Castle (Winter 2016) - Startups.RIP

Overview

Castle is an active, developer-first fraud prevention platform founded in 2015 in Malmö, Sweden by Johan Brissmyr (CEO) and Sebastian Wallin (CTO). The company helps online businesses detect and block bots, account takeovers, fake accounts, and API abuse by analyzing hundreds of behavioral signals through machine learning. Castle entered Y Combinator's Winter 2016 batch, raised a $2M seed round from First Round Capital in late 2016, and closed a $9.2M Series A led by Index Ventures in February 2019. As of early 2026, Castle lists as active on its YC profile with approximately 42 employees and offices in San Francisco, Malmö, and Kraków. This report is a company profile, not a failure post-mortem — Castle shows no public signals of shutdown or distress. The core thesis of the company is that security responsibility should shift from end users to the businesses that serve them, with Castle providing the infrastructure to make that shift practical for any engineering team.

Founding Story

Castle's origin traces directly to a prior failure. In 2014, Johan Brissmyr co-founded Userbin, a consumer-facing authentication service for web applications. The product did not survive. Brissmyr later reflected on why: "The consumer authentication space is a difficult market to break into as there are many choices, including open-source options."^[1] Rather than abandoning the authentication problem entirely, Brissmyr extracted a more durable insight from the failure — the problem was not authentication itself, but who bore responsibility for it.

That reframe became Castle's founding thesis. In 2015, Brissmyr and his co-founder Sebastian Wallin, both engineers, started Castle in Malmö, Sweden.^[2] Wallin served as CTO while Brissmyr took the CEO role.^[3] Brissmyr also brought prior experience from SettleBox, a portable digital identity product for peer-to-peer marketplace transactions on platforms like Craigslist and eBay, giving him repeated exposure to identity and trust problems across different contexts.^[4] He holds a Master of Science in Computer Science from Lund University's Faculty of Engineering.^[5]

The founding vision was explicit about the responsibility shift. As Brissmyr wrote in 2019: "We started Castle because we wanted to figure out a way to shift security responsibility from end users to the companies who serve them."^[6] He described the early days in Sweden with characteristic directness: "In those early days as two engineers in Sweden, we recognized that there was an opportunity to turn every online company into a security guardian who could keep their users safe."^[7]

In early 2016, Brissmyr and Wallin relocated from Malmö to San Francisco to participate in Y Combinator's Winter 2016 batch.^[8] Castle presented at YC W16 Demo Day 1 in March 2016, receiving early press coverage from TechCrunch, which described it as "a drag-and-drop account takeover protection solution" for developers.

Castle YC TechCrunch article header image from March 2016 — TechCrunch covered Castle at YC W16 Demo Day in March 2016, describing it as 'a drag-and-drop account takeover protection solution' for developers.

The product positioning evolved from a broad "account protection" framing at launch into a more specific developer-first fraud prevention platform over the following years, but the core thesis — businesses as security guardians — remained consistent from founding through at least 2023.

Castle blog post by Johan Brissmyr announcing $9.2M Series A, February 2019 — Johan Brissmyr's personal blog post on the Castle blog announcing the Series A: 'In 2015, Sebastian and I created Castle with a simple vision...' — a rare first-person founder narrative.

Timeline

2014 — Johan Brissmyr co-founds Userbin, a consumer authentication service; the company fails due to market crowding and open-source competition, directly informing Castle's founding thesis^[9]
2015 — Castle is founded in Malmö, Sweden by Johan Brissmyr and Sebastian Wallin^[2]
January 26, 2016 — Castle launches on Product Hunt, receiving 369 upvotes and 34 comments; Justin Kan among notable commenters
March 2016 — Castle participates in Y Combinator Winter 2016 batch; founders relocate from Sweden to San Francisco; Castle presents at YC W16 Demo Day 1^[3]
November 2016 — Castle raises a $2M seed round led by First Round Capital, with F-Prime Capital and FundersClub participating^[10]
February 8, 2019 — Castle closes a $9.2M Series A led by Index Ventures; total confirmed public funding reaches $11.6M; angel investors include Zack Urlocker (Duo Security), René Bonvanie (Palo Alto Networks), and Olivier Pomel (Datadog)^[11]
February 12, 2019 — Index Ventures publishes Series A announcement; Shardul Shah joins Castle's board of directors^[12]
February 19, 2019 — Touch of Modern cited as a Castle customer in press coverage, providing the first named customer reference^[13]
September 17, 2019 — Castle launches "Industry-First Adaptive Authentication at the Edge to Protect Customer Accounts"^[14]
December 2019 — Castle has approximately 21 employees; research team analyzing malicious login attempts across 100M+ worldwide user accounts; offices in San Francisco, Malmö, and Kraków^[15]
May 2023 — Johan Brissmyr publishes blog content describing Castle as a "developer-first fraud prevention platform," confirming continued active operations^[16]
2025 — PitchBook reports Castle has 42 employees; YC lists company status as "Active"; castle.io website is operational^[17]

What They Built

Castle is a fraud prevention API that sits between a company's application and its users. When a user logs in, creates an account, or takes any sensitive action, Castle intercepts that event, analyzes it against hundreds of behavioral signals, and returns a risk score. The company that integrated Castle then decides what to do — allow the action, challenge the user with a step-up authentication request, or block it entirely.

