The company that stopped watching software from the outside - and put the guard inside the running code.
Contrast Security's wordmark, photographed against navy - a company built by the people who wrote the industry's rulebook, OWASP, and then set out to enforce it from within the application itself.
For two decades, application security worked like a home inspection - someone walked the perimeter, scanned from outside, and handed over a list of things that might be wrong. Contrast Security took a different view. Instead of examining software from the outside, it instruments the application from within, embedding sensors directly into the running code so it can see exactly which vulnerabilities sit on paths that actually execute, and block attacks as they happen.
Founded in 2014 by Jeff Williams and Arshan Dabirsiaghi - both veterans of OWASP, the open-source community that gave the industry its shared vocabulary for software risk - the company set out to replace legacy tools that generated more noise than signal. Williams, who authored the OWASP Top 10, remains chief technology officer.
The technical bet is called instrumentation: the same technique performance-monitoring tools use to watch how code behaves, repurposed to watch for attacks. Because Contrast sits inside the process, it can distinguish a reachable flaw from a theoretical one, which cuts down the false positives that lead developers to ignore security tooling altogether.
Today the platform spans the full arc of application security - interactive testing (IAST), static analysis (SAST), software composition analysis (SCA), runtime self-protection (RASP), and, since 2024, Application Detection and Response (ADR). The through-line is consolidation: one agent doing the work of an entire toolchain.
"Companies have invested in detection and response across the network - EDR, NDR, ITDR - but attackers continue to leverage gaps in applications and APIs. ADR closes that critical gap."
Rick Fitz, Chief Executive OfficerApplication Detection and Response spots threats and blocks live attacks - including many zero-days - inside custom apps and APIs. Debuted at Black Hat USA 2024.
Interactive testing that uses runtime instrumentation to find vulnerabilities only on code paths that actually run, sharply reducing false positives.
Runtime self-protection that blocks production attacks in real time at under 5% overhead, using the same agent as Assess.
Static analysis of source and binary code to surface vulnerabilities early in the development lifecycle.
Software composition analysis that flags open-source and third-party risk with runtime context on which libraries are truly used.
Free tooling that puts code and open-source scanning directly in developers' hands - an on-ramp to the platform.
Future co-founder Jeff Williams helps create OWASP and authors the OWASP Top 10, shaping how the industry talks about software risk.
Williams and Arshan Dabirsiaghi launch the company to commercialize deep security instrumentation and secure software from the inside out.
Contrast introduces runtime self-protection with support for Java, .NET and ColdFusion, sharing one agent with its testing product.
Raises $150M led by Liberty Strategic Capital at a valuation over $1 billion, bringing total funding to roughly $274M.
Former Splunk executive Rick Fitz joins as chief executive to scale the company and its runtime platform.
Contrast introduces Application Detection and Response, defining a category for stopping app-layer attacks and zero-days in production.
Named a Visionary in the 2025 Gartner Magic Quadrant for Application Security Testing.
"Being named a Visionary in Gartner's Magic Quadrant reflects the impact Contrast is having as customers modernize application and API security."
Rick Fitz, CEO - October 2025Contrast secures software from the inside out. It embeds security sensors directly into running applications to find vulnerabilities and block live attacks in real time, spanning testing (IAST, SAST, SCA), runtime protection (RASP) and detection and response (ADR).
It was founded in 2014 by Jeff Williams and Arshan Dabirsiaghi, both veterans of the OWASP open-source security community. Williams, who authored the OWASP Top 10, remains chief technology officer.
Application Detection and Response, launched at Black Hat USA 2024, detects threats and blocks attacks - including many zero-days - that target custom applications and APIs, from inside the running application itself.
About $274M in total across six rounds. Its 2021 Series E raised $150M, led by Liberty Strategic Capital, at a valuation above $1 billion.
Instead of scanning software from the outside, Contrast instruments the application from within. That lets it flag only the vulnerabilities on code paths that actually run - reducing false positives - and block attacks live at under 5% performance overhead.
Profile compiled from public sources including Contrast Security press releases, Crunchbase, PitchBook, Gartner and Business Wire. Figures such as revenue are estimates and marked approximate where relevant.