Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Cloud Security

API Security Firm Cequence Raises $60 Million

The rapid adoption of APIs to facilitate both digital transformation and the pandemic-related growth in online commerce has caused a rush to market. But as with all code produced and released in haste, there are frequent problems. Cyberattacks against APIs have become a growth area for cybercriminals.

The rapid adoption of APIs to facilitate both digital transformation and the pandemic-related growth in online commerce has caused a rush to market. But as with all code produced and released in haste, there are frequent problems. Cyberattacks against APIs have become a growth area for cybercriminals.

Sunnyvale, Calif-based API security firm Cequence has raised $60 million in a Series C funding round led by new investor Menlo Ventures. Other new investors include ICON Ventures, Telstra Ventures and HarbourVest Partners, while existing investors Shasta Ventures, Dell Technologies Capital and T-Mobile Ventures also participated. This brings the total raised by Cequence to $100 million.

Cequence securityThe new funding will be used to support enhancements to the Cequence product; to aid expansion into new regions in the United States and Europe, and new markets in Asia and Australia; and to increase staffing. Venky Ganesan of Menlo Ventures, who commented, “It is the only solution that provides visibility and inline response mitigation to attacks on APIs,” will also join the company’s board.

One of the difficulties with APIs is that companies easily lose sight of them. APIs are not published directly but are usually used as part of web or mobile applications. They can allow attackers access to the most sensitive parts of a company network, yet security teams have little visibility on them. Typical flaws may include broken authentication and authorization, a lack of rate limiting, and code injection vulnerabilities.

The Cequence API security solution has three basic phases: API discovery, possible abuse detection, and abuse mitigation. 

Discovery is the initial first critical step: you cannot secure what you cannot see – and companies frequently don’t fully know their own inventory. “One customer, a top U.S. carrier, was simply seeking a better understanding of how APIs were being exposed by its customers,” Cequence CEO Larry Link told SecurityWeek. “The process was that APIs should be registered when invoked in code – a sort of self-policing approach. The carrier had approximately 2,000 self-registered APIs. But when Cequence checked, it found 18,000 APIs.”

Such ‘hidden’ APIs are not limited to carriers, but occur with most customers. “With one retail customer, the discovery phase uncovered instances of APIs that were initially deployed in a test environment and hadn’t been taken down. They became deployed as part of a Salesforce marketing relationship and were overexposing sensitive information. Anybody building a digital customer experience using APIs can lose track of them,” he continued.

The second phase is to analyze the traffic for abuse or flaws. A danger with APIs is that they are basically machine to machine with no direct human oversight, and potential access to confidential PII. This lends itself to automated and potentially large-scale but unseen attacks. For example, in one instance a customer had offered a limited edition of a product at a discount price. An ‘attacker’ took advantage of a rate limiting failure in the API and immediately bought the entire limited-edition stock for on-selling at an inflated price. Such incidents are not direct security incidents, but are unintended consequences of the way the API is written and could lead to reputational damage.

Advertisement. Scroll to continue reading.

Cequence applies a series of tests to the APIs, checking authentication and whether it is leaking credentials or exposing confidential PII such as credit card numbers or social security numbers. The results of these tests allow Cequence to apply a risk rating of one to ten to each API. That data is passed to the security team, which is able to inform the API developer on what aspects need to be improved – or indeed, whether the API needs to be blocked immediately.

The fluid nature of APIs, which must change every time the associated application is modified, means that this type of continuous monitoring and assessment is essential.

Cequence was founded in 2014 by Ameya Talwalkar (chief product officer), Michael Barrett, (previously CISO, now CISO at Latch), and Shreyans Mehta (CTO). It raised $17 million in a Series B funding round in February 2019.

Related: The Next Big Cyber-Attack Vector: APIs

Related: UK-Based API Security Firm 42Crunch Raises $17 Million

Related: Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API

Related: U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.


Forty cybersecurity-related M&A deals were announced in January 2023.


Seventeen cybersecurity-related M&A deals were announced in the first half of February 2023.


Thirty-five cybersecurity-related M&A deals were announced in February 2023


More than 450 cybersecurity-related mergers and acquisitions were announced in 2022, according to an analysis conducted by SecurityWeek