The engineer building the risk layer that decides, in milliseconds, whether the person logging in is really who they claim to be.
Johan Brissmyr
Every time someone logs into an app, a quiet question runs underneath the screen: is this really you? Johan Brissmyr built a company around answering it before the page finishes loading.
As CEO and co-founder of Castle, Brissmyr runs a security platform that watches how people actually behave - the devices they use, the rhythm of their requests, the small signals that separate a returning customer from a bot or a stolen credential. Castle turns all of it into a risk score from 0 to 100. Low-risk users glide through login and signup untouched. Higher-risk ones get pushed into verification or manual review. The goal is protection that stays invisible until the moment it is needed.
Castle's customers are the kind of online businesses that live and die by trust: marketplaces, fintechs, consumer apps, anything where accounts hold money or value. Brissmyr's blunt read on who gets attacked has become something of a company thesis. "Any online business that handles money is going to be a target for sure," he has said. The categories he worries about are familiar to anyone who runs a consumer product - account takeover from breached passwords, synthetic identities built to defraud, chargeback schemes that keep getting more sophisticated.
What makes his approach distinct is the insistence that good users should never feel the machinery. Most fraud tooling was built for large banks with security teams and budgets to match. Castle's pitch is that the same grade of defense should be reachable through a few API calls by a startup with none of that. Device fingerprinting, behavioral signals, and analytics get bundled into something a small team can actually deploy.
"Low-risk users can be sped through the login or signup process, while higher-risk users can be put through a verification flow or extra manual scrutiny."
- Johan Brissmyr on Castle's risk-based approachBrissmyr did not arrive at fraud detection in a straight line. He is a computer scientist by training, with a Master of Science from the Faculty of Engineering at Lund University in Sweden. Early in his career he worked at the chip company ARM before the pull of building his own products took over. With a few colleagues he left a large company to start a web development shop called Popdevelop, an unglamorous but formative move that put him in the founder's seat.
The first real startup was a hard lesson. It had five co-founders and lasted about eighteen months before collapsing under the weight of disagreement. He is candid about why. "We were five co-founders, and it was hard to agree on a direction," he has said. "We should have talked these things through before starting a company." The takeaway shaped how he builds now: alignment before ambition. His advice to would-be founders carries the same pragmatism - go work at a startup first, "a year or so, so they can learn what it's like without all the responsibility."
Before Castle he built in adjacent territory. He was CTO and co-founder of SettleBox, a portable digital identity meant for buying and selling on marketplaces like Craigslist and eBay, and then CEO and co-founder of Userbin, which offered authentication as a service for consumer applications. Identity and trust kept surfacing as the problem he circled back to.
Castle itself was, by his own account, a happy accident. He and co-founder Sebastian Wallin set out to build password-storage software, and somewhere in the work they noticed the more interesting thing was the risk model underneath. "This is way cooler than what we were originally looking for," he remembers thinking. They followed the pivot, and it became the company.
Getting into Y Combinator took stubbornness. Castle was rejected twice before being accepted on the third application, joining the Winter 2016 batch. Brissmyr has spoken about what the program actually delivered - mentorship from founders who had done it before, and the validation that the idea was worth chasing. It also meant relocating a Swedish company into the center of Silicon Valley, and later New York, where he is now based in Brooklyn.
"You have to leave a little of the Swede behind when you're pitching. People can find you too laid back."
- On adapting to Silicon ValleyThat line captures a real adjustment. Swedish business culture prizes understatement; American venture culture rewards conviction spoken loudly. Brissmyr learned to keep the substance and turn up the delivery. Alongside it he picked up a founder's confidence that is easy to forget under the noise of advisors and investors. "No one has more experience running your company than you do," he has said - a reminder that proximity to the problem is its own kind of authority.
Today Castle sits at the intersection of device intelligence and behavioral risk, with integrations into the tools modern product teams already use, including data platforms like Twilio Segment for feeding activity signals in real time. The company has raised roughly $11.8 million across its rounds, including a Series A, and grown to a team of around fifty. Brissmyr's ambition has stayed consistent from the start: make sophisticated fraud protection accessible to businesses of any size, let the honest users pass without friction, and make life measurably harder for everyone else.
Studies computer science at Lund University's Faculty of Engineering, earning an MSc.
Works at chip company ARM, then leaves a large company with colleagues to start web shop Popdevelop.
A five-founder startup runs about 18 months before collapsing over direction - a lasting lesson in alignment.
Co-founds SettleBox (portable digital identity) and Userbin (authentication as a service).
Founds Castle in Malmo with Sebastian Wallin, pivoting from password storage to fraud detection.
Castle graduates Y Combinator (W2016) - accepted on the third try.
Closes a Series A; total funding reaches roughly $11.8M.
Leads Castle from New York, growing device intelligence and behavioral risk products.
Any online business that handles money is going to be a target for sure.
This is way cooler than what we were originally looking for.
No one has more experience running your company than you do.
We were five co-founders, and it was hard to agree on a direction. We should have talked these things through before starting a company.
You have to leave a little of the Swede behind when you're pitching.
Low-risk users can be sped through, while higher-risk users can be put through extra scrutiny.
Castle began in Malmo, Sweden before making the jump to Silicon Valley through Y Combinator.
The flagship product was a pivot from a password-storage tool that turned out to be less interesting than the risk model beneath it.
Y Combinator said no twice. Castle got in on the third application.
Before founding, he was an engineer at ARM, the chip design company.
His GitHub, Twitter/X, and Instagram handles are all simply "brissmyr."
He is based in Brooklyn, New York, running a company that started an ocean away.
He is a Swedish software engineer and entrepreneur, the CEO and co-founder of Castle, a fraud and account-takeover detection company.
Castle is a security platform that scores user activity in real time using device fingerprinting and behavioral signals to detect bots, fake accounts, account takeover, and transaction abuse.
He earned a Master of Science in Computer Science from the Faculty of Engineering at Lund University in Sweden.
Castle was founded in 2015-2016 in Malmo, Sweden by Johan Brissmyr and Sebastian Wallin, and later went through Y Combinator's Winter 2016 batch.
Castle has raised roughly $11.8 million in total funding, including a Series A round closed around February 2019.