DataFleets keeps private data useful, and useful data private, with federated learning and $4.5M seed

As you may already know, there’s a lot of data out there, and some of it could actually be pretty useful. But privacy and security considerations often put strict limitations on how it can be used or analyzed. DataFleets promises a new approach by which databases can be safely accessed and analyzed without the possibility of privacy breaches or abuse — and has raised a $4.5 million seed round to scale it up.

To work with data, you need to have access to it. If you’re a bank, that means transactions and accounts; if you’re a retailer, that means inventories and supply chains, and so on. There are lots of insights and actionable patterns buried in all that data, and it’s the job of data scientists and their ilk to draw them out.

But what if you can’t access the data? After all, there are many industries where it is not advised or even illegal to do so, such as in health care. You can’t exactly take a whole hospital’s medical records, give them to a data analysis firm, and say “sift through that and tell me if there’s anything good.” These, like many other data sets, are too private or sensitive to allow anyone unfettered access. The slightest mistake — let alone abuse — could have serious repercussions.

In recent years a few technologies have emerged that allow for something better, though: analyzing data without ever actually exposing it. It sounds impossible, but there are computational techniques for allowing data to be manipulated without the user ever actually having access to any of it. The most widely used one is called homomorphic encryption, which unfortunately produces an enormous, orders-of-magnitude reduction in efficiency — and big data is all about efficiency.

This is where DataFleets steps in. It hasn’t reinvented homomorphic encryption, but has sort of sidestepped it. It uses an approach called federated learning, where instead of bringing the data to the model, they bring the model to the data.

DataFleets integrates with both sides of a secure gap between a private database and people who want to access that data, acting as a trusted agent to shuttle information between them without ever disclosing a single byte of actual raw data.

Illustration showing how a model can be created without exposing data.

Image Credits: DataFleets

Here’s an example. Say a pharmaceutical company wants to develop a machine learning model that looks at a patient’s history and predicts whether they’ll have side effects with a new drug. A medical research facility’s private database of patient data is the perfect thing to train it. But access is highly restricted.

The pharma company’s analyst creates a machine learning training program and drops it into DataFleets, which contracts with both them and the facility. DataFleets translates the model to its own proprietary runtime and distributes it to the servers where the medical data resides; within that sandboxed environment, it runs and grows into a strapping young ML agent, which when finished is translated back into the analyst’s preferred format or platform. The analyst never sees the actual data, but has all the benefits of it.

Screenshot of the DataFleets interface. Look, it’s the applications that are meant to be exciting.

It’s simple enough, right? DataFleets acts as a sort of trusted messenger between the platforms, undertaking the analysis on behalf of others and never retaining or transferring any sensitive data.
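The "bring the model to the data" pattern described above, as an added example that is not DataFleets' code or part of the original article: a generic federated-averaging loop in which each data holder trains locally and hands back only model weights and a row count. The datasets, feature meanings and function names are constructed for illustration.

```python
import math
import random


def make_site(seed, n):
    """Constructed private dataset for one data holder.

    Each row is ((history_score, dose), had_side_effect). In a real
    deployment these rows would never leave the holder's servers.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x1, x2 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        label = 1 if 2.0 * x1 - 1.0 * x2 > 0 else 0
        rows.append(((x1, x2), label))
    return rows


def predict(w, x):
    """Logistic regression: w = [w_history, w_dose, bias]."""
    z = w[0] * x[0] + w[1] * x[1] + w[2]
    return 1.0 / (1.0 + math.exp(-z))


def local_train(weights, rows, lr=0.5, epochs=5):
    """Runs inside the data holder's environment.

    Takes the current global weights, does a few full-batch gradient
    steps on the local rows, and returns only the updated weights and
    the row count. No row is included in the return value.
    """
    w = list(weights)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in rows:
            err = predict(w, x) - y
            grad[0] += err * x[0]
            grad[1] += err * x[1]
            grad[2] += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, grad)]
    return {"weights": w, "n": len(rows)}


def federated_average(updates):
    """Coordinator side: average the weights, weighted by row count."""
    total = sum(u["n"] for u in updates)
    dim = len(updates[0]["weights"])
    return [
        sum(u["weights"][i] * u["n"] for u in updates) / total
        for i in range(dim)
    ]


def accuracy(w, rows):
    """Fraction of rows where the thresholded prediction matches the label."""
    hits = sum((predict(w, x) > 0.5) == (y == 1) for x, y in rows)
    return hits / len(rows)


def run(rounds=20):
    """Train across two sites; the coordinator only ever sees `updates`."""
    sites = [make_site(1, 200), make_site(2, 300)]
    w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [local_train(w, rows) for rows in sites]
        w = federated_average(updates)
    return w, sites


if __name__ == "__main__":
    model, sites = run()
    print("global weights:", [round(v, 3) for v in model])
    for i, rows in enumerate(sites):
        print("site", i, "accuracy:", round(accuracy(model, rows), 3))
```

Keeping rows on site does not by itself stop the returned weights from leaking information about individual records, so the update payload is the thing to review and constrain.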

Plenty of folks are looking into federated learning; the hard part is building out the infrastructure for a wide-ranging enterprise-level service. You need to cover a huge amount of use cases and accept an enormous variety of languages, platforms, and techniques, and of course do it all totally securely.

“We pride ourselves on enterprise readiness, with policy management, identity access management, and our pending SOC 2 certification,” said DataFleets COO and co-founder Nick Elledge. “You can build anything on top of DataFleets and plug in your own tools, which banks and hospitals will tell you was not true of prior privacy software.”

But once federated learning is set up, all of a sudden the benefits are enormous. For instance, one of the big issues today in combating COVID-19 is that hospitals, health authorities, and other organizations around the world are having difficulty, despite their willingness, in securely sharing data relating to the virus.

Everyone wants to share, but who sends whom what, where is it kept, and under whose authority and liability? With old methods, it’s a confusing mess. With homomorphic encryption it’s useful but slow. With federated learning, theoretically, it’s as easy as toggling someone’s access.

Because the data never leaves its “home,” this approach is essentially anonymous and thus highly compliant with regulations like HIPAA and GDPR, another big advantage. Elledge notes: “We’re being used by leading healthcare institutions who recognize that HIPAA doesn’t give them enough protection when they are making a data set available for third parties.”

Of course there are less noble, but no less viable, examples in other industries: wireless carriers could make subscriber metadata available without selling out individuals; banks could sell consumer data without violating anyone in particular’s privacy; bulky datasets like video can sit where they are instead of being duplicated and maintained at great expense.

The company’s $4.5M seed round is seemingly evidence of confidence from a variety of investors (as summarized by Elledge): AME Cloud Ventures (Jerry Yang of Yahoo!) and Morado Ventures, Lightspeed Venture Partners, Peterson Ventures, Mark Cuban, LG, Marty Chavez (President of the Board of Overseers of Harvard), Stanford-StartX fund, and three unicorn founders (Rappi, Quora, and Lucid).

With only 11 full time employees DataFleets appears to be doing a lot with very little, and the seed round should enable rapid scaling and maturation of its flagship product. “We’ve had to turn away or postpone new customer demand to focus on our work with our lighthouse customers,” Elledge said. They’ll be hiring engineers in the U.S. and Europe to help launch the planned self-service product next year.

“We’re moving from a data ownership to a data access economy, where information can be useful without transferring ownership,” said Elledge. If his company’s bet is on target, federated learning is likely to be a big part of that going forward.


By Devin Coldewey

Contrast launches its security observability platform

Contrast, a developer-centric application security company with customers that include Liberty Mutual Insurance, NTT Data, AXA and Bandwidth, today announced the launch of its security observability platform. The idea here is to offer developers a single pane of glass to manage an application’s security across its lifecycle, combined with real-time analysis and reporting, as well as remediation tools.

“Every line of code that’s happening increases the risk to a business if it’s not secure,” said Contrast CEO and chairman Alan Nauman. “We’re focused on securing all that code that businesses are writing for both automation and digital transformation.”

Over the course of the last few years, the well-funded company, which raised a $65 million Series D round last year, launched numerous security tools that cover a wide range of use cases from automated penetration testing to cloud application security and now DevOps — and this new platform is meant to tie them all together.

DevOps, the company argues, is really what necessitates a platform like this, given that developers now push more code into production than ever — and the onus of ensuring that this code is secure is now also often on them.

Traditionally, Nauman argues, security services focused on the code itself and looking at traffic.

“We think at the application layer, the same principles of observability apply that have been used in the IT infrastructure space,” he said. “Specifically, we do instrumentation of the code and we weave security sensors into the code as it’s being developed and are looking for vulnerabilities and observing running code. […] Our view is: the world’s most complex systems are best when instrumented, whether it’s an airplane, a spacecraft, an IT infrastructure. We think the same is true for code. So our breakthrough is applying instrumentation to code and observing for security vulnerabilities.”

With this new platform, Contrast is aggregating information from its existing systems into a single dashboard. And while Contrast observes the code throughout its lifecycle, it also scans for vulnerabilities whenever a developer checks code into the CI/CD pipeline, thanks to integrations with most of the standard tools like Jenkins. It’s worth noting that the service also scans for vulnerabilities in open-source libraries. Once deployed, Contrast’s new platform keeps an eye on the data that runs through the various APIs and systems the application connects to and scans for potential security issues there as well.

The platform currently supports all of the large cloud providers like AWS, Azure and Google Cloud, and languages and frameworks like Java, Python, .NET and Ruby.


By Frederic Lardinois

Application security platform NeuraLegion raises $4.7 million seed led by DNX Ventures

A video call group photo of NeuraLegion’s team working remotely around the world

Application security platform NeuraLegion announced today it has raised a $4.7 million seed round led by DNX Ventures, an enterprise-focused investment firm. The funding included participation from Fusion Fund, J-Ventures and Incubate Fund. The startup also announced the launch of a new self-serve, community version that allows developers to sign up on their own for the platform and start performing scans within a few minutes.

Based in Tel Aviv, Israel, NeuraLegion also has offices in San Francisco, London, and Mostar, Bosnia. It currently offers NexDAST for dynamic application security testing, and NexPLOIT to integrate application security into SDLC (software development life-cycle). It was launched last year by a founding team that includes chief executive Shoham Cohen, chief technology officer Bar Hofesh, chief scientist Art Linkov, and president and chief commercial officer Gadi Bashvitz.

When asked who NeuraLegion views as its closest competitors, Bashvitz said Invicti Security and WhiteHat Security. Both are known primarily for their static application security testing (SAST) solutions, which Bashvitz said complement DAST products like NeuraLegion’s.

“These are complementary solutions and in fact we have some information partnerships with some of these companies,” he said.

Where NeuraLegion differentiates from other application security solutions, however, is that it was created specifically for developers, quality assurance and DevOps workers, so even though it can also be used by security professionals, it allows scans to be run much earlier in the development process than usual while lowering costs.

Bashvitz added that NeuraLegion is now used by thousands of developers through their organizations, but it is releasing its self-serve, community product to make its solutions more accessible to developers, who can sign up on their own, run their first scans and get results within fifteen minutes.

In a statement about the funding, DNX Ventures managing partner Hiro Rio Maeda said, “The DAST market has been long stalled without any innovative approaches. NeuraLegion’s next-generation platform introduces a new way of conducting robust testing in today’s modern CI/CD environment.”


By Catherine Shu

Zoom to start first phase of E2E encryption rollout next week

Zoom will begin rolling out end-to-end encryption to users of its videoconferencing platform from next week, it said today.

The platform, whose fortunes have been supercharged by the pandemic-driven boom in remote working and socializing this year, has been working on rebooting its battered reputation in the areas of security and privacy since April — after it was called out on misleading marketing claims of having E2E encryption (when it did not). E2E is now finally on its way though.

“We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days,” it writes in a blog post. “Zoom users — free and paid — around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.”

Zoom acquired Keybase in May, saying then that it was aiming to develop “the most broadly used enterprise end-to-end encryption offering”.

However, initially, CEO Eric Yuan said this level of encryption would be reserved for fee-paying users only. But after facing a storm of criticism the company enacted a swift U-turn — saying in June that all users would be provided with the highest level of security, regardless of whether they are paying to use its service or not.

Zoom confirmed today that Free/Basics users who want to get access to E2EE will need to participate in a one-time verification process — in which it will ask them to provide additional pieces of information, such as verifying a phone number via text message — saying it’s implementing this to try to reduce “mass creation of abusive accounts”.

“We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users,” it writes.

Next week’s roll out of a technical preview is phase 1 of a four-stage process to bring E2E encryption to the platform.

This means there are some limitations — including on the features that are available in E2EE Zoom meetings (you won’t have access to join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions); and on the clients that can be used to join meetings (for phase 1 all E2EE meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms). 

The next phase of the E2EE rollout — which will include “better identity management and E2EE SSO integration”, per Zoom’s blog — is “tentatively” slated for 2021.

From next week, customers wanting to check out the technical preview must enable E2EE meetings at the account level and opt-in to E2EE on a per-meeting basis.

All meeting participants must have the E2EE setting enabled in order to join an E2EE meeting. Hosts can enable the E2EE setting at the account, group, and user level, and the setting can be locked at the account or group level, Zoom notes in an FAQ.

The AES 256-bit GCM encryption that’s being used is the same as Zoom currently uses but here combined with public key cryptography — which means the keys are generated locally, by the meeting host, before being distributed to participants, rather than Zoom’s cloud performing the key generating role.

“Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” it explains of the E2EE implementation.

If you’re wondering how you can be sure you’ve joined an E2EE Zoom meeting: a dark padlock will be displayed atop the green shield icon in the upper left corner of the meeting screen. (Zoom’s standard GCM encryption shows a checkmark here.)

Meeting participants will also see the meeting leader’s security code — which they can use to verify the connection is secure. “The host can read this code out loud, and all participants can check that their clients display the same code,” Zoom notes.


By Natasha Lomas

Okta adds new no-code workflows that use identity to trigger sales and marketing tasks

It seems that no-code is the tech watchword of the year. It refers to the ability to create something that normally would require a developer to code, and replace it with dragging and dropping components instead, putting the task in reach of much less technical business users. Today Okta announced new no-code workflows that provide a way to use identity as a trigger to launch a customer-centric workflow.

Okta co-founder and CEO Todd McKinnon says that the company has created a series of connectors to make it easier to connect identity to a workflow that includes sales and marketing tooling. This comes on the heels of the identity lifecycle workflows the company introduced at the Oktane customer conference in April.

“For this release we are introducing customer identity workflows which are focused on the connectors for all the customer-specific systems, things like Salesforce and Marketo and all the customer-centric [applications] that you’d want to do with your customer identities. And you can imagine over time that we’re going to expose this to more and more areas that will cover every kind of scenario a company would want to use,” McKinnon told TechCrunch.

McKinnon says that last year the company introduced Platform Services, which pulled apart the various pieces of the platform and exposed them as individual services, which bigger company customers could tap into as needed. He says that this is an extension of that idea, but instead of having to get engineering talent to write complex code to tie the Okta service into say Salesforce, you can simply drag the Salesforce connector to your workflow.

As McKinnon describes this using early adopter MLB as an example, say someone downloads the MLB app, creates a log-in and signs in. At that point, if MLB marketing personnel wanted to connect to any applications outside of Okta, it would normally require leveraging some programming help to make it happen.

But with the new workflow tools, a marketing person can set up a workflow that checks the log-in for fraud, then sends the person’s information automatically into Salesforce to create a customer record, and also triggers a welcome email in Marketo — and all of this could be triggered automatically by the customer sign-up.

Okta workflows showing what happens when a person downloads an app and creates an identity.

Image Credits: Okta

This functionality was made possible by the $52.5 million acquisition of Azuqua last year. As COO and co-founder Frederic Kerrest wrote in a blog post at the time of the acquisition (and we quoted in the article):

“With Okta and Azuqua, IT teams will be able to use pre-built connectors and logic to create streamlined identity processes and increase operational speed. And, product teams will be able to embed this technology in their own applications alongside Okta’s core authentication and user management technology to build…integrated customer experiences.”

And that’s precisely the kind of approach the company is delivering this week. For now, it’s available as an early adopter program, but as Okta works out the kinks, you can expect them to build on this and add other enterprise workflow connectors to the mix as it expands this vision, giving the company a way to move beyond pure identity management and connect to other parts of the organization.


By Ron Miller

Cisco acquires PortShift to raise its game in DevOps and Kubernetes security

Cisco is making another acquisition to expand its reach in security solutions, this time specifically targeting DevOps and the world of container management. It is acquiring PortShift, an Israeli startup that has built a Kubernetes-native security platform.

Terms of the deal are not being disclosed. PortShift had raised about $5.3 million from Team8, an incubator and backer of security startups in Israel founded by a group of cybersecurity vets. Cisco, along with Microsoft and Walmart, are among the large corporates that back Team8. (Indeed, their participation is in part a way of getting an early look and inside scoop on some of the more cutting edge technologies being built, and in part a way to help founders understand what corporates’ security needs are these days.)

The deal underscores not just how containerization, and specifically Kubernetes, has taken hold of the enterprise world, but also how those working in this area, and building businesses around containerization and Kubernetes, are paying increasing attention to security around them.

Others are also sharpening their focus on containers and how they are secured. Earlier this year, Venafi acquired Jetstack, which runs a certificate controller for Kubernetes; and last month StackRox raised funding for its own approach to Kubernetes security.

Cisco has been a longtime partner of Google’s around cloud services, and it has made a number of acquisitions in the area of cybersecurity in recent years. They have included Duo for $2.35 billion, OpenDNS for $635 million, and most recently Babble Labs (which helps reduce background noise in video calls, something that both improves quality and helps users ensure unwanted or private chatter doesn’t inadvertently get heard by unintended listeners).

But as Liz Centoni, the SVP of the Emerging Technologies and Incubation (ET&I) Group, notes in a blog post, Cisco is now turning its attention also to how it can help customers better secure applications and workloads, alongside the investments that it has made to help secure people.

In the area of containers, security issues can arise around container architecture in a number of ways: it can be due to misconfiguration; or because of how applications are monitored; or how developers use open-source libraries; and how companies implement regulatory compliance. Other security vulnerabilities include the use of insecure container images; problems with how containers interact with each other; the use of containers that have been infected with rogue processes; and having containers not isolated properly from their hosts.

Centoni notes that PortShift interested them because it provides an all-in-one platform covering the many aspects of Kubernetes security:

“Today, the application security space is highly fragmented with many vendors addressing only part of the problem,” she writes. “The Portshift team is building capabilities that span a large portion of the lifecycle of the cloud-native application.”

PortShift provides tools for better container configuration visibility, vulnerability management, configuration management, segmentation, encryption, compliance and automation.

The acquisition is expected to close in the first half of Cisco’s 2021 fiscal year, when the team will join Cisco’s ET&I Group.


By Ingrid Lunden

Axis Security raises $32M to help companies stay secure while working from home

Axis Security launched last year with the idea of helping customers to enable contractors and third parties to remotely access a company’s systems in a safe way, but when the pandemic hit, they saw another use case, one which had been on their road map: helping keep systems secure when employees were working from home.

Today, the company announced a $32 million Series B investment led by Canaan Partners with participation from existing investors Ten Eleven Ventures and Cyberstarts. Today’s round brings the total raised to $49 million, according to Axis.

Gil Azrielant, co-founder and CTO, says that the company was able to make the shift to a work-from-home security scenario so quickly because it had built the product from the ground up to support this vision eventually. The pandemic just accelerated that approach.

“We decided to focus on third parties and contractors at first, but we saw where the puck was going and definitely [designed] the infrastructure to become a full-blown, secure access product. So the infrastructure was there, and we just had to add a few things that were planned for later,” Azrielant told TechCrunch.

He says that the company’s product uses the notion of Zero Trust, which as the name suggests assumes you can’t trust anyone on your system, and works from there. Using a rules-based engine, customers can create a secure environment based on a user’s role.

“What you can see, or what you can do, or what you can download or get to is fully controlled by our Application Access Cloud. This is based on what device you’re using, where you are, who you are, what role you’re in, and what you usually do and don’t do to determine the level of access you are going to get,” he said.

As the startup emerged from stealth last March just three days after the pandemic shut down began in California, it had two main customers — a hotel chain and a pharmaceutical company — and CEO Dor Knafo says that as COVID took hold, “necessity became the mother of adoption.”

He added, “Both accounts came to us and asked us to start pursuing all these employee access use cases, and to us that was incredible because that gave them the push they needed to see the [remote access] vision just as vividly as we do.” Today it has added to that initial pair and while it wouldn’t share an exact number, it reports it has tens of customers.

Today, the startup has 38 employees almost evenly split between San Mateo, California and Tel Aviv in Israel with plans to accelerate hiring to reach 100 people next year. As the company scales, Knafo says that he is trying to build a more diverse group as it moves to hire more people in the coming year.

“Today, we have incentive internally to help us hire in a more diverse way. We invest heavily in that, and we continue to [keep that at top of mind] for everyone in the company,” Knafo said.

Azrielant added that the pandemic has shown employees don’t have to be located near the offices, which have been closed for much of this year, and that opens up more possibilities to build a more diverse workforce because they can hire from anywhere.

With a product that has much utility right now, the company will be using the new influx of cash to help build out its sales and marketing operations and expand sales outside of North America.

“With COVID accelerating and with a shift to work from anywhere, we’ll definitely focus on bringing our products to more enterprises, which are facing this urgent challenge of working from home,” Knafo said.


By Ron Miller

Privacy data management innovations reduce risk, create new revenue channels

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.


By Walter Thompson

Selling a startup can come with an emotional cost

Every founder dreams of building a substantial company. For those who make it through the myriad challenges, it typically results in an exit. If it’s through an acquisition, that can mean cashing in your equity, paying back investors and rewarding long-time employees, but it also usually results in a loss of power and a substantially reduced role.

Some founders hang around for a while before leaving after an agreed-upon time period, while others depart right away because there is simply no role left for them. However it plays out, being acquired can be an emotional shock: The company you spent years building is no longer under your control.

We spoke to a couple of startup founders who went through this experience to learn what the acquisition process was like, and how it feels to give up something after pouring your heart and soul into building it.

Knowing when it’s time to sell

There has to be some impetus to think about selling: Perhaps you’ve reached a point where growth stalls, or where you need to raise a substantial amount of cash to take you to the next level.

For Tracy Young, co-founder and former CEO at PlanGrid, the forcing event was reaching a point where she needed to raise funds to continue.

After growing a company that helped digitize building plans into a $100 million business, Young ended up selling it to Autodesk for $875 million in 2018. It was a substantial exit, but Young said it was more of a practical matter because the path to further growth was going to be an arduous one.

“When we got the offer from Autodesk, literally we would have had to execute flawlessly and the world had to stay good for the next three years for us to have the same outcome,” she said at a panel on exiting at TechCrunch Disrupt last week.

“As CEO, [my] job is to choose the best path forward for all stakeholders of the company — for our investors, for our team members, for our customers — and that was the path we chose.”

For Rami Essaid, who founded bot mitigation platform Distil Networks in 2011, slowing growth encouraged him to consider an exit. The company had reached around $25 million run rate, but a lack of momentum meant that shifting to a broader product portfolio would have been too heavy a lift.


By Ron Miller

Perigee infrastructure security solution from former NSA employee moves into public beta

Perigee founder Mollie Breen used to work for NSA where she built a security solution to help protect the agency’s critical infrastructure. She spent the last two years at Harvard Business School talking to Chief Information Security Officers (CISOs) and fine-tuning that idea she started at NSA into a commercial product.

Today, the solution that she built moves into public beta and will compete at TechCrunch Disrupt Battlefield with other startups for $100,000 and the Disrupt Cup.

Perigee helps protect things like heating and cooling systems or elevators that may lack patches or true security, yet are connected to the network in a very real way. It learns what normal behavior looks like from an operations system when it interacts with the network, such as what systems it interacts with and which individual employees tend to access it. It can then determine when something seems awry and stop an anomalous activity before it reaches the network. Without a solution like the one Breen has built, these systems would be vulnerable to attack.

“Perigee is a cloud-based platform that creates a custom firewall for every device on your network,” Breen told TechCrunch. “It learns each device’s unique behavior, the quirks of its operational environment and how it interacts with other devices to prevent malicious and abnormal usage while providing analytics to boost performance.”

One of the key aspects of her solution is that it doesn’t require an agent, a small piece of software on the device, to make it work. Breen says this is especially important since that approach doesn’t scale across thousands of devices and can also introduce bugs from the agent itself. What’s more, it can use up precious resources on these devices if they can even support a software agent.

“Our sweet spot is that we can protect those thousands of devices by learning those nuances and we can do that really quickly, scaling up to thousands of devices with our generalized model because we take this agentless-based approach,” she said.

By creating these custom firewalls, her company is able to place security in front of the device preventing a hacker from using it as a vehicle to get on the network.

“One thing that makes us fundamentally different from other companies out there is that we sit in front of all of these devices as a shield,” she said. That essentially stops an attack before it reaches the device.

While Breen acknowledges that her approach can add a small bit of latency, it’s a tradeoff that CISOs have told her they are willing to make to protect these kinds of operational systems from possible attacks. Her system is also providing real-time status updates on how these devices are operating, giving them centralized device visibility. If there are issues found, the software recommends corrective action.

It’s still very early for her company, which Breen founded last year. She has raised an undisclosed amount of pre-seed capital. While Perigee is pre-revenue with just one employee, she is looking to add paying customers and begin growing the company as she moves into a wider public beta.


By Ron Miller

Verkada adds environmental sensors to cloud-based building operations toolkit

As we go deeper into the pandemic, many buildings sit empty or have limited capacity. During times like these having visibility into the state of the building can give building operations peace of mind. Today, Verkada, a startup that helps operations manage buildings via the cloud, announced a new set of environmental sensors to give customers even greater insight into building conditions.

The company had previously developed cloud-based video cameras and access control systems. Verkada CEO and co-founder Filip Kaliszan says today’s announcement is about building on these two earlier products.

“What we do today is cameras and access control — cameras, of course provide the eyes and the view into building in spaces, while access control controls how you get in and out of these spaces,” Kaliszan told TechCrunch. Operations teams can manage these devices from the cloud on any device.

The sensor pack that the company is announcing today layers on a multi-function view into the state of the environment inside a building. “The first product that we’re launching along this environmental sensor line is the SV11, which is a very powerful unit with multiple sensors on board, all of which can be managed in the cloud through our Verkada command platform. The sensors will give customers insight into things like air quality, temperature, humidity, motion and occupancy of the space, as well as the noise level,” he said.

There is a clear strategy behind the company’s product road map. The idea is to give building operations staff a growing picture of what’s going on inside the space. “You can think of all the data being combined with the other aspects of our platform, and then begin delivering a truly integrated building and setting the standard for enterprise building security,” Kaliszan said.

These tools, and the ability to access all the data about a building remotely in the cloud, obviously have even more utility during the pandemic. “I think we’re fortunate that our products can help customers mitigate some of the effects of the pandemic. So we’ve seen a lot of customers use our tools to help them manage through the pandemic, which is great. But when we were originally designing this environmental sensor, the rationale behind it were these core use cases like monitoring server rooms for environmental changes.”

The company, which was founded in 2016, has been doing well. It has 4200 customers and roughly 400 employees. It is still growing and actively hiring and expects to reach 500 by the end of the year. It has raised $138.9 million, the most recent coming in January this year, when it raised an $80 million Series C investment led by Felicis Ventures on a $1.6 billion valuation.


By Ron Miller

StackRox nabs $26.5M for a platform that secures containers in Kubernetes

Containers have become a ubiquitous cornerstone in how companies manage their data, a trend that has only accelerated in the last eight months with the larger shift to cloud services and more frequent remote working due to the coronavirus pandemic. Alongside that, startups building services to enable containers to be used better are also getting a boost.

StackRox, which develops Kubernetes-native security solutions, says that its business grew by 240% in the first half of this year, and on the back of that, it is announcing today that it has raised $26.5 million to expand its business into international markets, and to continue investing in its R&D.

The funding, which appears to be a Series C, has an impressive list of backers. It is being led by Menlo Ventures, with Highland Capital Partners, Hewlett-Packard Enterprise, Sequoia Capital and Redpoint Ventures all also participating. Sequoia and Redpoint are previous investors, and the company has raised around $60 million to date.

HPE is a strategic backer in this round:

“At HPE, we are working with our customers to help them accelerate their digital transformations,” said Paul Glaser, VP, Hewlett Packard Enterprise, and Head of Pathfinder. “Security is a critical priority as they look to modernize their applications with containers. We’re excited to invest in StackRox and see it as a great fit with our new software HPE Ezmeral to help HPE customers secure their Kubernetes environments across their full application life cycle. By directly integrating with Kubernetes, StackRox enables a level of simplicity and unification for DevOps and Security teams to apply the needed controls effectively.”

Kamal Shah, the CEO, said that StackRox is not disclosing its valuation, but he confirmed it has definitely gone up. For some context, according to PitchBook data, the company was valued at $145 million in its last funding round, a Series B in 2018. Its customers today include the likes of Priceline, Brex, Reddit, Zendesk and Splunk, as well as government and other enterprise customers, in a container security market that analysts project will be worth some $2.2 billion by 2024, up from $568 million last year.

StackRox first got its start in 2014, when containers were starting to pick up momentum in the market. At the time, its focus was a little more fragmented, not unlike the container market itself: it provided solutions that could be used with Docker containers as well as others. Over time, Shah said that the company chose to hone its focus just on Kubernetes, originally developed by Google and open-sourced, and now essentially the de-facto standard in containerisation.

“We made a bet on Kubernetes at a time when there were multiple orchestrators, including Mesosphere, Docker and others,” he said. “Over the last two years Kubernetes has won the war and become the default choice, the Linux of the cloud and the biggest open source cloud application. We are all Kubernetes all the time because what we see in the market are that a majority of our customers are moving to it. It has over 35,000 contributors to the open source project alone, it’s not just Red Hat (IBM) and Google.” Research from CNCF estimates that nearly 80% of organizations that it surveyed are running Kubernetes in production.

That is not all good news, however, with the interest underscoring a bigger need for Kubernetes-focused security solutions for enterprises that opt to use it.

Shah says that some of the typical pitfalls in container architecture arise when they are misconfigured, leading to breaches; as well as around how applications are monitored; how developers use open-source libraries; and how companies implement regulatory compliance. Other security vulnerabilities that have been highlighted by others include the use of insecure container images; how containers interact with each other; the use of containers that have been infected with rogue processes; and having containers not isolated properly from their hosts.

But Shah noted, “Containers in Kubernetes are inherently more secure if you can deploy correctly.” That is where StackRox’s solutions attempt to help: the company has built a multi-purpose toolkit that provides developers and security engineers with risk visibility, threat detection, compliance tools, segmentation tools and more. “Kubernetes was built for scale and flexibility, but it has lots of controls so if you misconfigure it it can lead to breaches. So you need a security solution to make sure you configure it all correctly,” said Shah.

He added that there has been a definite shift over the years from companies considering security solutions as an optional element into one that forms part of the consideration at the very core of the IT budget — another reason why StackRox and competitors like TwistLock (acquired by Palo Alto Networks) and Aqua Security have all seen their businesses really grow.

“We’ve seen the innovation companies are enabling by building applications in containers and Kubernetes. The need to protect those applications, at the scale and pace of DevOps, is crucial to realizing the business benefits of that innovation,” said Venky Ganesan, partner, Menlo Ventures, in a statement. “While lots of companies have focused on securing the container, only StackRox saw the need to focus on Kubernetes as the control plane for security as well as infrastructure. We’re thrilled to help fuel the company’s growth as it dominates this dynamic market.”

“Kubernetes represents one of the most important paradigm shifts in the world of enterprise software in years,” said Corey Mulloy, General Partner, Highland Capital Partners, in a statement. “StackRox sits at the forefront of Kubernetes security, and as enterprises continue their shift to the cloud, Kubernetes is the ubiquitous platform that Linux was for the Internet era. In enabling Kubernetes-native security, StackRox has become the security platform of choice for these cloud-native app dev environments.”


By Ingrid Lunden

Snyk bags another $200M at $2.6B valuation 9 months after last raise

When we last reported on Snyk in January, eons ago in COVID time, the company announced a $150 million investment on a valuation of over $1 billion. Today, barely nine months later, it announced another $200 million and its valuation has expanded to $2.6 billion.

The company is obviously drawing some serious investor attention and even a pandemic is not diminishing that interest. Addition led today’s round, bringing the total raised to $450 million with $350 million coming this year alone.

Snyk has a unique approach to security, building it into the development process instead of offloading it to a separate security team. If you want to build a secure product, you need to think about it as you’re developing the product and that’s what Snyk’s product set is designed to do — check for security as you’re committing your build to your git repository.

With an open source product at the top of funnel to drive interest in the platform, CEO Peter McKay says the pandemic has only accelerated the appeal of the company. In fact, the startup’s annual recurring revenue (ARR) is growing at a remarkable 275% year over year.

McKay says, even with the pandemic, his company has been accelerating, adding 100 employees in the last 12 months to take advantage of the increasing revenue. “When others were kind of scaling back we invested and it worked out well because our business never slowed down. In fact, in a lot of the industries it really picked up,” he said.

That’s because, as many other founders have pointed out, COVID is speeding up the rate at which many companies are moving to the cloud, and that’s working in Snyk’s favor. “We’ve just capitalized on this accelerated shift to the cloud and modern cloud native applications,” he said.

The company currently has 375 employees with plans to add 100 more in the next year. As it grows, McKay says that he is looking to build a diverse and inclusive culture, something he learned about as he moved through his career at VMware and Veeam.

He says one of the keys at Snyk is putting every employee through unconscious bias training to help limit bias in the hiring process, and the executive team has taken a pledge to make the company’s hiring practices more diverse. Still, he recognizes it takes work to achieve these goals, and it’s always easy for an experienced team to go back to the network instead of digging deeper for a more diverse candidate pool.

“I think we’ve put all the pieces in place to get there, but I think like a lot of companies, there’s still a long way to go,” he said. But he recognizes the sooner you embed diversity into the company culture, the better because it’s hard to go back after the fact and do it.

Addition founder Lee Fixel says he sees a company that’s accelerating rapidly and that’s why he was willing to pour in so big an investment. “Snyk’s impressive growth is a signal that the market is ready to embrace a change from traditional security and empower developers to tackle the new security risk that comes with a software-driven digital world,” he said in a statement.

Snyk was founded in 2015. The founders brought McKay on board for some experienced leadership in 2018 to help lead the company through its rapid growth. Prior to the $350 million in new money this year, the company raised $70 million in 2019.


By Ron Miller

A SonicWall cloud bug exposed corporate networks to hackers

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.


By Zack Whittaker

12 Paris-based VCs look at the state of their city

Four years after the Great Recession, France’s newly elected socialist president François Hollande raised taxes and increased regulations on founder-led startups. The subsequent flight of entrepreneurs to places like London and Silicon Valley portrayed France as a tough place to launch a company. By 2016, France’s national statistics bureau estimated that about three million native-born citizens had moved abroad.

Those who remained fought back: The Family was an early accelerator that encouraged French entrepreneurs to adopt Silicon Valley’s startup methodology, and the 2012 creation of Bpifrance, a public investment bank, put money into the startup ecosystem via investors. Organizers founded La French Tech to beat the drum about native startups.

When President Emmanuel Macron took office in May 2017, he scrapped the wealth tax on everything except property assets and introduced a flat 30% tax rate on capital gains. Station F, a giant startup campus funded by billionaire entrepreneur Xavier Niel on the site of a former railway station, began attracting international talent. Tony Fadell, one of the fathers of the iPod and founder of Nest Labs, moved to Paris to set up investment firm Future Shape; VivaTech was created with government backing to become one of Europe’s largest startup conferences and expos.

Now, in the COVID-19 era, the government has made €4 billion available to entrepreneurs to keep the lights on. According to a recent report from VC firm Atomico, there are 11 unicorns in France, including BlaBlaCar, OVHcloud, Deezer and Veepee. More appear to be coming; last year Macron said he wanted to see “25 French unicorns by 2025.”

According to Station F, by the end of August, there had been 24 funding rounds led by international VCs and a few big transactions. Enterprise artificial intelligence and machine-learning platform Dataiku raised a $100 million Series D round, and Paris-based gaming startup Voodoo raised an undisclosed amount from Tencent Holdings.

We asked 12 Paris-based investors to comment on the state of play in their city:

Alison Imbert, Partech

What trends are you most excited about investing in, generally?

All the fintechs addressing SMBs to help them to focus more on their core business (including banks disintermediation by fintech, new infrastructures tech that are lowering the barrier to entry to nonfintech companies).

What’s your latest, most exciting investment?

77foods (plant-based bacon) — love that alternative proteins trend as well. Obviously, we need to transform our diet toward more sustainable food. It’s the next challenge for humanity.

What are you looking for in your next investment, in general?
Impact investment: Logistic companies tackling the life cycle of products to reduce their carbon footprint and green fintech that reinvent our spending and investment strategy around more sustainable products.

Which areas are either oversaturated or would be too hard to compete in at this point for a new startup? What other types of products/services are you wary or concerned about?
D2C products.

How much are you focused on investing in your local ecosystem versus other startup hubs (or everywhere) in general? More than 50%? Less?
100% investing in France as I’m managing Paris Saclay Seed Fund, a €53 million fund, investing in pre-seed and seed startups launched by graduates and researchers from the best engineering and business schools from this ecosystem.

Which industries in your city and region seem well-positioned to thrive, or not, long term? What are companies you are excited about (your portfolio or not), which founders?
Deep tech, biotech and medical devices. Paris, and France in general, has thousands of outstanding engineers that graduate each year. Researchers are more and more willing to found companies to have a true impact on our society. I do believe that the ecosystem is more and more structured to help them to build such companies.

How should investors in other cities think about the overall investment climate and opportunities in your city?
Paris is booming for sure. It’s still behind London and Berlin probably. But we are seeing more and more European VC offices opening in the city to get direct access to our ecosystem. Even in seed rounds, we start to have European VCs competing against us. It’s good — that means that our startups are moving to the next level.

Do you expect to see a surge in more founders coming from geographies outside major cities in the years to come, with startup hubs losing people due to the pandemic and lingering concerns, plus the attraction of remote work?
For sure startups will more and more push for remote organizations. It’s an amazing way to combine quality of life for employees and attracting talent. Yet I don’t think it will be the majority. Not all founders are willing/able to build a fully remote company. It’s an important cultural choice and it’s adapted to a certain type of business. I believe in more flexible organization (e.g., tech team working remotely or 1-2 days a week for any employee).

Which industry segments that you invest in look weaker or more exposed to potential shifts in consumer and business behavior because of COVID-19? What are the opportunities startups may be able to tap into during these unprecedented times?
Travel and hospitality sectors are of course hugely impacted. Yet there are opportunities for helping those incumbents to face current challenges (e.g., better customer care and services, stronger flexibility, cost reduction and process automation).

How has COVID-19 impacted your investment strategy? What are the biggest worries of the founders in your portfolio? What is your advice to startups in your portfolio right now?
Cash is king more than ever before. My only piece of advice will be to keep a good level of cash as we have a limited view on events coming ahead. It’s easy to say but much more difficult to put in practice (e.g., to what extent should I reduce my cash burn? Should I keep on investing in the product? What is the impact on the sales team?). Startups should focus only on what is mission-critical for their clients. Yet it doesn’t impact our seed investments as we invest pre-revenue and often pre-product.

What is a moment that has given you hope in the last month or so? This can be professional, personal or a mix of the two.
There is no reason to be hopeless. Crises have happened in the past. Humanity has faced other pandemics. Humans are resilient and resourceful enough to adapt to a new environment and new constraints.


By Mike Butcher