How Kasada Fights Back Against Bots

Australian-based company Kasada seeks to undermine the economics of malicious automation

By Rohan Pearce

Editor, CSO | FEB 23, 2020 8:24 PM PST

Could Kasada become Australia’s first cyber security ‘unicorn’? AustCyber CEO Michelle Price raised the possibility at a 2019 event marking the launch of NSW’s Cyber Innovation Node.

That the question could even be posed about a half-decade-old company might seem astonishing, but Kasada has managed to win clients among the ASX 100 and Forbes Global 2000, which is an impressive feat for any startup let alone one in the security space. However, it’s perhaps not surprising given Kasada’s founder — Sam Crowther’s idea of a good time when he was a teenager was doing work experience with the Defence Signals Directorate (now the Australian Signals Directorate) — as well as the particular niche the company has sought to fill: Fighting back against the plague of malicious bot-driven attacks on web applications.

As a teenager, Crowther worked with DSD for a number of years. When he finished high school he started a software engineering degree but the experience of dealing with the real-world challenges of information security made university less appealing.

Instead he ended up doing a year-long stint at Macquarie Bank. “I was brought on board to find problems and solve them in relation to security,” he explains. He left the Macquarie Group in 2015 to found Kasada. Like many of the best startup ideas, it was born out of “personal pain,” Crowther says. He was seeking to address a number of different problems that all had a common thread of automation. “So there are problems around account abuse, credit card abuse, and data scraping,” he says. “The thing that tied them all together was the fact that I could leverage a piece of code that I’d written to perform the tasks — and that was the only thing that made them viable.” The idea of combating the malicious use of automation is at the heart of Kasada and its bot detection and mitigation platform.

Going from the initial idea to Kasada involved a “lot of luck” Crowther says somewhat modestly. “I built a prototype and proved that it could work. From there, I looked at getting a little bit of angel money. I scraped some money together from some friends and family and then hired two guys to work with me to build the very first proper version.” “That took place over the course of about six to nine months,” he says. Kasada is “more or less a reverse proxy,” Crowther explains. “The idea is that customer routes traffic to their applications via us. We validate that it’s good and we send the good stuff back to them.”

There are a lot of use cases because there’s so many ways in which automation can be used to abuse web-facing systems, he adds, but the three that are the most common are account fraud, data scraping, and abuse of loyalty schemes. Account fraud can involve using stolen credentials to attempt to access a customer’s accounts. “The reason that that’s viable is because when you have a million credentials, you can have a piece of code performing a million logins across 10,000 websites in a relatively short period of time. If you tried to do that manually, it wouldn’t work,” Crowther says.

One of the companies known to be a Kasada customer is REA Group, which uses Kasada to combat automated data scraping.

“They had a real problem where competitive businesses were scraping listings data, which at the end of the day is intellectual property that belongs to them. And so they needed us to help them stop these people from just stealing their data,” Crowther says.

Kasada CEO Sam Crowther

The third common use case is combating fraud involving loyalty and rewards programs: “I have what is essentially a something of value; it’s not money initially, but it can be readily converted to money. We work with a number of big retailers and hospitality companies to protect the rewards programs just because it’s so rampant with automated fraud.”

Two of the key selling points for Kasada is how it detects malicious bots and how it mitigates the threat they pose to a business, the CEO says. Crowther says that instead of performing pattern analysis over time to detect malicious bot traffic, Kasada tries to “make decisions immediately.” “From that very first interaction, what we’ll do is actually interrogate the inbound application to make sure that it is, in fact, a legitimate browser of a customer. So that bit is very unique,” the CEO says.

The second thing that distinguishes Kasada is that instead of just outright blocking traffic it identifies as malicious, it seeks to undermine the economics of running a bot. “So an example of that may be using this proof of work that we’ve designed to just tie up computational resources,” explains Crowther. “All of a sudden we can introduce real dollar costs to run this bot for extended periods of time; it deters people very quickly.”

Retailer True Alliance is another Australian company known to be using Kasada’s services. Many of the Kasada’s customers are sensitive about revealing their use of the company’s platform, Crowther says. “We work with some of the biggest online gaming companies globally, some of the biggest hotel companies globally, some of the big energy providers,” he says.

In May 2019, Kasada raised $6.5 million in funding with CSIRO-backed venture firm Main Sequence Ventures and the Westpac-backed Reinventure Group both participating in the capital raising. Crowther says that right now the company has a major focus on the US market and making sure that it gets its customer success, support and sales teams in the region right. “We’ve proven within a relatively small market in Australia that we can do a good job; now it’s time to take it to the big pond, so to speak,” he says.

When it comes to Kasada’s product offering, the CEO says that there are “some other things” it’s working on but the focus at the moment is largely on “making sure that we make this product as good as it can be and solve as many problems for customers as we can. Once we have that critical mass, then it will make sense to start releasing other bits of product functionality and products.”