Escape Secures $18M to Scale Automated API Pentesting and AI Agents
- [01] Organizations face increasing risks from unmonitored API endpoints and shadow APIs that bypass traditional security controls and manual testing cycles.
- [02] The platform focuses on securing GraphQL and REST APIs throughout the development lifecycle by automating complex security assessment tasks.
- [03] Security leaders should integrate automated API discovery and testing into CI/CD pipelines to ensure continuous visibility and vulnerability remediation.
According to SecurityWeek, the cybersecurity startup Escape has raised $18 million in Series A funding. This investment is directed toward expanding the company’s AI agent capabilities and scaling its engineering and go-to-market teams. The funding round reflects a growing industry demand for specialized tools capable of handling the unique security challenges posed by modern, API-centric application architectures.
The Escalating Complexity of API Attack Surfaces
Modern web applications rely heavily on a complex web of internal and external APIs. This reliance has created a vast and often poorly documented attack surface. Many organizations struggle with the proliferation of legacy and undocumented endpoints, necessitating effective strategies for inventorying shadow APIs. Traditional manual penetration testing often falls short in these environments because it is point-in-time and cannot scale at the speed of continuous deployment.
When APIs are not properly secured, they become primary vectors for supply chain attacks or data exfiltration. Attackers frequently target these interfaces to find an RCE (Remote Code Execution) vulnerability or to exploit misconfigured authentication mechanisms. By automating the testing process, organizations can shift security further left in the development lifecycle, identifying flaws before they reach production.
Strategic Expansion of the Escape API Security Platform
The Escape API security platform is designed to provide continuous monitoring and automated testing without the need for manual script configuration. By utilizing AI agents, the platform can navigate complex business logic to discover vulnerabilities that traditional scanners might miss. This is particularly relevant for modern frameworks where a single CVE (Common Vulnerabilities and Exposures) in a third-party library can expose the entire application stack.
The automation of these processes allows the SOC (Security Operations Center) to focus on high-priority alerts rather than getting bogged down by the noise of manual API discovery. Furthermore, as organizations move toward Zero Trust architectures, verifying the integrity and security of every API call becomes a foundational requirement.
How to Secure GraphQL APIs and Modern Frameworks
One of the specific technical hurdles in modern application security is understanding how to secure GraphQL APIs effectively. Unlike REST APIs, which have distinct endpoints for different resources, GraphQL often uses a single endpoint that accepts complex queries. This flexibility, while beneficial for developers, can lead to significant security risks such as deeply nested query attacks or unauthorized data exposure.
Automated tools must be capable of parsing these complex schemas to identify potential XSS (Cross-Site Scripting) vectors or injection points. Escape’s approach involves using AI to mimic the behavior of a human pentester, probing the API for logic flaws and authorization bypasses that automated static analysis tools often overlook.
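The deeply nested query risk described above follows from the single-endpoint design: every query, however deep, arrives at the same URL, so the depth check has to be applied to the query document itself. The following is an added illustration of such a gate, not Escape's code; it measures selection-set nesting on the raw query text (skipping string literals and comments so braces inside them are not counted) and rejects anything over an assumed policy limit of 6 levels.

```python
"""Depth gate for a single GraphQL endpoint (added illustration, not Escape's code).

Limitation: fragment spreads (...Frag) are not resolved here, so a production gate
should run the same check over the parsed AST with fragments expanded.
"""

MAX_DEPTH = 6  # assumed policy value; tune per schema


def max_selection_depth(query: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document."""
    depth = cur = i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == '#':                       # line comment: skip to end of line
            while i < n and query[i] != '\n':
                i += 1
            continue
        if ch == '"':                       # string literal, including """block""" strings
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:
                i += 1
                while i < n and query[i] != '"':
                    if query[i] == '\\':    # skip the escaped character
                        i += 1
                    i += 1
                i += 1                      # step past the closing quote
            continue
        if ch == '{':
            cur += 1
            depth = max(depth, cur)
        elif ch == '}':
            cur -= 1
        i += 1
    return depth


def check_query(query: str, limit: int = MAX_DEPTH) -> tuple:
    """Gate applied at the single /graphql endpoint: returns (accepted, observed_depth)."""
    observed = max_selection_depth(query)
    return observed <= limit, observed


# Constructed sample queries: an ordinary lookup (depth 3) and a 21-level nesting.
NORMAL = 'query { user(id: "u-1") { name posts { title } } }'
NESTED = 'query { ' + 'friends { ' * 20 + 'name' + ' }' * 20 + ' }'

if __name__ == "__main__":
    for q in (NORMAL, NESTED):
        accepted, d = check_query(q)
        print(f"depth={d:2d} accepted={accepted}")
```

Rejected queries should also be logged with the observed depth, since a spike in over-limit requests against the endpoint is a useful detection signal in its own right.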
Actionable Recommendations for Security Teams
To address the risks associated with modern API ecosystems, defenders should prioritize the following actions:
- Implement Continuous Discovery: Use automated tools to maintain an up-to-date inventory of all public and private APIs, ensuring that no shadow endpoints remain unmonitored.
- Integrate with CI/CD: Move beyond periodic testing by integrating API security scans directly into the build pipeline. This ensures that every code change is validated against known security standards.
- Focus on Business Logic: While traditional vulnerability scanning is useful, emphasize testing for broken object-level authorization (BOLA) and other logic-based flaws that are prevalent in API environments.
- Standardize API Documentation: Enforce the use of OpenAPI or similar specifications to ensure that security tools have a clear roadmap of the intended API behavior, which facilitates more accurate automated testing.