, huge companies such as Peloton, Clubhouse, Experian and John Deere have run into API security incidents. Fay said his company noticed a multiple-fold increase in API attacks from the second quarter of last year — as cyber attackers used the pandemic to hone their skills — to the second quarter of this one.

Without secure APIs to protect the data and services that flow between applications, bad actors can take over accounts or disrupt a company’s ecommerce business.

“I am seeing an increase in companies that know their APIs are exposed,” Link added.

Still early innings

Although API security recently has captured investors’ imaginations, it still is a nascent space when compared to other areas of cybersecurity. According to Crunchbase data, companies that describe themselves as securing APIs only have seen about $193.4 million of venture funding in the last 18 months — most of that going to Salt Security — although that is more than triple what the space realized in 2018 and 2019 combined.

Dracon compares the API security to what endpoint security was several years ago. As actors became more sophisticated, antivirus tools from Symantec and McAfee began to lag. That gave rise to companies such as Carbon Black, Crowdstrike and Cylance, all of which became large companies before exiting to the public markets or being acquired.

The application space is seeing much more modern, advanced attacks and the API has become a common attack vector. With that trend, next-generation application security is needed, Dracon said.

What comes next?

Aside from the recent funding rounds, the API security space has also witnessed some dealmaking. Just last month cyber giant Imperva bought Los Altos, California-based API security developer CloudVector for an undisclosed amount.

That could be the opening salvo of a battle in the space. Along with Imperva, Vista Equity Partners-backed Ping Identity also competes in the sector and investors expect more to join.

“I expect all large cyber vendors will have a play in this space at some point,” Dracon said.

Aside from the usual suspects of Fortinet, Palo Alto Networks and Cisco, Link said he could see VMware, Splunk and CrowdStrike looking more at the area of API security.

“Those guys are interested in the API space,” said Link, who expects to raise a $40-to-$50 million Series C growth round by the end of the year.

Fay added he expects the market evolution in the next three-to-four years will determine the ultimate winners.

“This space continues to get recognized …. And I know there are companies that will come into it,” Fay said. “I think there is a ton of market opportunity out there as this market grows.”

Illustration: Dom Guzman

Stay up to date with recent funding rounds, acquisitions, and more with the Crunchbase Daily.

Copy link