Raven.io Raises $20M in Seed Round Led by UpWest Labs

Today we are announcing that Raven.io has raised $20M in a seed round led by UpWest Labs, with participation from several strategic angel investors across the cybersecurity ecosystem. This funding will accelerate our mission to make runtime application protection the default security layer for every production application.

Why Runtime Protection Matters Now

The application security landscape has fundamentally shifted over the past five years. Organizations deploy code faster than ever — multiple times per day in many cases — and the attack surface grows with every deployment. Traditional perimeter defenses like web application firewalls (WAFs) were designed for a world where applications changed slowly and network boundaries were clear. That world no longer exists.

Modern applications are distributed across microservices, containers, serverless functions, and third-party APIs. A single HTTP request might traverse dozens of services before completing. WAFs inspect traffic at the edge, but they have no visibility into what happens after the request enters the application. SQL injection payloads that are stored and executed later, server-side request forgery (SSRF) attacks that pivot through internal services, and deserialization exploits that trigger deep inside the application runtime — these all bypass perimeter controls entirely.

Runtime Application Self-Protection (RASP) addresses this gap by embedding security instrumentation directly into the application process. Instead of guessing whether a request is malicious based on its HTTP payload, RASP agents observe actual function calls, database queries, file system operations, and network connections. They see what the application is actually doing, not just what it was asked to do.

What We Have Built So Far

Raven.io started with a simple thesis: if you can instrument an application well enough to profile it, you can protect it without signatures. Our platform works in three phases:

Phase 1: Instrumentation. The Raven.io agent attaches to the application runtime — currently supporting Java, Node.js, Python, .NET, and Go — and hooks into critical functions: database drivers, HTTP clients, file I/O, process execution, and cryptographic operations. The agent adds less than 3 milliseconds of latency per request on average, which we have validated across thousands of production deployments during our beta program.

Phase 2: Behavioral Baselining. During a 48-hour learning period, the agent observes normal application behavior and builds a model of expected patterns. Which SQL queries does this endpoint execute? What IP ranges does this service connect to? Which file paths are accessed during normal operation? This baseline is unique to each application instance and adapts as the application evolves.

Phase 3: Detection and Response. Once the baseline is established, the agent compares every operation against the learned model. Deviations trigger configurable responses: alert-only mode for initial deployments, or active blocking for production environments. All events are structured in OCSF format and ship to the customer's SIEM platform — Splunk, Datadog, Elastic, or any compatible receiver.
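The three phases above can be shown on one operation type, SQL queries. This is an added sketch of the general learn-then-enforce pattern, not Raven.io's agent code; `QueryBaseline`, `instrument`, `query_shape` and the `/orders` traffic are hypothetical names and constructed data.

```python
import re

# Literals become "?" so queries that differ only in values share one shape.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def query_shape(sql):
    """Reduce a statement to its structure: literals out, whitespace and case folded."""
    return _SPACE.sub(" ", _LITERAL.sub("?", sql)).strip().lower()

class BlockedOperation(Exception):
    """Raised in block mode when an operation falls outside the baseline."""

class QueryBaseline:
    """Per-endpoint set of query shapes: learned first, then enforced."""
    def __init__(self, mode="alert"):
        self.learning = True   # Phase 2: record every shape seen
        self.mode = mode       # Phase 3 response: "alert" or "block"
        self.shapes = {}       # endpoint -> shapes seen while learning
        self.events = []       # deviations, in detection order

    def observe(self, endpoint, sql):
        """Called by the hook before the query runs; True means in baseline."""
        shape = query_shape(sql)
        if self.learning:
            self.shapes.setdefault(endpoint, set()).add(shape)
            return True
        if shape in self.shapes.get(endpoint, set()):
            return True
        self.events.append({"endpoint": endpoint, "shape": shape, "action": self.mode})
        if self.mode == "block":
            raise BlockedOperation(f"{endpoint}: query shape not in baseline")
        return False

def instrument(execute, baseline):
    """Phase 1: wrap a driver's execute(endpoint, sql) so each call is observed."""
    def hooked(endpoint, sql):
        baseline.observe(endpoint, sql)
        return execute(endpoint, sql)
    return hooked

def demo(mode):
    # Constructed sample traffic; the stub driver just returns "ok".
    baseline = QueryBaseline(mode)
    run = instrument(lambda endpoint, sql: "ok", baseline)
    run("/orders", "SELECT * FROM orders WHERE user_id = 42")        # learning
    baseline.learning = False
    run("/orders", "SELECT * FROM orders WHERE user_id = 7")         # same shape
    run("/orders", "SELECT * FROM orders WHERE user_id = 7 OR 1=1")  # new shape
    return baseline.events
```

In alert mode the deviating query still executes and is only recorded; in block mode the hook raises before the driver is called. A shape seen for the first time after the learning window is flagged the same way, which is why a short window produces false positives.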

Early Traction and Validation

During our private beta, we deployed Raven.io agents across 47 organizations ranging from Series A startups to Fortune 500 enterprises. The results validated our approach:

  • 142 zero-day exploitation attempts blocked that would not have been detected by WAF rules alone. These included novel deserialization gadget chains, SSRF pivots targeting cloud metadata services, and second-order SQL injection attacks.
  • 99.7% detection accuracy after the 48-hour baselining period, with a false positive rate below 0.3%. Most false positives occurred during the first deployment and were resolved by extending the learning window.
  • Sub-3ms latency overhead measured at the p99 level across all supported runtimes. Java applications showed the lowest overhead at 1.8ms average, while Python applications averaged 2.7ms due to interpreter instrumentation complexity.
  • Average deployment time of 4.5 minutes for containerized workloads using our Kubernetes operator, and 8 minutes for traditional VM deployments using our installation script.

One of our beta customers, a fintech company processing over $2 billion in annual transaction volume, deployed Raven.io after experiencing a second-order SQL injection attack that their WAF and SAST tools both missed. Within the first week of deployment, the Raven.io agent identified three additional attack vectors in their codebase that had not been detected by any other tool in their security stack.

How We Will Use the Funding

The $20M seed round will be deployed across three primary areas:

Engineering expansion. We are doubling our engineering team from 12 to 24 over the next 12 months. Key hires include runtime engineers with expertise in JVM internals, V8 engine instrumentation, and eBPF for kernel-level visibility. We are also building out our machine learning team to improve behavioral model accuracy and reduce the baselining period from 48 hours to under 12 hours.

Platform capabilities. Our roadmap includes support for additional runtimes (Rust and PHP are next), a cloud-native management console for fleet-wide policy management, and automated response playbooks that integrate with SOAR platforms. We are also investing in API security monitoring — using the same runtime instrumentation to detect business logic abuse, broken authentication, and excessive data exposure.

Go-to-market. We are establishing a direct sales team focused on mid-market and enterprise accounts in the financial services, healthcare, and technology sectors. These industries face the most stringent compliance requirements and have the most sophisticated threat landscapes. We are also building a partner program for managed security service providers (MSSPs) who want to offer RASP as part of their managed detection and response (MDR) services.

Why UpWest Labs

UpWest Labs has a strong track record of backing Israeli founders who are building enterprise technology companies in the US market. Their portfolio includes several successful cybersecurity companies, and their operational expertise in go-to-market strategy for US enterprise sales was a key factor in our decision to partner with them.

Gil Ben-Artzy, General Partner at UpWest Labs, commented on the investment: "Runtime protection is the logical evolution of application security. As organizations move to shift-left security, they need a complementary shift-right capability that protects applications in production. Raven.io's approach to behavioral baselining eliminates the signature maintenance burden that has plagued previous RASP solutions."

What Comes Next

We are opening our platform for general availability starting in Q2 2025. Organizations can sign up for a free pilot deployment that includes up to 10 application instances for 30 days. The pilot includes full access to the detection engine, behavioral baselining, and SIEM integration.

For organizations that want to evaluate Raven.io in a controlled environment before deploying to production, we offer a sandbox testing mode that replays recorded traffic through the agent without affecting live systems. This allows security teams to validate detection coverage against known attack scenarios before committing to a production deployment.

We believe that runtime protection should be as standard as TLS encryption. Every application that handles sensitive data — and in 2025, that is nearly every application — deserves security instrumentation that watches what actually happens inside the process, not just what crosses the network boundary.

If you are interested in learning more about Raven.io, visit our product page or request a demo directly from our team.
