Introducing Impart Security
It's been such an exciting time for us here at Impart Security! We've got so much great stuff in the works and have hit a number of milestones as we continue along our journey. As Co-founder and CEO, I've been asked many times why we started Impart, what we're about, and how we're different. Now that we've gotten past some major milestones (including closing a seed round led by CRV, launching our private BETA, and onboarding our first customers), the time is right for me to share a little bit more about our story!
Focusing on the Practitioner Experience is a Winning Strategy
Before Impart Security, I was an early team member and VP of Product at Signal Sciences, the leading Web Application Firewall (WAF) vendor that reinvented the stale WAF category by bringing together real-time analytics and a relentless focus on practitioner experience. At Signal Sciences, my co-founders and I worked closely with Andrew Peterson, Nick Galbreath, and Zane Lackey to transform the decades-old WAF market, generate new interest and excitement in a stale category, and change the expectations of security practitioners everywhere, who realized that they could actually love their security tooling.
Our hyper focus on practitioner experience and execution allowed us to build the WAF that practitioners everywhere regarded as the most effective and beloved in the market. Even today, you can see indicators of this enthusiasm on Gartner Peer Insights, with over 250 five-star reviews from real, verified security practitioners. This resulted in a successful exit to Fastly for $825M.
APIs are the next big thing
After our success in the WAF market, my co-founders and I started to realize that the next big thing was going to be API security. From our experience in WAF working with the biggest tech companies in the industry, we saw a clear view into the API future driven by three overarching market trends:
First, the adoption curve of cloud native architectures. The adoption curve of cloud native tech stacks has reached a tipping point. At this point, almost every new application is built in the cloud first, which is driving a host of subsequent technology changes into modern API infrastructures. Service mesh, serverless, and microservice architectures are the new standard, and they are extremely API-intensive, with the trend only accelerating. Most of my previous customers were already well on their way down this journey, and we saw that key technologies (for example, Istio and Envoy) were clearly overtaking traditional tech stacks even in the more traditional enterprise space.
Second, the change in business norms. In addition to making developers' lives easier, the cloud has also enabled the rapid deconstruction and reconstruction of entire industries from a business standpoint. Applications which used to be built entirely in-house are now largely being stitched together from free open source software, third-party partner APIs, and SaaS providers. Most of my customers in financial services were seeing these changes disrupt their core business model, which had a number of second- and third-degree effects in their technology and security stacks.
Third, the change in attacker behavior. Unfortunately, consumers are not the only ones whose behavior is changing as a result of these technology and business trends. Attackers have also noticed, and are exploiting not only the increasingly large attack surface but also the fuzzy boundaries between a customer's data and their services, with increasing frequency. Gone are the days of simple brute-force attacks; in their place are more sophisticated, targeted attacks that exploit the business logic of APIs themselves.
The API Security Experience Hasn’t Improved
When looking at the API security market, we saw many parallels between the API Market and the WAF market we had come from.
Like the WAF market, the API security market has been around for many years, and like the WAF market, it has seen very little innovation or new approaches to solving the growing industry challenges. For example, in our early research, one of the things we were surprised to discover was that tools that generate documentation from API specifications have existed, largely unchanged, for the last decade without any significant innovation, despite the massive increase in documentation drift in the industry.
We saw the lack of attention paid to the overall user experience in API security as an opportunity for us to disrupt the API security market with the same approach that made us successful in disrupting the WAF space.
API Security is a Different Problem to Solve
Although APIs have been around for a long time, the way that modern applications are built using APIs has introduced a fundamental gap between the API security space and the traditional web application security market.
The first difference is that APIs require practitioners to answer different questions. With traditional application security, practitioners merely needed to focus on answering WHAT, WHERE, and HOW questions. Filter out the bad WHAT, WHERE, and HOW answers and you were mostly secure. For example, you could filter out the SQLI payloads (the what) coming from a bad ASN or IP (the where) that were spamming your entire web application (the how).
The difference with API security is that practitioners also need to answer WHO and WHY questions. Should this user be accessing this data? Should they be accessing this data in this specific situation? Getting the answers to these questions in an easy-to-use way is a much trickier process that requires a deeper empathy for the experience of a security practitioner, and we see this as a significant opportunity and an unsolved problem.
The second difference is that API attacks are different. With traditional web applications, attacks are fairly easy to spot using signatures, lists of IPs, or regex rules. With an API attack, all of those methods start to break down, as attackers can use completely normal-looking requests and responses to recon and compromise critical systems and data. Only by understanding the design and intent of an API can this type of attack be identified and prevented.
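To make the WHAT/WHERE/HOW versus WHO/WHY distinction concrete, and the point that an API attack can look like a perfectly normal request, here is an added example that is not Impart's code or product: a toy Python filter in which a signature-and-IP check passes a request for another user's account, and only an ownership check that knows the caller's identity catches it. The block list, SQLi pattern, account table, and request values are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from the post): a source block list, a crude
# SQLi signature, and a resource-to-owner table standing in for the API's
# own knowledge of who is allowed to see what.
BLOCKED_IPS = {"203.0.113.7"}
SQLI_PATTERN = re.compile(r"('|--|\bor\b\s+1\s*=\s*1|union\s+select)", re.IGNORECASE)
ACCOUNT_OWNER = {"acct-7": "alice", "acct-42": "bob"}  # object id -> owning user


@dataclass
class Request:
    src_ip: str       # the WHERE
    user: str         # authenticated identity: the WHO
    path: str         # the WHAT (route and object)
    query: str = ""   # the WHAT (payload)


def waf_decision(req: Request) -> str:
    """WHAT / WHERE / HOW only: payload signature and source reputation."""
    if req.src_ip in BLOCKED_IPS:
        return "block: bad source"
    if SQLI_PATTERN.search(req.path) or SQLI_PATTERN.search(req.query):
        return "block: SQLi signature"
    return "allow"


def api_decision(req: Request) -> str:
    """WHO / WHY: is this identity entitled to this specific object?"""
    m = re.fullmatch(r"/accounts/(acct-\d+)", req.path)
    if not m:
        return "allow"  # not an object-level route in this toy API
    owner = ACCOUNT_OWNER.get(m.group(1))
    if owner is None:
        return "block: unknown object"
    if owner != req.user:
        return "block: object belongs to another user"
    return "allow"


def evaluate(req: Request) -> str:
    """Run the traditional filter first, then the identity-aware check."""
    waf = waf_decision(req)
    return waf if waf != "allow" else api_decision(req)
```

The request for acct-42 carries no payload signature and comes from a clean address, so `waf_decision` reports "allow"; only `api_decision`, which knows that alice does not own that object, blocks it.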
The last key difference is that APIs are, for the most part, built by people other than yourself. This means that there is even less knowledge about the intent and behavior of the APIs that comprise your application than there would be in a traditional web application, where you would at least have the opportunity to examine the source code of an open source component. With an API, you are reliant on self-attestations and compliance claims from any third-party API that you're using, and have limited ability to guarantee or even evaluate the veracity or effectiveness of these claims.
We have a Great Team to Tackle This Problem
When thinking about the problem and the opportunity, what excited us the most was that we have the perfect team to solve these problems the right way.
The first thing you need to solve these problems is world class product and technology execution capabilities, which is a strength of our founding team. Coming from product and technology backgrounds, our team brings a proven track record of building winning security products from companies like Signal Sciences, Edgecast, Verizon, and more. Because our team has been successful building products for over a decade already, we are extremely confident in our ability to execute on an amazing security experience again for our end users.
The second thing you need to solve this problem is advanced data capabilities: the ability to analyze large volumes of data in real time, and to build extremely intelligent machine learning models that classify and make decisions on this data without requiring additional maintenance. Our CTO, Marc Harrison, was the Chief Architect at Signal Sciences and, with over 25 years of data engineering experience, is the perfect fit for our team and the problem space.
The last ingredient is deep security expertise from people who have seen the ins and outs of the security industry and have a proven track record of building security programs and security companies. Through our prior experiences, we've been able to build a deep network of security practitioners and leaders at some of the world's best companies who wanted to help, which we'll be announcing soon!
We’re just getting started
Bringing it all together, it made perfect sense to start a new company to tackle this industry-wide problem. I'm thrilled to be working with my co-founders, Brian and Marc, as well as the early team members, investors, and advisors who have joined us along the way. We've been hitting milestone after milestone and I'm so excited to start telling our story.
Going forward, I'm super excited about the future of Impart Security. We have a massive industry problem to solve in front of us, we have an amazing team, and we've been firing on all cylinders building our company and our product. I'd love the chance to tell you more: learn more at our website at www.impart.security or sign up for the BETA if you'd like to try us out.
We have so much more to share about our story, and this is just the beginning. Stay tuned for more, and thanks for being part of the journey!
JD