GuardRails empowers developers to find, fix, and prevent security vulnerabilities in their web and mobile applications.
We have a live product with dozens of SaaS customers and are closing significant deals with large enterprises.
Our target market consists of any organization that develops software: one-person startups, Fortune 500 companies, and everyone in between. In the first instance we target the GitHub ecosystem, which is used by over 2.2 million organizations and over 31 million developers. In the next stage we extend support to GitLab and Bitbucket, as well as providing an on-premise offering. In the last stage we are going to add support for every other git-based version control system.
The enterprise application security market alone is expected to exceed 7.5 billion USD by 2022, which doesn't yet account for the larger development tooling market for security, which is currently entirely underserved.
Problem or Opportunity
In the era of the digital economy, most successful breaches are linked to attacks on applications resulting in companies losing over $400 billion each year. 60% of small businesses fail within 6 months of a security breach.
The problem is that development teams are not equipped with the necessary security tools nor skills to detect, evaluate, and remediate security issues in their mobile and web applications.
This is further validated by several recent studies of development teams, which show:
9/10 developers are concerned about the security of their code.
More than half are not satisfied with the methods they have to evaluate the security of their code.
1/3 of open source developers don't implement any sort of security testing.
The average time from when a vulnerability is added to an open source package until it is fixed is over 2 years.
Solution (product or service)
GuardRails is a holistic security platform that empowers developers to avoid dangerous security issues in their applications. From the very first day, GuardRails was designed for developers and to ensure their experience is top notch. GuardRails integrates directly with version control systems, such as GitHub, and can be installed across an organisation in minutes. Once installed, it listens for events that change code. On every code change event, the source code of the protected applications is downloaded to our secure servers, the programming languages used by the applications are identified, and based on that the relevant security scanning engines are selected and launched against the code. The results of the security engines are unified, deduplicated, and cleared of false positives, and then provided directly in the development workflow.
The experience for developers is very simple: they can stay in their normal workflow and develop the way they always have. However, every time they create a new code change, GuardRails scans the changes and comments on whether new security issues have been identified or not. If security issues were identified, the results are posted as a comment in the workflow that contains all the necessary information so that the developers can fix the issue right then and there. When developers commit fixes for a security issue, another scan is triggered automatically and reports whether the fix was successful or not.
Our competition can be classified in three categories:
Open Source Security Solutions
Enterprise Security Solutions
Next Generation Security Solutions
Open source security solutions are highly fragmented: one tool exists per language and security technique. Furthermore, there is no support or strong community behind these tools, which makes it very difficult to get started. GuardRails is different because it takes the existing open source tools (and others), unifies them in its platform, manages their setup, tuning, and maintenance, and makes them accessible to the masses via an easy installation process. GuardRails further augments the open source tools by providing tailored remediation advice and customer support.
Enterprise security solutions have been around for decades and were designed to be sold to security departments for audit reasons. In the age of agile and DevOps, these tools have to be used by developers, which naturally creates a lot of friction between teams. The enterprise solutions are very costly and require a team of dedicated security experts to manage and maintain the scanning efforts and the on-boarding of applications. GuardRails provides the same offering as enterprise solutions, but without their pain points. GuardRails is affordable, easy to use, and can be managed by development teams directly, yet still provides all the relevant metrics for enterprises and their security teams. Security scans finish in minutes, not hours, and the remediation advice GuardRails provides greatly exceeds that of the enterprise solutions.
Next generation security solutions already improve on most of the pain points that open source and enterprise security solutions come with. However, the drawback is that they focus on only one security concern, which for the most part is identifying vulnerabilities in open source third-party libraries. GuardRails provides solutions for all security concerns in one unified platform.
Advantages or differentiators
GuardRails is differentiated from other solutions in 4 key areas:
Version Control System Integration
Security Tool Orchestration
Security Rules Curation
False Positive Detection
Version Control System Integration
GuardRails is a platform with a unique architecture. We focus on providing a completely frictionless integration with all modern version control systems. At the moment GitHub and GitLab are supported, in both cloud and on-premise versions. Support for Bitbucket and others is coming soon. This allows GuardRails to establish an end-to-end security verification pipeline that covers all repositories (present and future), without requiring any configuration or additional setup.
Security Tool Orchestration
Built on top of the tight version control system integration, GuardRails receives notifications of any new code change that is created. GuardRails then seamlessly identifies the programming languages and frameworks in a repository, selects the matching security engines, and runs them against the code. GuardRails detects similar results from different security tools and automatically de-duplicates them, so you don't have to. GuardRails also understands which of the latest code changes introduce vulnerabilities and, out of the box, only alerts on these new vulnerabilities.
Security Rules Curation
The traditional mindset of security tool vendors is that more vulnerabilities equals better, which has resulted in a tremendous number of security issues being flagged. This burden is then handed to the engineers or the security team, which causes a lot of noise and work. At GuardRails we understand these problems, and based on our extensive first-hand experience, every single rule of every single tool is curated to decide whether it qualifies as a GuardRails issue or not. This means much less noise for you and your teams, so that you can focus on shipping new and exciting features.
False Positive Detection
Even with a carefully curated ruleset, tools are limited in their ability to identify false positives in the reported issues. GuardRails has built an expert system that detects false positives and is starting to use machine learning to continuously increase the accuracy of detecting real vulnerabilities that need to be addressed. This further ensures that engineers and security teams have more time to work on challenging and important activities that can't be done by tools.
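The orchestration, rule curation, de-duplication and new-issue-only alerting described in the Solution section and in the four differentiators above can be illustrated with a small result pipeline. The code below is an added example, not GuardRails' own code; the two scanner names ("lintsec", "secretscan"), their rule ids, the findings and the placeholder-secret heuristic are all constructed for this illustration. It normalises raw output from several scanners into one schema, keeps only curated rules, merges findings that different tools reported for the same issue, drops an obvious class of false positives, and reports only findings whose fingerprint was not present in the previous scan.

```python
"""Illustrative scan-result pipeline (added example, not GuardRails code):
normalise findings from several scanners, keep only curated rules,
de-duplicate, drop obvious false positives, and report only issues that
are new relative to the previous scan's baseline."""

from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed raw output from two hypothetical scanners, each in its own
# native shape (different key names for rule, path, line and snippet).
RAW_RESULTS = {
    "lintsec": [
        {"rule": "LS-SQLI-01", "path": "app/db.py", "line": 42,
         "code": 'cur.execute("SELECT * FROM users WHERE id = " + uid)'},
        {"rule": "LS-STYLE-07", "path": "app/db.py", "line": 10,
         "code": "import os, sys"},  # style rule, not a security concern
        {"rule": "LS-SECRET-02", "path": "app/settings.py", "line": 3,
         "code": 'AWS_SECRET = "changeme"'},
    ],
    "secretscan": [
        {"check": "hardcoded-secret", "file": "app/settings.py", "lineno": 3,
         "match": 'AWS_SECRET = "changeme"'},
        {"check": "hardcoded-secret", "file": "app/settings.py", "lineno": 9,
         "match": 'API_TOKEN = "7f9a2c41be0d4e1a"'},  # constructed value
    ],
}

# Curated rules: (scanner, native rule id) -> unified category. A rule that
# is absent here is deliberately not surfaced, however loudly the tool fires.
CURATED = {
    ("lintsec", "LS-SQLI-01"): "sql-injection",
    ("lintsec", "LS-SECRET-02"): "hardcoded-secret",
    ("secretscan", "hardcoded-secret"): "hardcoded-secret",
}

# Assumed false-positive heuristic: a "secret" whose value is an obvious
# placeholder is not a leaked credential.
PLACEHOLDER = re.compile(r"""["'](changeme|example|xxx+|todo)["']""", re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    path: str
    line: int
    snippet: str
    tools: tuple[str, ...]

    @property
    def fingerprint(self) -> str:
        # Line numbers shift on unrelated edits, so identity is built from
        # category, path and a whitespace-normalised snippet, not the line.
        norm = " ".join(self.snippet.split())
        digest = hashlib.sha256(f"{self.category}|{self.path}|{norm}".encode())
        return digest.hexdigest()[:16]


def normalise(raw: dict[str, list[dict]]) -> list[Finding]:
    """Map each scanner's native schema onto Finding, dropping uncurated rules."""
    out = []
    for tool, items in raw.items():
        for item in items:
            category = CURATED.get((tool, item.get("rule") or item.get("check")))
            if category is None:
                continue
            out.append(Finding(
                category=category,
                path=item.get("path") or item.get("file"),
                line=item.get("line") or item.get("lineno"),
                snippet=item.get("code") or item.get("match"),
                tools=(tool,),
            ))
    return out


def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Merge findings that several tools reported for the same issue."""
    merged: dict[str, Finding] = {}
    for f in findings:
        prev = merged.get(f.fingerprint)
        if prev is None:
            merged[f.fingerprint] = f
        else:
            tools = tuple(sorted(set(prev.tools + f.tools)))
            merged[f.fingerprint] = Finding(prev.category, prev.path, prev.line,
                                            prev.snippet, tools)
    return list(merged.values())


def is_false_positive(f: Finding) -> bool:
    return f.category == "hardcoded-secret" and PLACEHOLDER.search(f.snippet) is not None


def run_pipeline(raw: dict[str, list[dict]], baseline: set[str]) -> list[Finding]:
    """Curate, de-duplicate, filter false positives, then keep only findings
    whose fingerprint was not already known from the previous scan."""
    real = [f for f in deduplicate(normalise(raw)) if not is_false_positive(f)]
    return [f for f in real if f.fingerprint not in baseline]


if __name__ == "__main__":
    # Pretend the previous scan had already reported the SQL injection.
    known = {f.fingerprint for f in deduplicate(normalise(RAW_RESULTS))
             if f.category == "sql-injection"}
    for f in run_pipeline(RAW_RESULTS, known):
        print(f"NEW {f.category} in {f.path}:{f.line} (reported by {', '.join(f.tools)})")
```

Running it reports a single new finding, the hard-coded token at app/settings.py:9: the style rule never enters the pipeline, the placeholder secret that both scanners flagged is merged into one finding and then discarded as a false positive, and the SQL injection is suppressed because its fingerprint was already in the baseline. Keying the baseline on a line-independent fingerprint is what keeps an unrelated edit higher up in the file from re-reporting an old issue as new.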
We sell startup plans from 45 USD a month, business plans from 230 USD a month, and enterprise plans from 25,000 USD a year.
Our business model is Software as a Service. We have developed a scalable security platform that we can sell at high margin to enterprises around the world.
Money will be spent on
Scaling the product engineering, data-science and sales teams