INSIGHT

Why we invested in Escape

Investment thesis

by François Kergaravat, Associate, and Julien-David Nitlech, Managing Partner

Escape is enabling developers to secure their APIs at any stage of the development process

We are thrilled to announce Escape's €3.6m Seed round as the startup is a Security company on a mission to make Dynamic Application Security Testing cool again, with a focus on Attack Surface Management and APIs.
What makes us so excited about Escape is the quality of the tech platform, combined with a strong conviction on the team and the approach, enabling developers to secure their APIs at any stage of the development process.

API Security is a key component of Application Security

APIs are facilitating the shift from monolithic applications (an app conceived as one unified entity) to microservices (a set of smaller, independently deployable services): API usage is thus skyrocketing. 51% of respondents to Postman's 2022 State of the API Report said that more than half of their organization's development effort is spent on APIs. Consequently, APIs have become a large part of the application attack surface, as an entry point to massive amounts of information and systems. Google Cloud's 2022 API Security Research Report states that 62% of IT Decision Makers reported an API security incident in the past 12 months.

Google Cloud’s survey on 500 leading tech companies in the US.

Some examples of API security incidents:

  • T-Mobile revealed in January that a threat actor stole the personal information of 37 million customer accounts via an exposed API (which they exploited between November 25, 2022 and January 5, 2023).
  • A vulnerability report on Gorillas’ systems identified critical issues: on top of personal data leaks, the API keys for SendGrid’s email service could be obtained, enabling attackers to send emails on behalf of Gorillas.

The need to “shift left” API security

The later a security issue is discovered, the more costly it is to remediate. API security should thus be dealt with as early as possible, integrated in the continuous integration/continuous delivery (CI/CD) flow.

Current API security solutions operate lengthy “brute-force” scans, which prevents them from being embedded in the development process. As a consequence, current API security testing practices:

(1) slow down the development process: NoName's 2022 API Security report states that among the 350 IT leaders interviewed, 87% believe a more effective integration of API security testing into developer pipeline activities could have prevented project delays.

(2) lack efficiency: according to Salt Security’s State of API Security (Q1 2023), 94% of survey respondents experienced security problems in production APIs within the past year.

Escape’s technology tests APIs during the development process

Escape’s product relies on 4 pillars:

- It automatically lists and updates an organization’s APIs;

- It uses AI and reinforcement learning to understand the business logic of an API and to learn how to interact with it (Escape’s secret sauce, called feedback-driven exploration);

- Every time an API is updated / exposed, it launches a batch of scans, based on sequences of legitimate queries - integrated in the development pipeline;

- It warns the security teams when vulnerabilities are detected, and assists the developers in remediation.

Escape is thus faster than brute-force and manually designed scans - unlocking the ability to be embedded in the development process. The feedback-driven exploration also makes the detection more exhaustive and accurate, with a great security coverage and a limited rate of false positives. The team decided to focus first on GraphQL APIs for go-to-market and R&D reasons. Escape is currently expanding its coverage to support REST (which is more widespread than GraphQL across organizations).

“Escape was able to find and help us fix security flaws that human security auditors have not seen. By doing so as early as during the development process, Escape allows us to always stay secure and ahead of hackers.” Adrien Montfort, CTO, Sorare

This technology was explained to us by a team of brilliant founders, who built Escape fresh out of school, and who nonetheless behave as experienced security and machine learning experts - and entrepreneurs. It is this combination of a strong market need, a unique technology and a great team which convinced us to join Tristan and Antoine in this journey.

Exciting challenges lie ahead for Escape, which is starting to generate a strong commercial momentum, and has a solid roadmap to deliver. We are proud and happy to pursue this path with Tristan and Antoine!

 

Sources:

Salt Security - Q1 2023 State of API Security

https://content.salt.security/state-api-report.html

NoName & 451 Research – 2022 API Security Trends Report

https://nonamesecurity.com/api-security-trends-report

Google Cloud – 2022 API Security Research Report

https://cloud.google.com/resources/api-security-research-report

Postman – 2022 State of the API Report

https://www.postman.com/state-of-api/

Rapid7 – DAST Tools Explained

https://www.rapid7.com/fundamentals/dast/
