Cybersecurity may not be flashy, but it’s one of the most important building blocks of our digital economy, with the global cost of online crime set to hit $10.5tn in 2025, up from $3tn in 2015. It’s also an industry that needs a paradigm shift to keep pace with the realities of modern web development.

The way that security has traditionally worked is to essentially put up a wall in front of your application that filters out malicious activity from legitimate use. Cracking this problem has created huge companies like Cloudflare, which at the time of writing has a market cap of $78bn.

But developers today are building in a very different world to the one in which Cloudflare was founded back in 2009, for two big reasons.

The first is the rise of “serverless” architectures in web development: where code is decreasingly deployed on central servers, and increasingly running at the edge, closer to the end customer, meaning you can’t just put up a single ring of security around an app. The second is the rise of AI, which is creating a whole new category of threats to businesses.

Arcjet has created a solution to these modern threats, with a new approach to security that lets developers embed protections directly into their code, rather than retroactively putting up walls around their apps.

The company, led by a repeat founder who has a proven track record building traction with the developer community, has quickly acquired thousands of customers and is aiming to become the next Cloudflare for this new era of cybersecurity.

Beyond the walled castle

Keeping web applications safe in the serverless era requires a fundamental reset in how companies approach cybersecurity.

Previously, apps running on centralised servers could be protected like gold in a medieval castle, where strong walls would keep attackers out. But that model isn’t enough when your economy becomes more distributed and you want to send trading caravans out into the world: now you need armed guards to protect your resources, that can respond to different threats as they arise.

Until now, there hasn’t been a simple way of providing that kind of robust, context-aware security for distributed apps running outside of centralised servers, and security teams have had to spend time creating their own, sometimes imperfect, protections around products running closer to the user. Arcjet’s technology removes the need for this resource-intensive process, allowing dev teams to protect every app they have running on the edge by simply adding in a few lines of code, without having to build bespoke solutions in-house.

This in-code integration means that security rules can be dynamically adjusted at runtime based on metadata like user session or pricing plan, giving the protection better awareness of the context the application is running in, compared to existing solutions. This leads to less false positives and more customisable controls for developers looking to protect serverless applications.

A new era of AI threats

Another big reason that Arcjet can become a huge company in today’s web development environment comes down to an expensive potential vulnerability for anyone building agentic AI tools and products that allow users to interact with chatbots. These businesses now need to think about a new highly valuable resource that needs protection: the tokens that you spend by making calls to models from the likes of OpenAI, Google and Anthropic.

Attackers can cost companies huge sums of money by making high-volume calls to these models, something we’ve already seen with cases like one founder seeing their token bill skyrocket 20x due to malicious use.

Arcjet lets developers dynamically throttle those costly requests to make sure they aren’t being abused, letting businesses protect what have become crown jewels in the AI company building stack.

Other threats caused by AI and bots include aggressive web scraping, where automated crawlers can cost companies thousands in bandwidth expenses, and attacks where ecommerce players use bots on competitors’ sites to hold inventory in baskets, so that products appear out of stock for real users.

Arcjet lets developers protect against all of these threats with a single solution wherever they deploy their applications, meaning that they don’t need to constantly worry about new attack vectors that could hurt their reputation and bottom line.

By a developer, for developers

The elegance and simplicity of this security solution are a product of Arcjet CEO and founder David Mytton being a developer with a deep conviction as to how better software can improve product engineering.

David writes the devtools newsletter Console, which reaches more than 30k subscribers every week, showing that he understands his customer base and knows how to unpack complex product information in a way that’s useful and digestible for developers.

He also understands how to scale and exit a software company, having founded SaaS infrastructure monitoring platform Server Density in 2009, which he sold to US cybersecurity company StackPath nine years later.

All of this experience and customer understanding have helped Arcjet rapidly build traction, with the company currently signing up several thousand users a month. Originally from the UK and living in London for the last fifteen years, David is now showing his personal commitment to this mission, relocating to the US to place Arcjet at the centre of its largest addressable market.

He is exactly the kind of European founder we like to back at Plural, one with the ambition to build a global company solving a real problem in a massive industry, with the scar tissue and talent to make it happen.

This article was co-authored with Ott Kaukver, former CTO of Twilio and Checkout.com, who co-led this round.