It is 9:47 p.m. on a Wednesday and somewhere in the world, a botnet is trying on stolen credit cards like a teenager in a department store dressing room. A Fortune 500 retailer's checkout page is the dressing room. The botnet's plan is simple - test cards, find live ones, run. The plan fails. Not at checkout. Not at login. The plan fails because, four pages earlier, something noticed how the cursor moved.
That something is Spec. The company does not, as a rule, get loud about its work. Its customers do not, as a rule, want to advertise that they need it. But Spec, headquartered in downtown San Jose with roughly 180 people, sits in the quiet plumbing of the consumer internet - between you, your favorite e-commerce brand, and the increasingly clever people trying to rob both of you blind.
The official line is that Spec is "the AI-resistant fraud prevention platform protecting the world's largest consumer brands." The unofficial line, the one founder Nate Kharrl tends toward in interviews, is that legacy fraud tools were built for a world that no longer exists - and that world ended somewhere around the time large language models learned to fill out forms.
// 01Who They Are Now
Spec is, to start with the unromantic facts, a B2B SaaS company. It sells to enterprise security and risk teams at consumer brands - retail, ticketing, food delivery, marketplaces. It has raised about $33.7 million, the most recent slice being a $15 million Series A in October 2023 led by SignalFire, with Legion Capital and Rally Ventures along for the ride. Annual revenue is in the neighborhood of $26 million. The company was founded in 2020 as SpecTrust and shed the "Trust" in 2022, which is the kind of move only confident companies make.
The product itself is a single platform that does something deceptively boring-sounding - it collects and unifies what Spec calls "Journey Data." The journey, in this case, is the entire arc of a user's interaction with a website. Not the login moment. Not the checkout moment. The full path. Every mouse twitch, every form-field correction, every tab that opened in the background.
than traditional fraud tools collect from a single customer session, per Spec's product disclosures.
// 02The Problem They Saw
Online fraud has always been a cat-and-mouse problem. What changed - what made Spec necessary, in the founders' telling - is that the mice got robots. Generative AI, agentic browsers, and cheap automation turned what used to be a human-scale crime into an industrial one. A fraudster in 2014 was a person at a laptop. A fraudster in 2024 is a person with software that can spin up 10,000 plausible-looking sessions before lunch.
The defenses, meanwhile, hadn't really moved. Most fraud stacks still pinged a third-party score at login, ran a check at checkout, and called it a day. They were, as Kharrl has put it in podcast appearances, treating fraud like a passport control booth when the actual problem was a leaking border.
There is also a meta-problem. Many fraud tools are themselves AI products, which means they leave behavioral signatures of their own - which means sophisticated attackers can probe them, learn them, and route around them. Spec's founders saw this coming earlier than most. The company's branding leans hard into the phrase "AI-resistant" for a reason.
// 03The Founders' Bet
Nate Kharrl is not someone who arrived at fraud prevention through a side door. He spent years at Akamai, then ThreatMetrix, then eBay - which is to say he watched fraud evolve from inside three of the companies most exposed to it. His co-founders Patrick Chen and Bryce Verdier brought adjacent operating experience. The three started Spec mid-pandemic in 2020, which was, depending on your worldview, either terrible timing or perfect.
The bet was structural. Rather than build another point solution - another scoring API, another bot detector, another identity check - they would build the connective tissue. A platform that ingested every signal a customer brand could generate about a user's journey, linked the signals across sessions and channels, and let the brand's own risk team write rules against the whole picture. No-code, deployable by the security team itself, without a six-month integration project.
It was an unfashionable bet. The fraud market in 2020 wanted black-box AI scores. Spec wanted to hand customers the raw journey and let them reason about it. The market, eventually, came around.
The short, mostly chronological history of Spec
SpecTrust founded in San Jose by Nate Kharrl, Patrick Chen, and Bryce Verdier. Building begins on a no-code fraud platform.
Early seed funding from Ribbit Capital and others. First Fortune 500 customers go live.
SpecTrust rebrands to Spec. New platform features launch. Additional funding closes.
$15M Series A led by SignalFire. Total funding crosses $33M. Headcount expands toward enterprise sales.