The product is designed for engineering teams, not security analysts. Integration requires adding a few lines of code to an existing application. There is no dashboard that requires a dedicated security operator to monitor in real time. Instead, Castle's models run automatically and surface only the events that require attention.

Wayback Machine snapshot of castle.io homepage circa April 2016 — Archived snapshot of the Castle homepage from around the time of their YC W16 Demo Day launch and TechCrunch coverage in March–April 2016.

Signal collection. Castle tracks device fingerprints, keystroke dynamics, site browsing history, and hundreds of additional behavioral signals per user session.^[18] These signals are collected passively through a JavaScript snippet and a server-side SDK, meaning users experience no friction during normal interactions.

Risk scoring. Castle's machine learning models process those signals and return a numerical risk score between 0.0 and 1.0 for each user action.^[19] A score near 0.0 indicates low risk; a score near 1.0 indicates high likelihood of abuse. The integrating company sets thresholds that trigger different responses.

No security team required. A key architectural claim at the time of the Series A was that Castle's models are driven by end-user behavior and feedback exclusively, requiring no supervision from a dedicated security team.^[20] This lowered the adoption barrier for companies that lacked in-house security expertise — a deliberate positioning choice against enterprise-grade competitors that required significant configuration and ongoing tuning.

Product surface area. By 2025, Castle's product covered bot detection, account takeover (ATO) prevention, fake account detection, multi-accounting prevention, content abuse detection, SMS pumping protection, and API abuse protection.^[21] The expansion from a narrow ATO focus to a broader fraud prevention suite reflects the product's evolution over roughly a decade.

Wayback Machine snapshot of castle.io homepage circa February 2019 (Series A era) — Archived snapshot of the Castle homepage around the time of their $9.2M Series A announcement in February 2019, showing the evolved product positioning.

Adaptive Authentication at the Edge. In September 2019, Castle launched what it described as an industry-first capability: adaptive authentication processing at the network edge rather than in a centralized cloud.^[14] Edge processing reduces latency for authentication decisions, which matters for high-traffic consumer applications where even a 50-millisecond delay in login flows affects user experience.

What made it different. Most fraud prevention tools at the time were built for security teams — they required rule configuration, manual review queues, and ongoing tuning by specialists. Castle's developer-first approach meant that a backend engineer could integrate the product in an afternoon and have risk scoring running in production without involving a security analyst. The tradeoff was less customization in exchange for faster time-to-value.

Castle Product Hunt launch page — 'The easiest way to protect your users from getting hacked', 369 upvotes — Castle's Product Hunt launch on January 26, 2016 received 369 upvotes and 34 comments, with Justin Kan among the notable commenters.

Market Position

Target Customers

Castle's primary target is any company running a consumer-facing application that handles user accounts — eCommerce platforms, fintech apps, SaaS products, marketplaces, and gaming platforms. The developer-first positioning means the initial buyer is typically an engineering team or a technical founder, not a CISO or security team. Touch of Modern, a members-only eCommerce platform, was the only publicly named customer as of early 2019.^[13] The use case there was account takeover prevention — stopping fraudsters from accessing legitimate customer accounts to make unauthorized purchases.

The "no security team required" positioning suggests Castle was targeting mid-market companies that had outgrown basic authentication but lacked the resources to build or staff a dedicated fraud operations function. A Hacker News thread referencing Castle's customer base suggested marketing platforms were among its users, though that post was flagged and deleted, limiting the signal.

Castle.io's customers seem to include marketing platforms (deleted/flagged post)

Market Size

The fraud detection and prevention market was large and growing during Castle's formative years. Account takeover fraud specifically accelerated as credential stuffing attacks — automated attempts to log in using stolen username/password combinations from data breaches — became industrialized. By December 2019, Castle's own research infrastructure was analyzing malicious login attempts across more than 100 million worldwide user accounts,^[15] suggesting the scale of the problem Castle was positioned to address.

No market sizing figures appear in Castle's public communications. The angel investor syndicate assembled for the Series A — including the former COO of Duo Security, the CMO of Palo Alto Networks, and the CEO of Datadog^[11] — implies that sophisticated security-sector investors viewed the market as sufficiently large to justify institutional backing.

Competition

Castle's founding story contains an explicit competitive lesson. Brissmyr's prior company, Userbin, failed in part because the consumer authentication market was crowded with open-source alternatives.^[9] Castle's B2B positioning was a direct response to that lesson — by selling to businesses rather than developers building their own auth stacks, Castle avoided the open-source substitution problem.

