Shape Security

 

“Defense against malicious automated cyber-attacks on web and mobile applications”

Founded: 2011 in California, USA

Category: Cybersecurity

Primary office: Santa Clara, California (USA)

Core technical team: Santa Clara, California (USA)

Status: Private

Employees: 251-500

Amount raised: $183 million (6 rounds – 12 September 2019)

OVERVIEW

  • Provides defense against malicious automated cyber attacks on web and mobile applications.
  • Shape has deflected over $1B in fraud losses for major retailers, financial institutions, airlines, and government agencies

 

PERFORMANCE METRICS

  • Valuation – $1 billion (2019)
  • Revenue – $120 million/year (2018)

 

ACHIEVEMENTS

  • Shape protects more accounts from fraud than everyone else in the world combined
  • Shape protects over 4 Billion transactions per week from imitation attacks
  • Shape protects over 1.4 Billion online accounts from credential stuffing attacks
  • Shape blocks more than 2 Billion fraudulent log-in attempts and other transactions while ensuring more than 200 million legitimate human transactions are kept safe (without any user friction – e.g., no CAPTCHA or multi-factor authentication)
  • Identified that a single attacker created a fraudulent account on a retailer’s website every 3 seconds for a week
  • Shape prevented over $3 million in fraud in the first month of deployment of advanced fraud detection product at Top 5 US Bank
  • Shape Enterprise Defense identified that 98.5% of all traffic on a luxury retailer’s gift card balance web application was automated; attackers were using the card balance lookup application 100x more often than real customers. Product deployment stopped the automated attacks.
  • Reduced unwanted scraping (25% of all search traffic) at a specific URL
  • Protects against attacks on financial institutions and aggregators.
  • Shape sees over 30 million credential stuffing attacks per day and protects over 100 million real human logins per day
  • Shape protects over 50% of US banking online transactions

Sells

Solutions (All solution names trademarked):

  • SHAPE DEFENSE – Artificial Intelligence (AI) powered web and mobile fraud protection for organizations of all sizes
    • Problem: Attackers on websites and mobile apps drive fraud, risk, and bad experiences
    • Solution: Company benefits from the visibility, detection and mitigation outcomes they need to slash fraud, reduce cloud hosting, bandwidth and compute costs, improve user experiences, and optimize their business based on real human traffic. Focuses on account takeover, scraping, carding, gift card attacks, inventory hoarding, and marketing fraud. Two stages: SHAPE real-time component (identifies and stops bad users in real-time) and SHAPE AI cloud (analyzes all transactions)
  • SHAPE ENTERPRISE DEFENSE – Comprehensive, bespoke implementation and web and mobile fraud protection
    • Problem: Attackers use company’s web and mobile apps as designed
    • Solution: Shape differentiates between good users and bad actors. Fully managed service so that attacks are deflected with virtually no effort from enterprise employees
  • BLACKFISH – Proactive user credential defense
    • Problem: Recycling of passwords
    • Solution: Blackfish alerts company in real-time if and when malicious actors are actively using customer or employee credentials elsewhere
  • API DEFENSE – Visibility and mitigation options to protect HTTP-based Application Program Interfaces (APIs)
    • Problem: Attacks on HTTP APIs compromise site security and performance
    • Solution: Inoculate HTTP APIs from data harvesting and malicious attacks.
  • MANUAL-ATTACK DEFENSE – Protection against manual labor farm attacks on web applications
    • Problem: Criminals are launching manual fraud against digital properties
    • Solution: Add-on service for Shape Enterprise Defense; such attacks target high-value targets

Channels

  • Sectoral channels
  • Solutions designed especially for banks and credit card issuers – fulfill Payment Card Industry Data Security Standard (PCI DSS) 6.6, eliminate visible multi-factor authorization, reduce manual reviews
  • Solutions designed with e-commerce in mind – fulfill PCI DSS 6.6, reduce friction during checkout, save fraud analyst time
  • Why Silicon Valley chooses Shape – flexible deployment models, frictionless user interface, the dataset (trained on 500 million transactions per day, including 100 million real human logins)
  • High-tech defense for the public sector – maintain public trust, meet accessibility requirements, benefit from fully managed services
  • Travel – reduce call center volume, meet accessibility requirements, scale fraud team
  • Events – e.g., regular briefings

Competencies

  • Leverages artificial intelligence and machine learning to defeat attackers and prevent fraud
  • Through years of defending the world’s largest companies, Shape has developed the expertise to identify not only whether a request was made by a bot or a human, but also whether its intent is malicious or benign.
  • Experts on fraud – attack vectors and mitigation
  • Leverage intelligence collected across the entire Shape network
  • Use supervised machine learning to detect and mitigate human-powered credential stuffing attacks – construct fraud signatures

Resources

Assets

  • Shape’s SDK (Software Development Kit) is deployed on more than 200 million iOS and Android devices worldwide
  • SHAPE DEFENSE is Payment Card Industry Data Security Standard compliant
  • Shape’s artificial intelligence cloud deploys new countermeasures based on learning from across Shape’s customer network
  • Huge dataset that is used to develop machine learning models

Processes

  • Collective customer defense – once an attack technique is observed all other Shape customers are also protected
  • Shape Enterprise Defense is architecturally agnostic – unified security posture across all channels
  • Shape defense engine can be on-premise, Shape hosted, or on the Shape cloud

Priorities

  • Defense against malicious automated cyber-attacks on web and mobile applications
  • 0-friction to end users (e.g., no CAPTCHAs)

Assertions That Best Describe What the Company Did to Scale Early, Rapidly & Securely

  1. Increase profitability by learning to make well-reasoned decisions or conclusions about how to scale from own experience and others
  2. Increase demand of products and services by combining two or more resources in a way that the value created from them exceeds the sum of the value created from each resource separately
  3. Develop and sell products that address a problem, job to be done or a need that is shared by a large and growing number of individuals and organizations in various regions to increase sales
  4. Increase sales by offering a variety of products and services to each market
  5. Increase demand by using scientific and technological advances to develop innovative products and services
  6. Increase profitability by applying processes that make products and services easier to understand, produce and deliver
  7. Increase the company’s value by continuously seeking and receiving funding to support the company’s plan to scale and improve its image in the marketplace

Contributors

  • Dan Craigen