Cloud and mobile technologies, along with remote work, all continue to invite serious security risks. While “RDP” and “VPN” have become four-letter words, and IT experts pursue zero-trust and layered approaches to prevent breaches, APIs have consumed little of the cybersecurity conversation. Cequence Security aims to change that.

The eight-year-old company said on Wednesday it has closed $60 million in funding. That brings its total to more than $100 million. Menlo Ventures led the round as a new investor, joining a number of other existing and new venture capitalists in providing the money.

Cequence Security says it has experienced record growth during COVID-19 — little surprise given organizations’ unparalleled work-from-home deployments and digital transformation initiatives. A core part of that activity has come in the form of APIs to connect various business applications. The problem, Cequence Security asserts, is that most IT departments (and even channel partners) overlooked security reviews and governance best practices that would protect said APIs from bad actors.

Gartner supports that perspective.

Cequence Security’s Larry Link

“Many organizations lack visibility of their APIs, as many APIs are used as part of web or mobile applications and not published directly,” analysts Mark O’Neill and Jeremy D’Hoinne write in the research firm’s 2021 Hype Cycle for Application Security. “This means that a key requirement of API threat protection is API discovery, since, as every security professional knows, you can’t secure what you don’t know.”

Cequence Security’s platform addresses those gaps with API inventory tracking, risk assessment and threat prevention.

“It is the only solution that provides visibility and inline response mitigation to attacks on APIs,” said Venky Ganesan, partner at Menlo Ventures. “It’s the only solution out there that doesn’t need to signal other products for mitigation.”

Cequence Security will use the $60 million for a variety of growth strategies. Channel Futures talked with Larry Link, president and CEO of the company, to find out what MSSPs need to know.

Channel Futures: How will Cequence Security use the new investment money for the benefit of its partner program?

Larry Link: The recent investment will fund co-marketing activities to drive lead generation, the development of sales tools to help channel partners identify and articulate API security risks for their customers, and product enhancements to streamline customer onboarding for either SaaS-delivered or partner-delivered deployments.

CF: How else will Cequence Security put the $60 million to use?

LL: We will be investing in go-to-market initiatives in our existing markets of North America and EMEA. We are starting go-to-market programs in APAC and Japan, including hiring teams, signing channel partners and funding demand generation programs across all theaters. We are also heavily investing in customer success teams and tools to support our Global 2000 customer base.

CF: What do MSSPs need to know about securing APIs?

LL: APIs are increasingly being targeted to steal sensitive information and disrupt business applications. While most MSSPs have focused on the traditional breach and response to protect against data leakage or business disruption via ransomware, APIs are a new attack vector that cannot be protected using WAFs, NGFWs or vulnerability scanners. None of those tools will identify an …

… API that is leaking customer information through responses to valid API requests made by malicious actors.

CF: This seems like a niche area where the channel may lack awareness compared to, say, XDR and zero trust. Please talk about how you’re working to educate partners and why that’s important.

LL: Cequence Security has protected many large institutions from bot attacks for over five years, and this is important because during this time, bots have evolved to bypass incumbent solutions by targeting APIs directly. These attacks have become increasingly sophisticated, and our direct experience identifying and defending against them helps us bring more ‘real-world’ impact to our partners.

We also tailor our education based on the partner’s practice focus. For advisory partners, we can help educate them on the challenges of delivering API security in a multicloud, multichannel world. For DevOps partners, we focus on how we integrate into a pipeline or service mesh and provide security guardrails and protection without affecting developer velocity. And for partners who resell WAFs or firewalls, we focus on new application security requirements tied to OWASP API Security Top 10 and OWASP Automated Threats for Web Applications, as many of these partners are already familiar with the OWASP Top 10 Web Application Security Risks.

CF: What do you see coming in 2022 that MSSPs need to know?

LL: In the past two years, many organizations have accelerated their digital transformation efforts. They are using more microservices and APIs to offer a better customer experience, integrate with their supply chain and improve service reliability and updating of core business applications.

At the same time, attackers have developed more tools to find and target these APIs using automation, and as a result, there are a lot of attack types that fall under the umbrella of API security: Application DDoS, account takeovers and credential stuffing, access to PII or error logs to help attackers deconstruct the application, and attacks targeting private APIs that are publicly available (Shadow APIs).

MSSPs not only need the right tools to protect their customers from these attacks without creating more friction for legitimate users, they will also need to be able to proactively engage as a trusted adviser to educate customers on their entire API attack surface and implement controls and security tools to identify non-conformant and risky APIs before they are pushed to production.