Shape Security in the CDN Ecosystem


Shape Security is an up-and-coming cyber security company offering a web security appliance that protects websites against automated bot attacks and malware. Their product is called the ShapeShifter, and is the first botwall ever introduced into the marketplace. The core technology driving the ShapShifter is the polymorphic engine that dynamically changes the make-up of the software code underlying the login section of the website. Every time the web page loads, the code and the position of the code changes, thus confusing and disrupting the ability of the automated bot to enter the username and password.

Shape Security has developed an incredible amount of traction globally amongst enterprises of all sizes. A company executive stated that Shape Security will sell $10M+ worth of products in 2014. I’ll go a step further and predict that Shape Security surpasses $100M in revenue in 2015, raising its market valuation to the $1B to $1.5B range. A large majority of the hot cyber security companies that have generated $100M in annual revenue have reached $1B in market valuation. Barracuda Networks, Imperva, Palo Alto, FireEye, and many others have proven this already.

Company Background
  • Raised: $66M in funding
  • Linkedin Employee Count: 50
  • Co-founders: Sumit Agarwal (VP), Derek Smith (CEO) and Justin Call (CTO)
  • VC Backers: Google Ventures, Kleiner Perkins, Eric Schmidt and others
  • Product: Web security appliance that is the first “BotWall”
  • Service: Protects the login section of a website against automated bot attacks and malware
  • Core technology: Polymorphic engine that dynamically changes software code every time the web page loads
  • Customers: Fortune 1000, Government Agencies and Mid-market
Product Features
  • ShapeShifter is a 1U stackable appliance
  • Protects against automated bot threats, account takeover, application DDoS, man-in-the-browser attacks, carding, account lockout and cross site forgery
  • Easy installation. Only requires the set up of a few load balancing rules that separates traffic destined for the ShapeShifter
Shape Security in the CDN Ecosystem

The ShapeShifter would be a nice addition to any CDN product portfolio. For Akamai, it would help deepen their security stack beyond DDoS and WAF functionality, where it would be able to provide eCommerce customer’s the ability to evade bot attacks targeting the login section of a website. For Limelight and EdgeCast, the addition would help improve their security offering beyond the basic DDoS protection, and put them closer to the CyberSecurity CDNs CloudFlare and Incapsula.

Although the ShapeShifter is a perfect fit for any CDN, integrating the appliance into the CDN software stack would require a massive engineering effort. It wouldn’t be as easy as throwing 1U boxes into a rack alongside the caching servers, and you’re off to the races. The CDN would need to create a section on the CDN dashboard that provides the  visual metrics that come with the ShapeShifter. CDN customers like to see the features (e.g. reporting) they are paying for in order to justify the high price tag. How much could a CDN charge for this feature? I would put it in the ball park of $5k/month to $15k/month, depending on the size of the eCommerce customer, and the amount of bandwidth they push monthly.


Shape Security is ahead of the cyber security competition by 1-2 years. It’s only a matter of time before companies such as Barracuda Networks start offering their polymorphic technology. Shape Security has the first mover advantage, and a limited time window to dominate this particular security segment. My prediction is they will dominate this segment, and become a major cyber security company alongside Barracuda Networks and Imperva.  Shape Security in the CDN Ecosystem

Scroll to Top