Castle, a San Francisco-based startup that’s setting out to help businesses keep their customers’ online accounts safe from fraud, has raised $9.2 million in a series A round of funding from Index Ventures, with participation from Y Combinator, First Round Capital, F-Prime Capital Partners, and a host of individual angel investors.
Founded in 2015, Castle works with web and app developers who want to offer greater security inside their consumer-facing apps. Castle’s technology helps prevent all manner of account takeover (ATO) efforts, both through manual attempts and automated methods including credential stuffing.
In 2017, identify fraud cost 17 million U.S. consumers $17 billion, according to a report by Javelin Strategy & Research, with “account takeover” constituting more than $5 billion of the losses. A separate report last year by Shape Security noted that credential stuffing, specifically, costs U.S. businesses around $5 billion a year. While all the big banks and major technology companies such as Apple, Amazon, and Google are well-resourced to protect users’ online accounts from third-party chicanery, the same can’t always be said for smaller companies who may not be able to offer the same kinds of protection. And that is the problem that Castle is looking to fix.
“It’s getting increasingly harder and more complex to keep users’ online accounts and data safe,” noted Castle CEO and cofounder Johan Brissmyr. “The onus is often on the consumer to come up with complex passwords and other security measures. We want to flip that responsibility to businesses and empower every one of them to offer bank-grade account security without compromising user experience.”
For third-party developers to integrate Castle’s security smarts into their mobile apps and websites, they just need to insert a little bit of code — and Castle does the rest. Its approach is pretty much entirely automated, meaning there is no supervision by teams of expensive security personnel. Artificial intelligence (AI) and machine learning is the name of the game, but its technology is very much led by end-user behavior and feedback. It improves and responds based on how someone typically interacts with the app, including how they usually log-in and reset their passwords.
In short, Castle monitors user behavior over time, and if anything happens out-of-the-ordinary — such as an unusual login from a new location — Castle kicks into action.
The platform also serves up data and insights into every threat and security event it detects, at a device-specific level.
“We want to enable companies to make qualified decisions about security,” Brissmyr continued. “At every point, we want to help companies reduce friction for their users, so that security is embedded into the overall user experience. To do that, companies need to have a deep understanding of how users react to different security measures. Castle provides that insight.”
Prior to now, Castle had raised just $2.4 million in funding, and with another $9.2 million in the bank, it will be better financed to grow its platform and keep apace with other well-financed players in the automated cybersecurity realm.
Sift Science, for example, meshes big data and machine learning to detect fake accounts, payment fraud, account takeover, and more — last year it raised $53 million from some big-name investors. Elsewhere, Shape Security helps websites and apps prevent automated attacks through constantly changing their source code — it raised a further $26 million just a few months ago. And last year, PayPal paid $120 million to buy out machine learning-powered fraud detection startup Simility.
2019 is continuing on the cybersecurity funding trajectory of recent years, with some big rounds raised so far this year. One of the reasons is the increasing amount of data-breaches and hacks that are infiltrating both the consumer and enterprise spheres. Some studies also suggest that the global cybersecurity workforce will be short by around 2 million people in the coming years, so platforms that bring more automation to the fold can only help plug this gap.
“Security is the primary concern on everyone’s mind today and the Castle team has figured out an approachable way to make the online world more secure for everyone,” added Index Ventures’ partner Shardul Shah, who also now joins Castle’s board of directors. “In a short amount of time, they’ve built a strong technology platform and onboarded some great customers because of their accessible, yet disciplined approach. I think they have the opportunity to become one of the most trusted names in security.”
Castle was founded originally out of Malmö, Sweden, but its two founders moved to the Bay Area in 2016 to participate in Y Combinator. The company’s headquarters remains in the U.S. today, but it still maintains offices in Sweden, in addition to Poland.