[TIMESTAMP: 2026-03-19 12:19 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

Raven Emerges From Stealth with $20M for Runtime Security

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Raven provides runtime protection to identify and block attacks that bypass traditional perimeter security by monitoring application behavior during execution.
  • [02] The platform is designed for cloud-native environments where deep visibility into internal application logic is required to stop sophisticated exploits.
  • [03] Organizations should assess runtime observability gaps to ensure detection of post-exploitation activities and deviations from normal operational baselines.

Overview of Raven’s Stealth Exit and Funding

Raven, a startup focused on runtime application security, has officially emerged from stealth mode with $20 million in funding. The investment round was led by Redpoint Ventures and General Catalyst, providing the capital necessary to scale its platform that observes applications during execution to identify and prevent cyberattacks. According to SecurityWeek, Raven’s technology aims to address a specific visibility gap in production environments where traditional security tools often lose track of application logic.

Modern security stacks rely heavily on perimeter defenses and static analysis. However, once an application is running, its internal state becomes a blind spot for many organizations. Raven’s platform is designed to provide real-time monitoring of application behavior, ensuring that any deviation from expected logic is flagged or blocked before a breach can escalate. As the market for runtime application security platforms grows, Raven positions itself as a critical layer for organizations managing complex, distributed architectures.

The Technical Case for Runtime Observability

Traditional security measures such as static and dynamic analysis focus on the pre-deployment phase. While these are essential for identifying known CVEs in third-party libraries, they cannot predict how an application will behave under a novel or zero-day exploit. When an attacker achieves RCE, they often manipulate the application’s internal control flow to execute unauthorized commands or facilitate privilege escalation.

Detecting Anomalous Behavior in Cloud-Native Apps

In microservices and containerized environments, the complexity of inter-service communication makes it difficult to maintain a consistent security posture. Raven addresses this by establishing a baseline of normal operation. With that baseline in place, the platform can identify when a process begins communicating with a suspicious external C2 server or when an internal function is called with unexpected parameters. This behavioral approach is more resilient than signature-based detection because it focuses on the TTPs used by attackers rather than specific file hashes or known IoC strings.

This level of visibility is particularly useful for a SOC team that needs context beyond simple network logs. Integrating runtime insights into a SIEM allows analysts to see the exact function calls or database queries associated with a security event, significantly reducing the time required for root-cause analysis. Furthermore, while EDR provides visibility at the operating system level, Raven operates at the application layer, capturing logic-based attacks that bypass system-level monitors.

Shifting Security from Perimeter to Execution

The move toward runtime security represents a shift in how defenders view the attack surface. Instead of merely trying to keep attackers out, the focus is increasingly on preventing runtime exploits in production by assuming the perimeter will eventually be breached. This aligns with modern security frameworks, such as MITRE ATT&CK, which emphasize the need to detect post-compromise activity. Raven’s platform monitors the ‘ground truth’ of what the application is doing, making it significantly harder for an adversary to hide within legitimate traffic flows.

Recommendations for Security Leaders

To better secure production environments, security leaders should prioritize the following actions:

  • Audit Runtime Visibility: Evaluate whether current monitoring tools can detect anomalies within the application logic itself, or if they are limited to network and host-level telemetry.
  • Integrate Application Context: Ensure that application security alerts are piped into centralized monitoring systems with enough context for rapid response.
  • Baseline Critical Applications: Establish behavioral baselines for high-value applications to ensure that any deviation from normal execution paths is immediately visible to security responders.
