Breaking
WALLARM CLOSES $55M SERIES C - JULY 2025 NAMED API SECURITY PLATFORM OF THE YEAR 2025 134% NET REVENUE RETENTION ACROSS ENTERPRISE PROTECTING APIs FOR PANASONIC, DROPBOX, MIRO, SEMRUSH NEW: AGENTIC AI PROTECTION FOR LLM AGENTS HQ: SAN FRANCISCO - TEAM: ~210 GLOBAL WALLARM CLOSES $55M SERIES C - JULY 2025 NAMED API SECURITY PLATFORM OF THE YEAR 2025 134% NET REVENUE RETENTION ACROSS ENTERPRISE PROTECTING APIs FOR PANASONIC, DROPBOX, MIRO, SEMRUSH NEW: AGENTIC AI PROTECTION FOR LLM AGENTS HQ: SAN FRANCISCO - TEAM: ~210 GLOBAL
YesPress · Field Report

Wallarm. The quiet giant of API security.

More than half the APIs you touched today - banking, retail, gaming, your favorite SaaS - quietly pass through their inspection layer first. You won't see them. That's the point.

2016Founded
$80M+Total Raised
~210Employees
SF, CAHeadquarters
Wallarm platform overview
Above: the Wallarm console - dashboards no security team brags about until something tries to break through.
Share this page LinkedIn Twitter / X Facebook Instagram

Dispatch 01 · Right NowThe company you've never heard of, sitting on your traffic.

Walk into a Wallarm customer's NOC at 3 a.m. on a quiet Tuesday. The dashboards look almost boring. Green lines, low jitter, a few amber pulses where credential-stuffing bots have learned to hide inside legitimate-looking JSON. Everything that should be quiet is quiet. That is what an API security platform looks like when it is doing its job - the absence of a phone call.

Wallarm sells the absence of phone calls. They have been doing it since 2016, from a Sansome Street address in San Francisco, with a team of about 210 spread across San Francisco, Austin and a long tail of remote engineers in places that produce excellent Rust. In July 2025 they closed a $55M Series C led by Toba Capital. Total funding crossed $80 million. And in a market crowded with vendors yelling about "next-gen" everything, Wallarm did the only thing more impressive than yelling: they kept renewing.

134 percent net revenue retention. That is the line auditors stare at twice. It means customers do not merely stay - they spend more next year than they did this year, often a lot more. In security, the year-after-year retention is the only review that matters. Everything else is theatre.

"Every app is an API now. Wallarm is what stands between that API and the rest of the internet." Field note - YesPress, May 2026

Dispatch 02 · The ProblemThe internet quietly turned into a pile of APIs. Defense stayed put.

Once upon a time, web traffic was mostly humans clicking on pages, and protecting it meant a firewall that watched for SQL injections aimed at login forms. The Web Application Firewall - the old, beige, polite WAF - had a perfectly good decade. Then the web stopped being a web.

Around 2016, a quiet thing happened. Mobile apps multiplied. Single-page apps shipped. Microservices replaced monoliths. Every front-end became a thin shell talking to a back-end through dozens, sometimes hundreds of APIs. Today over eighty percent of internet traffic is API traffic. The front door moved. Most security budgets did not.

That's the gap Wallarm walked into. Not as another WAF vendor pretending to do "API protection" with a new sticker. As an API security company first, building backwards into the WAF the rest of the industry was still selling.

FILED, 03:14 a.m.: The old WAF was built for pages. APIs do not have pages. They have endpoints, schemas, OAuth tokens, GraphQL queries, and the occasional misconfigured cursor that leaks half a CRM. You cannot protect what you cannot enumerate.

Dispatch 03 · The BetTwo white-hats walk into Y Combinator.

Wallarm was co-founded by Ivan Novikov and Stepan Ilyin. Novikov - known in research circles by the handle d0znpp - had spent more than a decade breaking things that other people sold. He had the unusual credential of having found bugs in vendors he would later compete with. Ilyin brought the product instincts.

They went through Y Combinator's W16 batch with what was, at the time, a slightly heretical thesis: that traditional WAFs would fail at API scale, and that machine learning - actual model-driven traffic analysis, not just signature matching - was the only honest way to keep up.

It is the sort of bet that sounds obvious in retrospect. In 2016, it was a fight. Big vendors had distribution, regulators had checklists, and "API security" wasn't yet a Gartner category. Wallarm spent the next nine years patiently being right.

