ForAllSecure closed a $21M Series B on its mission to become the ‘de facto standard in application security’

Money keeps pouring into Pittsburgh companies this quarter, and this time, it’s for a fast-growing cybersecurity firm targeting a growing tech space.

Software security testing company ForAllSecure announced this morning that it raised a $21 million Series B round led by Koch Disruptive Technologies and existing investor New Enterprise Associates. With this round, ForAllSecure has now raised a total of $36 million in funding, according to the company.

Founded in 2012, ForAllSecure came out of patented technology developed from research at Carnegie Mellon University. From there, the company went on to win first place in the 2016 DARPA Cyber Grand Challenge for its signature product, Mayhem. In 2017 and 2020, ForAllSecure nabbed a couple of contracts totaling $53 million from the Department of Defense to deploy Mayhem across some of the most critical systems in the department. Now, the company is ready to expand its commercialization efforts toward new customer acquisition and partnerships.

“We’re using the funding to double down on developer-led adoption. We’ll be hiring developer relations in marketing, education and training staff, and of course sales and engineering,” ForAllSecure cofounder and CEO David Brumley told Technical.ly. “Last year we released Mayhem for API for free, and you’ll be seeing more along those lines with a new announcement in a few weeks.”

That release enables software developers to build and secure application programming interfaces, or APIs, more efficiently through fuzz testing against SQL injections, command injections, authentication bypasses, server side request forgeries and DoS attacks, per the company. That’s an important tool to have given the prevalence of APIs in not only software development, but in businesses beyond the tech industry as well. Underscoring the need for Mayhem for API, ForAllSecure pointed to a report from Gartner that predicted API attacks becoming the most common form of cyberattacks in 2022.

It’s been an attractive proposition to the 100-plus customers of ForAllSecure so far, which include a wide range of industries, from defense to gaming platforms like Roblox. And there are signs that interest will only increase, with global research and advisory firm 451 Research finding in a 2018 study that one of the biggest challenges in development, security and operations is a “lack of automated, integrated security tools for continuous integration and continuous delivery.”

“The DevSecOps industry is experiencing unprecedented disruption driven by the explosive growth of software development and demand for more secure applications,” said Navin Maharaj, director at Koch Disruptive Technologies, in a press release. “The company’s cutting-edge autonomous technology is defining the standard in testing and protecting the world’s software. Our investment in ForAllSecure underscores our belief that the company is at the forefront of cybersecurity to protect software and software-connected assets from the increasing threats we are seeing today.”

ForAllSecure now operates as a remote-first company, Brumley told Technical.ly. While the team has an office in Oakland through the Pittsburgh Innovation District’s Avenu coworking space, only about a third of the company’s 30 employees are currently based here.

This latest round of funding for the company also caps off the end to a rebound in venture capital activity for Pittsburgh. After dismal deal volumes in 2021 (despite record-breaking national activity), the uptick in VC deals this quarter is a hopeful sign for those worried about cash flow into the region.

It’s also a sign that cybersecurity ventures could grow in Pittsburgh. Through the local academic programs available here to a vested interest in the field from local government, there’s room for companies big and small to leverage local expertise and opportunities.

And from what Burmley shared, it sounds like ForAllSecure has plans to do just that.

“We expect to raise a series C in 24 months,” he said. “Our overall mission is to become the defacto standard in application security. We don’t see ourselves merging with anyone at this time.”