Investing in Traceable to Protect Enterprises from Advanced API Attacks

Matt Carbonara

Head of Enterprise Tech Investing, Citi Ventures

Blaze O’Byrne

Senior Vice President, Citi Ventures

Nick Sands

Senior Vice President, Citi Ventures

Max R. Mailman

Assistant Vice President, Citi Ventures

Company logo

As enterprises seek to become more agile and resilient through digital transformation, they are increasingly adopting microservices at the core of their operations. Microservices' modular and granular structure, which breaks an application into discrete parts that communicate with one another through APIs, allows for improved scalability, composability and performance.

However, this mass adoption is also contributing to significant “API sprawl” within organizations, leaving many APIs unmanaged and exposed for data breaches. And threat actors are taking notice: in a 2023 survey of over 1600 large organizations around the world, 60% reported experiencing at least one API-related data breach within the past two years (with 74% of those experiencing three or more breaches).

The rise in these attacks is prompting a surge in interest among enterprise security leaders in solutions that provide visibility into and secure their organizations' API inventories. Of all the current API security solutions, we believe Traceable stands above the rest.

Founded in 2018, Traceable's API security platform is purpose-built for modern API-first application architectures, which generate massive quantities of data and are often deployed across both on-premises and cloud resources. Through innovative data collection and stitching, eBPF agents and advanced context-based analysis, Traceable delivers best-in-class visibility throughout an enterprise's microservices environment — providing 360-degree clarity before, during and after a threat event. Traceable's platform has four modules that work together to provide this comprehensive solution:

  1. API Discovery and Posture Management: Traceable’s API catalog automatically and continuously discovers and inventories every API in an organization — including internal, private, public, and partner or third-party APIs. Traceable also provides a detailed security posture analysis and risk score for each API, allowing security teams to understand which APIs are most vulnerable to attack and abuse. The company’s risk scoring takes into account the API’s context, including its ease of discovery, its exploitability and the sensitivity of the data that passes through it.
  2. Attack Protection: Using its contextual analysis of APIs and complete understanding of the interconnectivity between API activity, user activity, data flow and code execution, Traceable can automatically detect and block API attacks (both known and unknown), business logic abuse attacks, and API fraud and abuse, as well as the exfiltration of sensitive data from enterprise production environments.
  3. Threat Detection and Analytics: Traceable's OmniTrace™ Engine provides highly detailed, context-based analytics that empower security teams to proactively hunt for threats and potential vulnerabilities within a microservices ecosystem. It also enables detailed postmortem review of any API security event and simplifies audits and compliance reporting.
  4. API Security Testing:Traceable enables shift-left security by helping developers build APIs securely from the start, test them for common exposures and vulnerabilities, and remediate any flaws before deployment.

Traceable's comprehensive, context-aware approach is key to meeting the needs of large enterprises amid the ongoing, widespread shift to cloud. Enterprise API security tools require flexible deployments across environments (cloud vs. on-premises), operating system types (Linux, Windows or Mac) and ways the API is monitored (agentless vs. agents) — Traceable customers universally told us that the company has built a best-in-class solution with this exact flexibility in mind. This product-market fit positions Traceable extremely well for meaningful growth and expansion of its product suite as the API security market grows.

On that note: Traceable also recently introduced API security capabilities for generative AI, becoming the first and only API security platform to provide end-to-end protection for the APIs that connect large language models (LLMs) to the people and applications that use them. These new capabilities will help Traceable address the urgent cybersecurity challenges that are arising as enterprises begin to integrate LLMs into critical applications, such as prompt injection, insecure outputs and sensitive data disclosure.

Traceable’s market-leading innovation comes as little surprise given its co-founders Jyoti Bansal (CEO) and Sanjay Nagaraj (CTO)’s experience building large businesses such as AppDynamics, an application performance management tool acquired by Cisco for $3.7 billion in 2017. Having invested in Jyoti’s other startup, Harness — a DevOps platform valued at close to $4 billion — in 2021, and having since partnered with him on commercializing Harness’s solution within Citi, we have supreme confidence in his product vision and company leadership.

Given Traceable's ability to secure APIs at enterprise scale, growing traction with large organizations and founding team with decades of experience in enterprise tech, we're immensely pleased to announce our investment in Traceable, joining existing investors IVP, Tiger Global, Unusual Ventures and Geodesic Capital. We look forward to deepening our partnership with Jyoti and Sanjay, and to supporting the critical effort to secure every API within every enterprise around the world.

For more information, email Blaze O’Byrne at, Nick Sands at or Max Mailman at

To see Citi Ventures’ full portfolio of companies, click here.