Shape Security raises $20M for a project so secret, if it told you, it would have to kill you

By Michael Carney, written on January 7, 2013

From The News Desk

Like a lot of VCs who made their names in the great enterprise days of yore, we haven’t heard much lately from former rockstar Kleiner Perkins Caufield & Byers partner Ted Schlein. But he appears to have his next big bet on his hands, and the validation – in the form of well-heeled cash – is pretty strong.

The company is called Shape Security, and I’m going to warn you right now, you won’t leave this article, the company’s website, or any conversation with its investors too clear on what they do. But Schlein predicts that it has “the promise to be one of the more disruptive forces in the security industry ‘since the early days of anti-virus technology.’” Given he made his name as an early executive with juggernaut Symantec, people are paying attention.

Today, Shape is announcing it has raised a hefty $20 million Series B round of venture capital led by Venrock, with participation by Kleiner, Allegis Capital, Google Ventures, TomorrowVentures, and former Symantec CEO Enrique Salem. A sum that size would be notable on its own. But more surprising is that the deal comes just eight months after Schlein led the company’s $6 million Series A, alongside TomorrowVentures, Baseline Ventures, and current and former employees of Dropbox, Facebook, Twitter, and LinkedIn.

Schlein acknowledged that the latest financing round is atypical in both its size and proximity to the Series A round, particularly given the company’s pre-launch stage. “There was lots of competition to invest,” he says, “and the terms were such that the company chose to take the extra cash.”

Despite the apparent hunger to invest, few outside the company know much about Shape, other than vagaries like it “defends against botnets and crimeware-as-a-service in an entirely new way.” But after two quarters of a “broad” private beta, Schlein tells me that many of the largest companies in highly vulnerable sectors like financial services have told Shape, “Build it [to commercial scale] and we’re going to buy it.” And that’s exactly what this new financing round is all about. The company hopes to flip the switch to a full public offering in early 2014.

So here's as much as anyone would disclose about what Shape does. Shape co-founder Sumit Agarwal, a former senior advisor for cyber innovation at the US Department of Defense and head of mobile product at Google, calls Shape an “entirely new proactive security layer.” He points to “man-in-the-browser” attacks as a clear example of where cyber criminals have outpaced current security technology, and an area where Shape will make a major impact.

In these types of attacks, thieves compromise the websites of banks and other high-value targets and then redirect traffic away from their domains to dummy sites, typically without the bank or the customer ever knowing. The most widely known such virus is the Zeus trojan, which has plagued the banking sector to the tune of hundreds of millions of dollars in losses. Zeus is so bad there’s an entire website set up to monitor incidences of the virus – the contents are less than encouraging. Zeus and many similar nefarious tools are available in the dark corners of the Web via paid subscription, aka crimeware-as-a-service, to anyone willing to pay a four- to five-figure sum.

It’s a constant battle between the thugs and cyber security forces keeping up with them. In many cases, malware detection tools simply “let you know the horse has left the barn,” to use Schlein’s words. “The best tools will let you know whether one horse or all the horses have left, and will alert you faster.” But in most cases, the response is still just that – reactive.

Shape aims to make things more difficult and more expensive for cyber bad guys. "Instead of trying to detect the attack, we provide deflection," said Shape VP of strategy and former Google Click Fraud “Czar” Shuman Ghosemajumder. "We sit between the website and the users."

Explaining this further, co-founder Agarwal says, “Instead of buying a kit and having access to a lot of hacked websites and a lot of infected smartphones and PCs, the hacker will now have to individually compromise each website every time a user logs on.” The company’s website adds this: “Our military-grade technology doesn't rely on past signatures, so it uniquely protects against zero-day and other advanced threats.”

So putting this all together, Shape would seem to make it so that compromising a website once won’t get you past its gatekeepers forever. Each time thieves wish to redirect a login, they’ll need to start from scratch. Hence, more difficult and more expensive.

Shape isn’t the only cryptic security startup pulling in serious cash and defense sector talent. CrowdStrike has raised $26 million from private equity firm Warburg Pincus and hired the former executive assistant director of the FBI’s Criminal, Cyber, Response, and Service division. It has been equally mum about its next-generation security plans.

Shape has rounded out its elite 30-ish person team with several other security and defense industry heavyweights beyond Agarwal and Ghosemajumder. The startup recently added Cisco's former VP of Application Delivery as its VP of Engineering, and Wal-Mart’s former chief information security officer in an unspecified role. The team consists of several other senior engineers and executives from Cisco, Akamai, Solera Networks, Euclid Network, and Juniper Networks, among other top companies. Additionally, Venrock Partner Ray Rothrock has joined the company’s board of directors as part of the latest financing, joining Kleiner’s Schlein, and Sequoia Capital limited partner and personal Shape investor Gaurav Garg.

These are important names and pedigrees to note. Both Schlein and Agarwal point to execution and recruiting as Shape’s biggest challenges. Neither is terribly worried about competition at this stage, and both readily admit that criminals will eventually thwart any new technology, given enough time and resources. The idea is to get as far ahead of these potential threats as possible, while validating the business model through wide commercial deployment.

It all sounds great, in a cryptic, leaving-you-with-more-questions-than-answers sort of way. Some degree of secrecy is to be expected in this sector. But with little substance on which to validate promises that a new technology will be a "game changer," skepticism is to be expected. With the company unwilling to provide additional details, the dollars being thrown at the company and the caliber of its investors are the only benchmarks we have to gauge its validity.