The broader fraud prevention market included established players like Sift (formerly Sift Science), Kount, and Forter, as well as later entrants like Sardine. These companies generally targeted larger enterprises with more complex fraud operations needs. Castle's developer-first, low-configuration approach occupied a distinct positioning — faster to integrate, lower initial cost, but potentially less customizable for sophisticated fraud teams.

Index Ventures' Shardul Shah articulated the competitive angle at the Series A: "Security is the primary concern on everyone's mind today and the Castle team has figured out an approachable way to make the online world more secure for everyone."^[12] The word "approachable" is the key differentiator claim — Castle was betting that ease of adoption would win deals that more powerful but harder-to-deploy competitors would lose.

VentureBeat covered Castle's $9.2M Series A led by Index Ventures in February 2019, reporting on its AI-powered account takeover prevention platform.

Business Model

Castle operates as a B2B SaaS company selling API-based fraud prevention to companies that build consumer-facing applications. The product is delivered as an API with accompanying SDKs, meaning customers pay for access to Castle's risk scoring infrastructure rather than deploying software themselves.

No public pricing information is available. The developer-first positioning suggests a usage-based or tiered subscription model is likely — common for API-first security products — where pricing scales with the volume of events analyzed. This structure aligns incentives: Castle earns more as customers grow, and customers pay proportionally to the value they receive.

The angel investor composition at the Series A — executives from Duo Security, Palo Alto Networks, and Datadog — suggests Castle was deliberately building relationships with the enterprise security ecosystem, potentially positioning for upmarket expansion beyond the initial developer-first segment. Whether that expansion materialized is not documented in public sources. Total confirmed public funding reached $11.6M at the Series A,^[11] with database sources suggesting additional undisclosed rounds may have followed, including a possible Series C referenced on the CEO's LinkedIn profile.^[22]

Traction

Castle's publicly available traction data is limited but directionally positive across the metrics that exist.

Product Hunt validation. Castle's January 2016 Product Hunt launch generated 369 upvotes and 34 comments, with Y Combinator co-founder Justin Kan among the commenters. For a developer-tools product launching before YC Demo Day, this represented meaningful early community interest.

Platform scale. By December 2019, Castle's research team was analyzing malicious login attempts across more than 100 million worldwide user accounts.^[15] This figure reflects the aggregate user base of Castle's customers rather than Castle's own user count, but it indicates the product was deployed at meaningful scale across multiple enterprise or mid-market customers.

Headcount growth. Castle had approximately 21 employees in December 2019.^[23] PitchBook reported approximately 42 employees as of 2025.^[17] Doubling headcount over roughly six years is modest growth, but it indicates the company sustained operations and continued hiring through a period that included the COVID-19 pandemic and a broader tech downturn.

Geographic expansion. The addition of a Kraków, Poland office by late 2019 — alongside the original Malmö and San Francisco locations^[15] — suggests Castle built an international engineering capacity, likely for cost efficiency while maintaining a US commercial presence.

No ARR, MRR, customer count, or churn data is available in any public source.

Key Lessons

Failure in an adjacent market can be the most valuable research for a new company. Brissmyr's experience with Userbin taught him specifically that the consumer authentication market was structurally difficult due to open-source competition.^[9] Rather than abandoning the domain, he used that failure to identify a B2B positioning that avoided the same substitution risk. Founders with prior startup experience in adjacent markets often have a more precise understanding of where the real opportunity lies than first-time founders entering cold.
Developer-first positioning is a go-to-market strategy, not just a product philosophy. Castle's "no security team required" claim was not just a feature — it was a sales motion. By making the initial buyer an engineer rather than a CISO, Castle could close deals faster and at lower contract values, building a customer base before attempting upmarket expansion. This approach trades revenue per customer for speed of adoption, which works best when the market is large enough to support volume.
Angel investor composition signals strategic intent. Castle's Series A angel syndicate — the former COO of Duo Security, the CMO of Palo Alto Networks, and the CEO of Datadog^[11] — was not assembled for capital. These individuals brought credibility, customer introductions, and enterprise security ecosystem access. For B2B security startups, the right angels can function as a distribution channel and a signal to enterprise buyers that the product is credible.
Undisclosed funding rounds are a meaningful signal in B2B SaaS. The gap between Castle's confirmed $11.6M in public funding and PitchBook's reported $18.2M,^[24] combined with the CEO's LinkedIn reference to a Series C, suggests Castle raised additional capital without public announcement. B2B security companies sometimes avoid publicizing rounds to limit competitive intelligence. Analysts tracking private companies should treat database figures as floors, not ceilings.
Longevity without public milestones is itself a signal. Castle has operated for over a decade, raised multiple rounds, doubled its headcount, and expanded internationally — all without generating significant press coverage after 2019. In a sector where many fraud prevention startups either scaled rapidly to acquisition or failed quietly, Castle's sustained operation at modest scale suggests a viable but not hypergrowth business. Not every successful startup becomes a unicorn; some build durable, profitable businesses that simply do not generate headlines.

Sources