APIs have been one of the biggest trends over the past decade in reshaping the way the web works. Developers have embraced them with a vengeance, making them fundamental to the way applications are built and how they interoperate.
A few years ago, Tristan Kalos was building chatbots leveraging APIs when a client called to complain that their chatbot was no longer working because it couldn't access the data. Kalos began to investigate, peeked inside the database, and sure enough, all the data had vanished.
Instead, he found a ransom note from someone who had hacked the database via the API that it used to communicate. Fortunately, Kalos had a backup so no ransom was paid. But it did get him thinking: Surely there must be a tool to prevent such things from happening.
"It made me realize that as a developer when I was exposing applications online and creating APIs connected to the internet, I was putting myself at risk of waking up one morning with every single one hacked because I had introduced a vulnerability or a security flaw inside what I'm building," he said.
Though he searched for such a solution, he couldn't find one that didn't require massive resources to deploy and was fast enough for modern programming needs.
"It should exist, right?" he said.
It didn't. So he built it.
What is Escape?
Escape is an API security platform that helps developers find and fix the security flaws in their APIs. The AI-driven cybersecurity platform offers attack surface monitoring (ASM) and dynamic application security testing (DAST). In layman's terms, that means the platform scans for flaws, proposes fixes, and then keeps an eye out for attacks.
According to Gartner, 91% of APIs lack the most basic security features to fend off hackers, a terrifying prospect given their prevalence.
This vulnerability has both technical and cultural causes. Companies are demanding continuous updates to applications and have ceded tremendous influence to developers to ensure that happens. But security is not often central to this process, which focuses instead on speed and new features. Anything that impedes that flow is seen as a roadblock.
That means that security teams are often scrambling after something has been deployed to assess its potential flaws.
Escape addresses this dynamic with a platform that can conduct proactive assessments of a system to identify flaws, and can also be integrated directly into the development phase to spot vulnerabilities in a way that doesn't slow deployment. It can then continuously monitor the APIs and applications after they are live to spot any flaws that may emerge.
Kalos and co-founder Antoine Carossio met in 2019 when they were both studying at the University of California at Berkeley's Haas School of Business. This French Silicon Valley connection proved to be the right balance of skills and interests.
Kalos had a strong background in machine learning and had originally gone to Berkeley in 2017 to be a research intern, applying ML to environmental policy. Carossio had a security background, having worked as a data scientist for the French Army, and then later moving to Silicon Valley to intern at Apple on machine learning projects.
"I was like, 'Hey, I'm an expert in machine learning and you're an expert in cybersecurity,'" Kalos said. "I've had this problem as a developer that I couldn't secure what I was building. So why don't we build a solution together? We started Escape to solve a problem that I had myself."
Under The Hood
Securing APIs is complex because it's difficult to assess the business logic (the part of the program that contains the business rules that govern which data is created and how it can be stored and modified). That "logic" is created by people who establish those rules which are not always, well, logical, and so it's hard to create an automated tool to test that business logic with the same thoroughness as a human reviewer, Kalos said.
And then there is that question of speed. With DevOps pushing daily updates, any automated tool has to be powerful and fast to not slow that process.
"This is a very hard technical problem," Kalos said. "How do you simulate the behavior of a human auditor on an application in less than three minutes? That was basically how we started. The previous solutions that existed needed 24 hours of computation to work. We needed to get that down to three minutes."
The co-founders recruited a small team of engineers to start experimenting. They attracted outside interest, and Escape raised a $1 million pre-seed round from VCs and business angels.
Development took 1.5 years. Old-school security auditing tools would be run on applications and return 1,000 results, of which 900 weren't relevant, leaving only a smaller subset that were actual problems. Someone would then need to research each one and find a solution.
Escape's AI is more precise when it comes to identifying relevant problems. And then it generates a snippet of code to fix it.
"We needed to create a system that will be able to generate solutions on any security flaw, which is super complicated if you think about it," he said. "It took us one year and a half to make this AI-powered technology work to simulate the behavior of a human auditor."
But that functionality is now in place. Anyone can go to the Escape website, enter the URL of their site, and generate an audit. Each result comes with a fix.
That ease of use and the clarity of the roadmap for fixing the flaws, Kalos said, have been the keys.
The platform now works with GraphQL and OpenAPI and, as of earlier this year, SecureGPT, which is designed for ChatGPT APIs.