The runtime defense team you deploy, not the one you hire. A 27-person company that promises to stop AI, API, and web attacks before a human reads the alert.
Caption: Castro Street, 4:47 a.m. The lights at 584 are off. Somewhere in the cloud, a defense agent just answered a request the on-call engineer will never have to read.
Dispatch · San Francisco · 2026
That small piece of software is Impart Security. It is, by stated category, a WAF. By practical category, an engineering team you deploy rather than hire. By accidental category, a quiet rebuttal to the idea that more dashboards make anyone safer.
"At AI speed, runtime is the only source of truth." — Impart Security, on its own platform page
By the Numbers
The People
Jonathan DiVincenzo, Marc Harrison, and Brian Joe did this once before. Their last company, Signal Sciences, was a WAF that engineers actually liked. Fastly bought it in 2020 for around three quarters of a billion dollars. Most founders would have taken the year off. They took the year to start over - this time aiming at the layer above HTTP, the one where AI agents now live.
Signal Sciences alum. Runs the customer side and the press conferences. Based in San Francisco.
Long career in CDN and WAF engineering before Impart.
Product and platform veteran from the Signal Sciences era.
The Platform
Most security vendors sell you a thing and then sell you another thing to operate it. Impart's pitch is the opposite: one runtime, several modules, no acronym tax. Here is what runs inside it.
Impart doesn't replace your security team. It gives them a colleague who never sleeps, never escalates, and never asks for a Slack channel.
What CISOs Actually Spend Their Time On
Impart's argument for existing, illustrated below. The exact percentages vary by survey; the shape of the bar chart does not. Detection has been solved. Response has not.
Source: industry estimates, approximate. Impart's pitch is to collapse the top bar into the bottom two.
Who's Already Running It
Gambling, burritos, sports merch, mortgages, insurance. Impart's customers don't share a vertical; they share a problem - too much API traffic, too few engineers, too little tolerance for downtime.
Recent Movements
The Twist
Most security platforms ask the customer to author rules in a YAML-shaped trench. Impart inverts the contract: the customer hires the platform, and the platform writes - and owns - the runtime policy. The phrase the company uses internally is "engineering platform." The phrase the customers use is "we got our Tuesdays back."
WAF, API security, CADR, and LLM protection in one runtime - not four contracts and a Slack bridge.
Detection and response happen in the request path, in milliseconds, deterministically.
The team has shipped the previous generation of WAF. They know which abstractions cost sleep.
MCP protection and LLM guardrails ship today, not when "the AI agenda" finally lands on the roadmap.
What People Can Actually Do With It
Block prompt injection at the model boundary. Discover the API endpoints your last team forgot to document. Quarantine an agent that started behaving like a brute-force script. Replace seven dashboards with one. Sleep through low-severity traffic anomalies and trust the policy to handle them. Send your CISO an actual graph instead of a Jira backlog.
The Money
Led the $12M Series A in June 2025. Managing Director Karan Mehandru on the board.
Led the 2022 Seed. Re-upped at the A.
Seed and A investor.
Early backers at the Seed stage.
Where to Read More
Back to Castro Street
The lights at 584 are still off. The agentic crawler from Tuesday morning has long since lost interest. Inside the cloud, a defense agent signed by a small company on a quiet block has filed a graph, throttled a pattern, and gone back to listening. Somewhere in lower Manhattan, an on-call engineer is sleeping. That is the change. That is also, more or less, the entire pitch.