Launch of Spec ID (Journey Data fingerprinting) and Site Sentry (proactive attack-surface analysis).
Roughly 180 employees. Customers across e-commerce, ticketing, food delivery, and marketplaces.
// 04The Product, In English
Spec's platform has a few named pieces. The Trust Cloud is the data layer - it ingests behavioral signals from across the customer journey and unifies them. Spec ID does what the company calls Journey Data fingerprinting, which is a polite way of saying it links sessions across devices and channels so a fraudster cannot just open a new tab and become a new person. Site Sentry sweeps a customer's site for the kind of weak spots that fraud rings probe first - the forgotten coupon endpoint, the dusty refund flow.
Behind all of this is the operative philosophy - that fraud is not a moment, it is a pattern. A login from Lagos at 3 a.m. is not, by itself, suspicious. A login from Lagos at 3 a.m. immediately preceded by 200 identical signup attempts, all of which corrected the same form field in the same way, is a different story. The legacy stack sees the first thing. Spec sees the story.
// 05The Proof
Customers do not, as noted, love going on the record about who is protecting their checkout. But Spec discloses in aggregate that customers using its platform report reductions in fraudulent and abusive activity exceeding 99 percent. That number is the kind of statistic that should be treated with a raised eyebrow - until you remember that what it is replacing is often a rules engine written in 2017 and a third-party score the security team stopped trusting in 2019.
By the numbers
The customer mix tilts toward the kinds of brands fraudsters love most. Ticketing platforms, where bots have been a sport since the 2000s. Food delivery, where refund abuse is a hobby for some users and a small industry for others. Online marketplaces, where new-account fraud and collusion rings are perennial. Retail e-commerce, where card testing remains depressingly profitable. Spec's pitch to each of them is the same - your fraud problem is bigger than your login form.
// 06The Mission
If you asked Kharrl what Spec is for, in plain language, he would likely give you a version of this - make AI-powered fraud tools obsolete. It is a maximalist goal, which is why it is also a useful one. It implies a direction of travel rather than a destination. Every quarter, the bots get smarter and cheaper. Every quarter, the defense has to be smarter and cheaper too. Spec is structurally betting that owning the journey data is the way to stay ahead.
There is also a quieter mission, which is to give security teams back some agency. The last decade of fraud prevention pushed enterprise teams into a passive posture - subscribe to a score, hope for the best, explain to the CFO why chargebacks went up anyway. Spec's no-code rule-building, its raw journey data, its plug-in-and-go integration, are all designed to put the brand's own team back in the driver's seat. Whether they want to be there is a different question - the ones that do, by all accounts, stay.
// 07Why It Matters Tomorrow
The internet is getting weirder. Agentic AI - software that can browse, click, fill in forms, and complete purchases on behalf of a human or, more interestingly, on behalf of nobody - is moving from research demo to background reality. Most consumer brands have no idea how to tell a helpful agent from a hostile one. Many would prefer not to know, which is a luxury that probably ends sometime soon.
Spec's bet, the long one, is that the answer is behavioral. You cannot trust a user-agent string. You cannot trust an IP. You can trust, more than people think, what an actor actually does across a journey - the sequencing, the timing, the small tells that humans produce and software still mostly does not. As AI agents proliferate, behavioral linking becomes less of a fraud tool and more of a basic trust primitive for the consumer internet.
Back to that 9:47 p.m. Wednesday. The botnet that tried on stolen cards in the Fortune 500 retailer's checkout did not get caught at checkout. It got caught when its sessions started looking suspiciously similar - same cursor accelerations, same field-fill order, same micro-delays - across what were ostensibly thousands of different shoppers. By the time any single session reached payment, Spec had already linked them into one big, obvious story. The retailer's loss-prevention team did not have to do anything. The retailer's CFO never heard about it. Which is, if you talk to security people, the highest compliment a fraud platform can earn. Quiet, on time, and one step ahead of the robots.
Photo / illustration: Spec product visualization, via Spec. Caption photography in the spirit of Vincent Musi - one cursor, two stories, somebody's audit log is about to get interesting.