Escape dynamically scans APIs to find security flaws

French startup Escape has raised a $3.9 million (€3.6 million) funding round shortly after ending Y Combinator’s winter 2023 cohort. The company provides a cybersecurity product focused on securing APIs before they are rolled out publicly.

French VC firm Iris is leading the round with Frst also participating once again after leading the pre-seed round. Existing investors Irregular Expressions, Tiny Supercomputers and Kima Ventures are participating in the round. Some of the company’s angel investors include Philippe Langlois, Mehdi Medjaoui and Roxanne Varza.

“We decided to create a custom algorithm powered by artificial intelligence that can simulate cyberattacks. Once it has found security flaws, it will give you remediations,” co-founder and CEO Tristan Kalos told me. He founded the startup with Antoine Carossio, and there are now 10 people working for Escape.

In more technical terms, Escape is an agentless solution as it integrates directly in your development pipeline. Every time the dev team commits some new lines of code in the code repository, it will trigger Escape using an integration in the continuous integration/continuous delivery flow (CI/CD).

For instance, Escape can identify an issue with rate limiting. That means that a bad actor could leverage this flaw to extract large volumes of data. Escape can also see if invalid actions are properly blocked to prevent data manipulation. It integrates with Snyk so that Escape issues appear in your Snyk’s code issues.

“These are dynamic tests. We don’t test the source code itself, but rather the application as it runs. What’s complicated with an API is the business logic — how to interact and how to attack the API. We use reinforcement learning, a mix of deep learning and heuristics,” Kalos said.

Escape first decided to focus on GraphQL APIs as the startup identified that it would be the best go-to-market strategy. But the company is currently rolling out support for REST APIs, which are more widespread than GraphQL-based APIs.

Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025

Netflix, Box, a16z, ElevenLabs, Wayve, Sequoia Capital, Elad Gil — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before Sept 26 to save up to $668.

Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025

Netflix, Box, a16z, ElevenLabs, Wayve, Sequoia Capital, Elad Gil — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before Sept 26 to save up to $668.

The company has already convinced around 20 clients, such as Sorare, Shine and Neo4J. As you can see, Escape wants to focus on bigger clients working in sensitive industries, including banks and financial services companies. Each contract could potentially be worth tens of thousands of euros per year.

Before Escape, making sure that your company’s APIs were secured was mostly a manual process. Every now and then, big companies work with security analysts to conduct a penetration test (or pentest, for short).

“Once or twice a year, they come in, look at everything that’s going on and hand you a security report. Companies review the findings internally and list the issues: we’ve got to resolve this, we’ve got to resolve that,” Kalos told me.

But then, companies have to find the developers who are in charge of this specific part of the product or that API in particular. In other words, it’s a reactive and imperfect process.

Escape doesn’t want to replace pentests altogether. Pentests don’t just focus on APIs either, they are much larger than that. Escape just wants to surface security flaws at the API level so that they are fixed when they first appear. This way, most issues are already fixed when a security firm conducts a pentest. It’s a more proactive and dynamic security model, and that could be a nice selling point.