Business Logic Security Testing for Developers & Security Teams

Find and fix business logic vulnerabilities in your applications in CI/CD before production — powered by Escape’s industry-leading API security intelligence.

Team Size: 6
Location: Paris, France
Group Partner: Nicolas Dessaigne

Active Founders

Antoine Carossio

🇫🇷 • Engineer • UC Berkeley • Apple


Company Launches

tl;dr: Securing GraphQL is hard. Escape makes it easy for developers to build secure and reliable GraphQL APIs. You can test it for free and get your results in seconds using this link: https://app.escape.tech/ycw23

Hello everyone, we are Antoine and Tristan, the founding team behind Escape.

🧠 Tristan (left) previously worked as a GraphQL developer and experienced first-hand the need for better tooling in this ecosystem. 💪 Antoine (right) previously worked as a security engineer for the French government and Apple 🍎, which set him on the path of helping developers secure their code.

🛡 Why are we building Escape?

GraphQL has seen exponential growth in the past years and is now used by 20% of all developers. Companies like Paypal, Walmart, Twitter, and Airbnb are now all relying on GraphQL APIs for their core businesses.

Yet, we observed that most GraphQL APIs that exist today, roughly 95% of them, are seriously vulnerable to cyberattacks.

The reason is simple: GraphQL has an entirely different structure than traditional APIs like REST.

Existing security tools do not support it, leaving GraphQL developers and organizations completely blind to the security of what they release and putting their business at risk.

🎯 Our solution

We aimed to build the GraphQL Security Testing tool that devs would love. As developers ourselves, we think such a tool would

  • be fast to run in CI/CD
  • be super easy to set up and maintain
  • give relevant results

Existing tools fail at the last of these because they rely on brute-forcing API requests. As a result, most of their requests are rejected at the validation layer and never exercise the application code behind it.

At Escape, we developed a new approach called feedback-driven API exploration. We crafted a graph traversal algorithm that learns from the API's responses how to generate requests that actually make sense from a business standpoint.

Requests generated by bruteforce (left) vs. Escape’s feedback-driven exploration (right)

Using this technique, we are able to pass the validation layer and test the code of the application at a deeper level than previous solutions. So far, we have achieved more than 80% coverage in most applications without fine-tuning.
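As an added illustration (not Escape's code and not its actual algorithm), the toy Python below contrasts the two strategies on a constructed schema and in-memory resolver: brute force guesses argument values and is stopped by validation, while a feedback-driven walk harvests IDs from earlier responses and reuses them to reach fields it could not otherwise call.

```python
# Added illustration of feedback-driven request generation for a GraphQL-style API.
# The schema, data and resolver are constructed stand-ins, not a real endpoint.
from collections import defaultdict

# Constructed schema: root field -> (argument ID type or None, returned object type)
SCHEMA = {
    "users": (None, "User"),
    "user": ("UserID", "User"),
    "ordersForUser": ("UserID", "Order"),
    "order": ("OrderID", "Order"),
}
# Constructed backing data, keyed by the opaque ID type each field expects
DATA = {
    "UserID": {"u_7f3a": {"id": "u_7f3a", "orders": ["o_91c2"]}},
    "OrderID": {"o_91c2": {"id": "o_91c2", "total": 42}},
}

def resolve(field, arg=None):
    """Toy resolver: a validation error unless the argument is a known ID."""
    arg_type, _ = SCHEMA[field]
    if arg_type is None:
        return {"data": list(DATA["UserID"].values())}
    if arg not in DATA[arg_type]:
        return {"errors": [f"invalid {arg_type}"]}      # stopped at validation
    if field == "ordersForUser":
        return {"data": [DATA["OrderID"][o] for o in DATA["UserID"][arg]["orders"]]}
    return {"data": [DATA[arg_type][arg]]}

def brute_force(guesses):
    """Baseline: fire guessed IDs at every field; count requests that reach code."""
    reached = 0
    for field, (arg_type, _) in SCHEMA.items():
        for g in ([None] if arg_type is None else guesses):
            reached += "data" in resolve(field, g)
    return reached

def feedback_driven():
    """Walk the schema, learning argument values from each response."""
    seen = defaultdict(set)                      # ID type -> values observed so far
    pending = [f for f, (a, _) in SCHEMA.items() if a is None]
    reached, done = 0, set()
    while pending:
        field = pending.pop()
        arg_type, obj_type = SCHEMA[field]
        for arg in ([None] if arg_type is None else sorted(seen[arg_type])):
            resp = resolve(field, arg)
            if "data" not in resp:
                continue
            reached += 1
            for obj in resp["data"]:
                seen[f"{obj_type}ID"].add(obj["id"])  # feedback: reuse returned IDs
        done.add(field)
        pending += [f for f, (a, _) in SCHEMA.items()   # now-callable fields
                    if f not in done and f not in pending and a in seen]
    return reached
```

On this constructed schema the brute-force pass only ever gets through the argument-free root field, while the feedback-driven walk reaches all four.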

🚀 Let us assess the security of your GraphQL API for free in seconds

In only 6 months, we partnered with Snyk and Postman, got into the GraphQL foundation, and worked with companies like Neo4j and ArangoDB.

👉 If you are using GraphQL yourself, you are welcome to try our platform and get your application's security report for free, as we have unlocked all the features for the YC community! Start here: https://app.escape.tech/ycw23

Company Photo