"The best security companies are not the loudest ones. They are the ones whose customers stop being in the news." Anon. CISO, quoted in conversation

A short, slightly suspicious timeline

2016
Wallarm incorporates in San Francisco. Goes through Y Combinator W16. The "API security" tag does not exist on Gartner yet.
2018
Series A. Toba Capital and Partech lead. Customers start showing up from financial services - the people who read incident postmortems for fun.
2021
Series B. The pandemic moves every retailer onto APIs they did not have a year ago. Wallarm is on the phone.
2023
Platform unifies API discovery, attack prevention, and testing into a single console. Customers stop juggling four tools.
2025
$55M Series C in July. Named API Security Platform of the Year. Ships Agentic AI Protection - because the new attackers are not people anymore.
2026
Quietly inspects more than half of public-facing APIs at large enterprises. Does not put it on a billboard.

Dispatch 04 · The ProductOne platform, four jobs, no business about adding more SKUs.

Wallarm resisted the security-industry tradition of selling a separate logo for every problem. The pitch is unfashionably simple: one platform, deployed once, that does the four jobs an API security team actually needs.

API Discovery

Finds every API you have - including the ones engineering forgot about - and flags exposed secrets and sensitive data.

Attack Prevention

Runtime layer that blocks OWASP API Top 10 attacks, credential stuffing and injections in real time.

API & AI Testing

Pre-production testing for APIs and AI endpoints so the holes get found before shipping, not after.

Agentic AI Protection

Defends LLM-driven agents against prompt injection, jailbreaks and agent-logic abuse.

The platform runs on a stack you would expect from a team that has been doing this long enough to have opinions: ClickHouse and Elasticsearch for the haystack, Go and Rust for the proxy, PostgreSQL for the boring parts. Deployable on-prem, in any major cloud, or as managed SaaS. The point is to disappear into whatever architecture the customer already has, not to demand a rewrite.

"We did not want to add the eleventh dashboard to a CISO's life. We wanted to remove three." Paraphrase of the product philosophy

Dispatch 05 · The ProofReceipts, please.

The names Wallarm publishes on its own site are a kind of receipt: Panasonic, Dropbox, Miro, Semrush, Rappi, Wargaming, Victoria's Secret, Samsung. The pattern is instructive. These are not pilot projects. They are companies whose entire business model rides on whether an API stays up and uncompromised.

PanasonicDropboxMiroSemrush RappiWargamingVictoria's SecretSamsung

Wallarm funding, 2016 - 2025

USD raised per round · source: company press releases
2016 Seed
$2.3M
2018 Series A
$8.0M
2021 Series B
$10.0M
2025 Series C
$55.0M

The shape investors like: a long, patient climb, then a step change once the market they bet on shows up. Total raised exceeds $80M.

Dispatch 06 · The MissionSecure every API. Then secure every AI agent making API calls on someone's behalf.

Mission statements are usually where a profile goes to die. Wallarm's is short enough to survive: secure every API and AI interaction across the modern enterprise. The second half of that sentence is the new part, and it is the part the rest of the security industry is just starting to catch up to.

Because the next adversary is not a person typing curl into a terminal. It is an AI agent, instantiated by a developer at a customer site, given OAuth scopes, and sent off to do useful work. Most of the time it does. Occasionally it gets prompt-injected into doing something else. Wallarm's Agentic AI Protection sits between agents and the APIs they hit, watching for the patterns that mean an agent has been talked into a bad day.

OVERHEARD AT RSA: "The bot traffic problem just got recursive. Bots are now using bots to attack bots. Someone better be watching the door."

Dispatch 07 · Why It Matters TomorrowIf the API is the new perimeter, this is the new perimeter team.

For thirty years, "the perimeter" meant a firewall and a VPN. Both still exist. Neither is where the action is. The action is in the API call between a mobile app and a payments service, between an AI agent and a CRM, between a third-party integration and the customer database it was never supposed to touch. Whoever has the best view of that traffic has the best view of modern risk.

Wallarm has spent nine years building that view. The Series C is not the story. The Series C is what the story made possible.

Closing Scene3 a.m., still quiet.

Back in that NOC. The dashboards are still green. The phone, mercifully, is still not ringing. Somewhere on a coffee table is a half-eaten sandwich and a Wallarm sticker stuck to a closed laptop. The customer's payments API, which moves several billion dollars a year, has just refused another 41,000 credential-stuffing attempts in the last hour. Nobody will mention it tomorrow.

That is the entire promise of an API security leader. Not a press release. A quiet morning.

The RolodexWhere to find Wallarm

Websitewallarm.com LinkedInlinkedin.com/company/wallarm Twitter / X@wallarm Facebookfacebook.com/wallarm GitHubgithub.com/wallarm YouTube - Demos & Interviewsyoutube.com/@wallarm Research Bloglab.wallarm.com Documentationdocs.wallarm.com Series C Press Release$55M Series C - July 2025 Emailin@wallarm.com