Bot protection firm Kasada lands $23M to abolish the CAPTCHA

Kasada, which today announced a $23 million series C funding round, said it’s finding growing demand from large enterprises for its “modern” bot protection technologies, which are used to halt automated attacks without the need for annoying CAPTCHA challenges. The New York- and Sydney, Australia-based company has added a number of Fortune 50 customers and seen an 80% increase in its customer count in the past 18 months, and has begun eyeing a possible expansion of its technology into other areas of application security as well, Kasada founder and CEO Sam Crowther told VentureBeat.

Bot attacks—such as distributed denial of service (DDoS), content scraping, and online fraud—have grown even more prevalent in 2021, with the volume of automated attacks up 41% during the first half of the year, a report from LexisNexis Risk Solutions found. Bot attacks now cost businesses 3.6% of their revenue on average, according to a recent report from Netacea—and there are indicators that automated attacks are increasing in sophistication, too.

“Bot attacks have evolved – and first-generation bot mitigation solutions simply cannot keep up,” Crowther said in an email.

Stopping bots

Such solutions rely on IP addresses, device fingerprinting, and behavioral analytics, which “have become ineffective,” he said. “Modern bots look and act just like humans. They disguise themselves with residential proxy networks, new developer tools such as Puppeteer and Playwright, anti-detect browsers, customized stealth plugins, and digital harvesting techniques – all which make them even more difficult to detect.”

To defend against today’s bots, Kasada has developed a solution focused on rapidly adapting to new automated threats—without the need for manual intervention—which is ultimately more effective at detecting and stopping malicious automation, Crowther said.

“We are the first to apply a zero-trust philosophy to mitigating bots, allowing us to stop new, never seen before bots, without having to analyze their behavior,” he said. “We’ve also eliminated the need for CAPTCHAs, which humans hate and fraudsters can easily work their way around.”

Driven in part by machine learning (ML) capabilities, Kasada’s platform provides protection against bot attacks across web, mobile, and API channels. The product stops automated attacks in real-time—prior to their entering a customer’s infrastructure, according to the company.

In addition to not depending on CAPTCHAs, Kasada says it also differs from other bot mitigation products by not requiring risk scores or configuring rules.

Additionally, Kasada’s product stands out because it’s easier to use than competing platforms, which often require specialized resources to manage, Crowther said.

Version 2 of the company’s platform, released in March, included enhancements such as 15 times more client interrogation sensors to help ensure detection of particularly stealthy automation tools.

Customer traction

Kasada now counts “many of the largest Fortune 50 and ASX 50 businesses in the U.S. and Australia” as customers, Crowther said. The majority of the company’s revenue now derives from the U.S., he said.

The company’s 80% increase in customers has come since raising its series B round in June 2020, though the total number of customers was not disclosed. Altogether, Kasada says that its customer base does more than $20 billion in e-commerce transactions annually and has hundreds of millions of associated account logins.

Customers that have been disclosed include Hyatt, Empire Cat, AGL, True Alliance, and the Sydney Opera House.

Kasada is “rapidly capturing market share because [stopping bots] is our singular focus”—unlike anti-bot competitors that have an array of different product offerings—”and our modern architecture is more agile,” Crowther said.

Eighty-five percent of the company’s customers were using a different anti-bot provider prior to contacting Kasada, he said.

Product plans

While AI and ML are important tools for bot detection—and are deployed to help power Kasada’s product—they are not the full solution because they rely on historical data, meaning “they simply cannot stop bots on the first request,” Crowther said. “This makes systems that rely fully on AI and ML vulnerable to bots that mimic human traffic, as they can easily trick machine learning models.”

As a result, Kasada has taken a hybrid approach that combines server-side data analytics and real-time, client-side protection, adding multiple layers of protection, he said.

In 2022, the company plans to release new functionality that will strengthen its defenses even further on both the client side and server side, according to Crowther.

“The data we collect can also provide additional insights for our customers – strengthening decision making within their security and other departments – so that is an area we’re looking at as well,” he said.

Meanwhile, many Kasada customers have reported that the traffic traveling across their web application firewall (WAF) has been reduced as a result of using the company’s product, Crowther said.

“This opened our eyes to the possibility of applying our anti-automation competency towards other areas of AppSec, as we’re simpler to use and more effective than what’s out there today,” he said.

Growth funding

Kasada plans to use the funding from its series C round to ramp up sales in the U.S. and expand its development, support, and marketing departments teams worldwide. The company currently employs 70.

The series C round was led by StepStone Group, an investment firm that acquired venture capital firm Greenspring Associates in September. Existing investors that took part in the round were Ten Eleven Ventures, Main Sequence Ventures, Reinventure, Our Innovation Fund, and Turnbull & Partners.

Kasada has now raised $39 million in funding since it was founded in 2015. Crowther previously worked on a red team at an Australian investment bank, Macquarie Group, and earlier worked for the Australian government’s cybersecurity agency.

“These roles inspired me to found Kasada in 2015 with the goal of making application security easy to use for defenders, but difficult for bad actors to reverse engineer,” he said.