7 application security startups at RSAC 2025
Friday, May 9, 2025, 11:00 AM, from InfoWorld
The RSAC Early Stage Expo, the innovation hub of RSAC 2025, was created to spotlight emerging players in the information security space. Among the dozens of startups packed into the second-floor booth area, these VC-backed newcomers in API and application security stood out.
Akto.io

Akto offers an API security platform that addresses key challenges across visibility, testing, and risk management. It begins with API discovery, shedding light on shadow and zombie APIs that often go unnoticed. Akto then automates API security testing (a process still manual in many organizations), streamlining vulnerability detection while also offering runtime threat protection. Finally, it provides API security posture management by identifying and prioritizing the most high-risk APIs within an application, helping teams focus their remediation efforts effectively.

Akto enhances API monitoring by identifying vulnerabilities, assessing risk levels, and detecting potential exposure. It runs over a thousand test cases to uncover critical issues such as broken authentication or authorization flaws, and integrates seamlessly into CI/CD pipelines, enabling automated API security at every stage of development.

The platform also leverages agentic AI to enhance API discovery, security testing, and posture management, reducing false positives, improving the depth and accuracy of results, and delivering more reliable and efficient security coverage throughout the development life cycle.

AppSentinels

AppSentinels is an API security platform that analyzes application workflows and activity across the full application life cycle. By understanding app workflows, it can test for vulnerabilities and defend against complex business logic attacks in production. The platform uses advanced AI models, including graph logic, unsupervised clustering, and state space models, to map application functionality and internal processes, enabling it to detect and block sophisticated threats. AppSentinels CEO and co-founder Puneet Tutliani said the company protects 100 billion API calls each month and aims to scale to half a trillion API calls within the next four to six months.
Product developments in the last year include enhanced and deeper business logic understanding of workflows (by leveraging test cases), continuous 24/7 penetration testing without a human in the loop (a longstanding challenge in API and application security), and runtime protection that works both out-of-band and inline. Tutliani said that business and monetary fraud is currently the top concern for their clients, and AppSentinels plans to dedicate more resources in this area.

Aurva

The Aurva security platform secures sensitive data at run time, focusing on how data is used, who accesses it, and where it flows, both inside and outside of the organization. It maps data activity in real time, combining model-layer AI security, database activity monitoring, runtime data security posture management, and data flow monitoring to provide visibility into access patterns and data movement.

For non-Windows systems, Aurva uses eBPF to monitor data packets without being in-line, enabling high-speed, low-latency performance. For Windows environments, it uses custom lightweight agents powered by Agentix to deliver similar functionality. Processing over a billion queries daily for some customers, Aurva offers comprehensive insight into data access and flows across complex environments while ensuring minimal impact on system performance.

Escape

Escape is a dynamic application security testing (DAST) platform purpose-built to detect and prioritize complex business logic vulnerabilities, issues that traditional tools often miss. Rather than focusing solely on surface-level flaws like missing headers, Escape helps organizations identify, triage, and remediate deeper vulnerabilities such as broken object level authorization, insecure direct object references, and access control issues.
Escape identifies API endpoints through multiple sources: analyzing exposed web code, crawling domains using its custom spider, and integrating directly with repositories on GitHub and GitLab to discover APIs from source code. Once APIs are discovered, Escape generates a wide array of attack scenarios, ranging from classic vulnerabilities like SQL injection or man-in-the-middle attacks to advanced business logic exploits. The platform then prioritizes findings based on their business impact, using a severity matrix that factors in traditional cybersecurity scores, exploitability, and environment-specific risk. To accelerate remediation, Escape provides code snippets tailored to each development framework, enabling faster fixes by developers and aligning with modern DevSecOps workflows, reducing friction between security and engineering teams.

Raven

Raven brings a runtime-first approach to application security, enabling organizations to analyze their code in production and de-prioritize up to 97% of open-source vulnerabilities that pose no real risk. Raven analyzes code at the functional level in real time, identifying only those vulnerabilities that are truly exploitable in the application's runtime context. At the core of the Raven platform are proprietary eBPF sensors that observe the entire stack, from the operating system to the application layer, without requiring code injection or instrumentation. These sensors trace which libraries and functions are actually in use, reducing noise and revealing the true risk profile.

Raven also employs an agentic AI system, supported by expert engineers, to pre-analyze vulnerable functions across open-source libraries. This enables library-level risk assessment when cross-referenced with a customer's live application behavior. Transitive dependencies, often hidden but equally dangerous, are also tracked and analyzed within Raven's runtime dependency graph, helping identify deep-rooted vulnerabilities.
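To make the runtime-reachability idea described above concrete, here is an added illustration (not Raven's code, and not tied to any real advisory): a constructed dependency graph with a transitive dependency, a constructed list of placeholder advisories naming the vulnerable function in each library, and a constructed runtime trace of the (library, function) pairs a sensor saw executing. An advisory is kept only when its library is actually pulled in and its vulnerable function actually ran; everything else is de-prioritized with the reason recorded.

```python
from collections import deque

# Constructed dependency manifest: library -> direct dependencies (hypothetical names).
DEPS = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["string-escaper"],   # string-escaper is a transitive dependency
    "json-utils": [],
    "http-parser": [],
    "string-escaper": [],
}

# Constructed advisories: placeholder id -> (library, vulnerable function).
ADVISORIES = {
    "ADV-PLACEHOLDER-1": ("http-parser", "parse_chunked"),
    "ADV-PLACEHOLDER-2": ("string-escaper", "unescape_html"),
    "ADV-PLACEHOLDER-3": ("json-utils", "load_untrusted"),
    "ADV-PLACEHOLDER-4": ("crypto-legacy", "md5_hmac"),  # library not shipped at all
}

# Constructed runtime trace: (library, function) pairs a sensor reported as executed.
RUNTIME_CALLS = [
    ("web-framework", "dispatch"),
    ("http-parser", "parse_headers"),
    ("template-engine", "render"),
    ("string-escaper", "unescape_html"),
    ("json-utils", "dumps"),
]


def transitive_paths(root, deps):
    """Breadth-first walk from root; returns library -> chain of libraries that pulls it in."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        lib = queue.popleft()
        for child in deps.get(lib, []):
            if child not in paths:
                paths[child] = paths[lib] + [child]
                queue.append(child)
    return paths


def triage(root, deps, advisories, runtime_calls):
    """Split advisories into reachable (library loaded AND vulnerable function ran) vs. de-prioritized."""
    paths = transitive_paths(root, deps)
    executed = set(runtime_calls)
    reachable, deprioritized = {}, {}
    for adv_id, (lib, func) in advisories.items():
        chain = " > ".join(paths.get(lib, []))
        if lib not in paths:
            deprioritized[adv_id] = "library not in dependency graph"
        elif (lib, func) not in executed:
            deprioritized[adv_id] = f"{func} never executed (via {chain})"
        else:
            reachable[adv_id] = f"{lib}.{func} executed (via {chain})"
    return reachable, deprioritized
```

Running `triage("app", DEPS, ADVISORIES, RUNTIME_CALLS)` keeps only the string-escaper advisory, because that vulnerable function ran through the transitive chain app > web-framework > template-engine > string-escaper; the other three are de-prioritized with the recorded reason.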
Raven also provides suggested remediations after finding these vulnerabilities, and includes runtime detection and response capabilities. It can detect runtime anomalies early, the company said, allowing security teams to respond faster to emerging threats.

Seal Security

Seal Security streamlines open-source vulnerability patching by making the latest security fixes backwards compatible with older library versions. These standalone patches are integrated into the build process, allowing developers to automatically address vulnerabilities without chasing updates and reducing coordination time between development and security teams.

CEO and co-founder Itamar Sher said that the company has focused on two additional areas beyond application security in the past year: securing open-source operating systems and securing container images. All three are now combined into the Seal Security package. If you have a security patch for your OS that Seal detects, you just have to press a single button to deploy the latest patch applicable to your specific environment, Sher said. Seal makes sure that all of the open-source components that are part of your build chain are secure, and come from a secure source. Seal commits to customers that they can take a container base image and make a vulnerability-free version of it within three days.

In addition, Seal Security has expanded its support of programming languages in the past year from five languages to eight, including Java, C# (.NET), Python, JavaScript, C, C++, PHP, and Ruby.

Seezo

Seezo addresses application security even before developers start coding with an AI-powered security design review (SDR) platform. Seezo automates the traditionally manual and resource-heavy process of conducting security design reviews for every new feature the engineering team builds, before they build it, helping to shift security even further left in the software development life cycle.
Instead of relying on scarce App Sec personnel (the industry average is just two security professionals for every 100 developers), Seezo uses AI to analyze design documents, Jira tickets, product requirement documents, and architectural diagrams. From this context, it generates tailored security requirements for developers before a single line of code is written. This early intervention dramatically reduces the number of vulnerabilities introduced later in the development pipeline, according to the company. Where manual security reviews currently cover only 10% to 15% of new features, Seezo aims to scale this coverage to 100%, without requiring teams to grow exponentially. Seezo is LLM-agnostic, prioritizing performance to ensure its solution remains flexible and efficient across SaaS and on-premise deployments. By automating the generation of contextual security guidance at the design stage, Seezo helps developers to build securely from day one, bridging the gap between product design and secure implementation.
https://www.infoworld.com/article/3981442/7-application-security-startups-at-rsac-2025.html