Web security star Prevoty raises $2.4M seed extension, continues its crusade against XSS attacks

By Michael Carney, written on December 18, 2013

From The News Desk

For website administrators, the internet is a dangerous place full of would-be attackers and trouble makers. But for all the attention paid to Web security, the standard solutions like Web-application firewalls (WAF) are only capable of preventing known attack vectors. Unknown attackers, or methods, often called “zero day” attacks, are among the most difficult to prevent.

Los Angeles-based Prevoty believes it has found an answer to one of the most troubling of these attack vectors: cross-site scripting (XSS). The nine-month-old managed Web application as a service company was recently recognized as a finalist for the prestigious SC Magazine's 2014 Excellence Awards Rookie Security Company of the Year. And today, the company is announcing $2.4 million in new financing.

The seed extension round was led by existing investors, Double M Capital and Plus Capital, with participation from Core Ventures and ProofPoint Executive Chairman Eric Hahn's Inventure, as well as several strategic security industry angels like one of the heads of security at a major credit card company. Prevoty previously raised $700,000 via a convertible note which was converted into this priced round. The company graduated from the Spring 2013 class of Santa Monica’s Launchpad LA accelerator.

Prevoty’s co-founding CTO is Kunal Anand, a former director of technology at the BBC, director of engineering at Gravity, security engineering manager at MySpace, and a lead software architect at NASA. To say that the man knows Web security would be a gross understatement. As the top cop at MySpace, he likely has more direct experience with XSS attacks than almost anyone on the planet and it shows in Prevoty’s product.

As I wrote at the time of the company’s launch:

Historically the preferred defense against XSS attacks has been Web Application Firewalls (WAF), which can be likened to a bouncer at the door of a popular nightclub – if you’re not on the list, or if you don’t look the part of a club-goer (aka, authorized site visitor), you’re not let in. The problem is, looks can be deceiving and, once inside, a club or website visitor can act in unauthorized ways...

In Prevoty, Anand and Bellanger have created the equivalent of in-club security which monitors the ongoing behavior of every guest and ejects them at the first sign of trouble. The company’s SmartFilter product sits between application and the firewall to provide contextual security. Rather than simply relying on past malware definitions or heuristics, SmartFilter uses “tokenizers, parsers, and profilers that in unison have the ability to perform syntactic/semantic operations on content,” according to the company.

Prevoty is the only Web security company integrating application security at the application layer, according to co-founder and CEO Julien Bellanger. This makes it a unique solution to a pervasive problem – up to 70 percent of all websites are thought to be vulnerable to XSS. “It doesn’t take much education or convincing to close new customers – only to let them know we exist,” Bellanger says.

The decision to raise a seed extension, rather than a full Series A round, was a strategic one, according to Plus Capital Managing Partner Adam Lilling. “They have so much momentum, with a number of premium paying customers and more in the pipeline, that myself and some of the existing early investors were thrilled to put more money in and give the company more runway to get all its ducks in a row before needing to go out and raise a real, proper Series A,” he says.

Prevoty currently has a 12-person team, and has had no trouble recruiting top engineers, according to both Lilling and Bellanger. The plan, according to Bellanger, is to ramp up both engineering and sales as quickly as possible to take advantage of existing unmet demand. “This is a hot company, in a hot sector, using a hot language [Google’s GO], led by stud founders,” Lilling says. “They’ve had no problem at all attracting talent, especially with people looking for an excuse to live the LA lifestyle.”

The next major milestone for Prevoty is to realize its first enterprise engagement, a feat Bellanger expects to achieve within the financial sector before the end of the first quarter. The company’s product roadmap also calls for the addition of self-serve onboarding in February.

Prevoty is a rarity as an LA-based Web security company, but conversations with Web security and defense sector security experts confirm the company's bona fides. With Anand’s unprecedented experience combatting XSS attacks and the company seemingly having no trouble attracting talent and capital, the sky seems to be the limit.

But Prevoty still has a lot to prove. The company has developed a compelling solution to a problem that is rampant today, but it has yet to demonstrate that it can build a big business delivering that solution. The company must also prove that it can evolve with the fast-changing Web security landscape, and introduce new and effective solutions to the next generation of threats that will inevitably emerge.

Prevoty will need much more capital to achieve its grand vision. Given its ambitions and its founders’ pedigree, the company will most likely look to top Silicon Valley firms to write that big Series A check. But today’s round gives the company enough breathing room to focus on executing on these very real challenges before it needs to cross that next fundraising bridge.

This could be a very different company in one year’s time. Its founders and investors just doubled down on their belief that it will be a far more massive one.
