Contrast Security expands its cybersecurity tech to new markets with $150M

Contrast Security, a Los Altos, California-based company developing app security and embedded code analysis technologies, today announced that it raised $150 million in a series E round led by Liberty Strategic Capital, former treasury secretary Steve Mnuchin’s venture firm. The funding — which values the company at “greater than one billion dollars,” according to a spokesperson — saw participation from existing Contrast investors Warburg Pincus, Battery Ventures, General Catalyst, Microsoft’s M12 Fund, AXA Venture Partners, and Acero Capital.

According to CEO Alan Naumann, Contrast’s warchest of over $250 million in capital will enable it to gain greater market share following expansion in Europe, the Middle East, Africa, and the Asia-Pacific region. Naumann also didn’t rule out strategic opportunities and mergers and acquisitions in the future, as competition in the over $179 billion cybersecurity industry becomes fiercer.

“The global economy is running on software applications. People trust this software with everything important from finances, elections, wire transfers, online shopping, and health care,” Naumann told VentureBeat via email. “Unfortunately, it’s very difficult to code quickly, use open source, leverage external APIs, and deploy in the cloud, and do all of that securely. The apps you use every day have dozens of vulnerabilities and we see some apps that are attacked more 13,000 times a month … The Contrast platform is a revolutionary approach to tackling this challenge. We are stopping cyberattacks at the software layer.”

Cyber resilience

During the pandemic, many enterprises turned to digital transformation and the development of new apps to sustain business growth. As productization efforts ramped up, 84% of developers said that they were pressured to release code faster compared with before, according to GitLab. As a result, code was — and is — being shipped with an increasing number of vulnerabilities, leading to high-profile security breaches. WhiteHat security found that between 2018 and 2019 alone, there was a 50% increase in unpatched library vulnerabilities, mostly stemming from open source packages.

Jeff Williams founded Contrast in 2014 alongside Arshan Dabirsiaghi, former research director at Aspect Security, with the goal of creating a platform that could spot potentially problematic code in applications. Employing a technique called binary instrumentation — agents embedded in app servers, runtime and user libraries, controllers, and data layers — Contrast can detect vulnerabilities across web browsers, mobile clients, containers, frameworks, and more.

Naumann claims that binary instrumentation eliminates the need for regular scans, network configuration changes, and audits while enabling protection in cloud environments like Azure and Amazon Web Services and apps programmed in Java, .NET, Node.js, Ruby, and Python. Contrast integrates with a range of ticketing systems and CI/CD tools to monitor code and reports from inside apps and third-party libraries. It also performs attack detection, responding with a seven-step approach that includes virtual patching and “how-to-fix” guidance.

“Our vision is every application can be secure and the key is providing developers with powerful tools as they are developing apps, and ops teams the visibility once the apps are live,” Naumann said. “[With Contrast,] security instrumentation is included in software in development from startup and extends through into production runtime. Development, security, and operations teams no longer need to acquire and manage numerous application security toolsets that consume valuable time and cost.”

Over the past two years, Contrast has introduced features including support for serverless apps and route intelligence, which shows how much of an app’s attack surface has been assessed for vulnerabilities. In May, the company added apps programmed in Go to its list of scannable assets and joined the Cloud Native Computing Foundation and the Linux Foundation. Most recently, Contrast launched a security observability offering that bundles all of its technologies into a single, enterprise-oriented product.

“Businesses are increasingly dependent on applications to support their critical operations, creating strong demand for solutions like Contrast’s that help developers ensure, in real time, that the code underlying these applications is secure from evolving threats from hackers and other malign actors,” Mnuchin, who intends to join Contrast’s board of directors, said in a press release. “We believe the team at Contrast has developed a market leading solution, and we are excited to partner with them as they continue to innovate in the application security space.”

Customer base

Contrast is among the growing crop of startups in the DevSecOps space, which aims to automate the integration of security at every phase of the software development lifecycle, from initial through deployment. While a 2020 Gartner report characterized DevSecOps as in the early stages of adoption, companies are eagerly investing in the broader cybersecurity market. PricewaterhouseCoopers recently reported that one-third of U.S. CEOs plan to increase investments in cybersecurity by double digits within the next few months.

Driven largely by challenges arising from remote and hybrid work, the investments have benefited startups like New Context (which was acquired by Copado in March), Spectral, BluBracket, Oxeye, and Rezilion. Contrast — which has 350 employees — claims to have a larger customer and user base than most, with tens of thousands of paying developers on the platform hailing from BMW, DocuSign, AXA, Zurich, SOMPO Japan, and American Red Cross, as well as other Fortune 500 companies in health care, financial services, government, and technology sectors.

“Contrast is between $50 million and $100 million in annual recurring revenue. Customers are increasingly choosing our platform, and, as a result, we’ve seen a 100% increase in customers with over $1 million annual recurring revenue,” Naumann said.

As the volume of cyberattacks continues to climb — ransomware attacks alone increased 148% year-over-year from 2020 — investments in cybersecurity are likely to correspondingly grow. In the first half of 2021, the cybersecurity market saw $39.5 billion in merger and acquisition volume along with $11.5 billion in total venture capital investments, according to Momentum Cyber — a new record.