Traceable, an application security startup headed by former AppDynamics CEO Jyoti Bansal, launched today with $20 million in Series A funding.

Bansal co-founded Traceable with Sanjay Nagaraj, former VP of engineering at AppDynamics and Traceable’s CTO. Cisco bought AppDynamics, an application performance management company, for $3.7 billion in 2017.

“Application security is the next major challenge in cybersecurity,” Bansal said. “Traditionally, for the last 10 or 15 years, cybersecurity has mostly focused on securing the networks. We think now the next level has to be about code, because now we are in this developer-driven world where developers are writing a lot of code, and that really becomes your primary asset that you want to protect."

Bansal added that it's important to understand how people are using applications and APIs. "We’re just at the very beginning stages of what needs to be done.”

Traceable does this by enabling DevSecOps, which embeds security controls and processes into the code itself.

Why DevSecOps

“You involve developers in the security aspects of things, and you involve security ops in the code aspect of things, and that's exactly where Traceable fits in,” Bansal said. “We are bringing the platform for DevSecOps so that both teams are looking at the same code-level data.”

Security operations teams and vendors alike are still figuring out how best to protect cloud-native applications built with microservices. The use of microservice APIs massively expands the attack surface for enterprises and can expose business logic that attackers use to infiltrate applications and private data — as in the high-profile Facebook and Uber business logic attacks, which exploited vulnerabilities in microservice APIs. “Traceable solves one of the biggest problems security teams face, which is distinguishing between valid and malicious use of an application’s APIs,” said Gerhard Eschelbeck, former Google CISO and Traceable advisor, in a statement.

Traceable’s Application Security Platform

The startup developed an application security platform that uses distributed tracing technology to trace end-to-end application activity — from the user and session through the application code. TraceAI, the platform’s artificial intelligence (AI) and machine learning component, analyzes this trace data to learn normal application behavior and to detect activity that deviates from the norm. Businesses can then use Traceable’s forensic data and insights to analyze attack attempts and perform root cause analysis.
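To make the "learn normal, then flag deviations" idea concrete, here is a toy behavioral baseline over trace records. This is added example code, not Traceable's or Hypertrace's; the record fields (session, user, endpoint, resource) and all traffic are constructed for the illustration.

```python
"""Toy behavioral baseline over distributed-trace records (constructed data).

Each record is one traced request tagged with the session it belonged to,
the API endpoint it hit and the resource ID it touched."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline traffic: every normal session reads three of its own
# orders. Small on purpose so the example runs instantly.
BASELINE = [
    {"session": f"s{i}", "user": f"u{i}", "endpoint": "GET /api/orders/{id}",
     "resource": f"order-{i * 10 + j}"}
    for i in range(1, 21) for j in range(3)
]

# Constructed observed traffic: one ordinary session and one session that
# walks 25 consecutive order IDs, the shape of a business-logic enumeration.
OBSERVED = (
    [{"session": "s-ok", "user": "u-ok", "endpoint": "GET /api/orders/{id}",
      "resource": f"order-90{j}"} for j in range(4)]
    + [{"session": "s-scan", "user": "u-x", "endpoint": "GET /api/orders/{id}",
        "resource": f"order-{n}"} for n in range(100, 125)]
)

def session_profiles(records):
    """Map (session, endpoint) -> set of distinct resource IDs touched."""
    prof = defaultdict(set)
    for r in records:
        prof[(r["session"], r["endpoint"])].add(r["resource"])
    return prof

def learn_baseline(records):
    """Per endpoint: mean and population std-dev of distinct resources per session."""
    per_endpoint = defaultdict(list)
    for (_, ep), res in session_profiles(records).items():
        per_endpoint[ep].append(len(res))
    return {ep: (mean(v), pstdev(v)) for ep, v in per_endpoint.items()}

def flag_sessions(records, baseline, sigmas=3.0, floor=1.0):
    """Return (session, endpoint, count) where fan-out exceeds mean + sigmas*std.
    `floor` stops a zero-variance baseline from flagging a single extra request."""
    out = []
    for (sess, ep), res in session_profiles(records).items():
        mu, sd = baseline.get(ep, (0.0, 0.0))
        if len(res) > mu + sigmas * max(sd, floor):
            out.append((sess, ep, len(res)))
    return sorted(out)

if __name__ == "__main__":
    print(flag_sessions(OBSERVED, learn_baseline(BASELINE)))
```

The flagged tuple carries the session and endpoint, which is the forensic handle an analyst would pivot on when reconstructing the attempt from the full traces.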

The startup loosely competes against web application firewall (WAF) vendors like Akamai, Imperva, F5, Cloudflare, Fortinet, and Barracuda, as well as newer API security startups like Salt Security. But it’s still an emerging space, and Traceable’s founders say that they bring a unique approach to this market, which they expect to take stronger shape over the next three to five years.

“As a next-generation application and API security company for the cloud-native era, there are four key business values that we bring to the table,” Nagaraj said, adding that this includes “discovering and understanding your APIs and your specifications of your APIs to protect you from your emerging threats. And, we help you understand that with the right kind of forensics to provide you the detailed insights and analytics within your APIs. And, we designed Traceable for cloud-native environments.”

The product, available now in preview, has customers including real estate brokerage Houwzer, financial technology firms, cloud-native startups, and retail companies, Bansal said.

Open Source Hypertrace

Additionally, Bansal and Nagaraj open-sourced Traceable’s underlying distributed tracing platform. The new open source project, named Hypertrace, lets DevOps teams observe and monitor production applications using the same distributed tracing and observability capabilities that power Traceable, and to contribute to the project themselves.

“We’re trying to bring the best of both worlds together by enabling developers with the open source technology, which is Hypertrace, and security operations team with the Traceable product,” Nagaraj said.

The security operations and DevOps teams don’t always get along. While developers are much more comfortable using open source code, and pushing new code rapidly, security teams have been slower to adopt open source and historically equated DevOps to running with scissors — bad things happen when you go fast.

“So from a security and operations perspective, we’re trying to bring together DevSecOps by enabling developers to adopt some of the pieces that security wants them to adopt,” Nagaraj explained. “For example, some of the functionality that we have in the product enables you to understand the way the APIs are behaving. These pieces are actually going to enable the security operations team to push the developers to be more security focused and security conscious.”