Castle is an active, San Francisco-based fraud prevention and bot detection company founded in 2015 by Swedish entrepreneurs Johan Brissmyr and Sebastian Wallin. The company emerged from Y Combinator's Winter 2016 batch with a developer-first approach to account security: a single JavaScript snippet that builds behavioral profiles for every user, flagging suspicious activity before accounts are compromised. Unlike traditional security tools that burden end users with CAPTCHAs and friction, Castle routes that responsibility to the businesses serving those users. The company raised a $2M seed round in 2016 and a $9.2M Series A led by Index Ventures in 2019, and has since expanded its product from account takeover prevention into a broader fraud prevention platform covering bots, SMS pumping, API abuse, and multi-accounting. Castle remains active as of February 2026. This report covers the company's founding, product evolution, traction, and market position — it is not a post-mortem.
Johan Brissmyr and Sebastian Wallin both grew up in Malmö, Sweden, a mid-sized city in the country's south that has produced a disproportionate number of European tech founders. Brissmyr holds a Master of Science in Computer Science from Lund University's Faculty of Engineering.[1] Before Castle, he co-founded two earlier ventures: Popdevelop, a software development company, and SettleBox, a portable digital identity product for online marketplaces.[2] Neither became a breakout company, but they gave Brissmyr hands-on experience with the authentication and identity problems that plague consumer-facing applications.
The direct predecessor to Castle was Userbin, which Brissmyr co-founded in 2014. Userbin was an authentication service built for consumer apps — essentially a drop-in login layer that developers could integrate without building their own auth stack.[3] The product was technically sound but commercially difficult. "The consumer authentication space is a difficult market to break into as there are many choices, including open-source options," Brissmyr later said.[4] Userbin did not succeed as a company.
The failure of Userbin produced a specific insight: authentication infrastructure is a commodity, but the problem of what happens after login — detecting whether the person who just authenticated is actually who they claim to be — remained largely unsolved for most businesses. Account takeovers, credential stuffing attacks, and fake account creation were growing problems, and most companies lacked the engineering resources to build behavioral detection systems in-house.
In 2015, Brissmyr and Wallin founded Castle in Malmö to address that gap directly. Their founding vision was explicit about shifting responsibility: "We started Castle because we wanted to figure out a way to shift security responsibility from end users to the companies who serve them," Brissmyr explained at the Series A announcement.[5]
The founders applied to Y Combinator and were accepted into the Winter 2016 batch. In early 2016, they relocated from Sweden to the Bay Area to participate.[6] The move was a significant commitment — leaving an established life in Malmö for a three-month accelerator program in a city where they had no existing network. The bet paid off: YC provided both the capital and the credibility to attract Castle's first institutional investors.
2014 — Johan Brissmyr co-founds Userbin, an authentication service for consumer apps; the company fails to gain commercial traction in a market crowded with open-source alternatives[3]
2015 — Castle founded in Malmö, Sweden by Johan Brissmyr (CEO) and Sebastian Wallin (CTO)[7]
January 2016 — Castle accepted into Y Combinator Winter 2016 batch; founders relocate from Sweden to the Bay Area[6]
January 26, 2016 — Castle launches on Product Hunt, receiving 369 upvotes; positioned as "bank-level security for developers"
March 22, 2016 — YC W16 Demo Day: Castle reports 150 deployments, 400,000 protected users, and 35% week-over-week growth[8]
November 9, 2016 — Castle raises a $2M seed round led by First Round Capital, with participation from F-Prime Capital and FundersClub[9]
November 2016 — Approximately six months post-YC graduation: Castle has scaled to hundreds of applications, 15 million protected users, and 250,000+ mitigated accounts; Rue La La named as a customer[10]
February 12–13, 2019 — Castle raises a $9.2M Series A led by Index Ventures; Shardul Shah joins the board; angel investors include executives from Duo Security, Palo Alto Networks, and Datadog[11]
September 17, 2019 — Castle unveils "Adaptive Authentication at the Edge" product[12]
December 2019 — Castle has 21 employees across San Francisco, Sweden, and Poland[13]
2020 — Castle recognized as a Bay Area Best Places to Work winner by the SF Business Times and Silicon Valley Business Journal[14]
Post-2019 — Jim Gochee joins as COO; Castle expands product suite into bot detection, SMS pumping protection, and API abuse prevention[15]
February 2026 — Castle listed as "Active" on YC's company directory; founder LinkedIn references a Series C milestone (details unconfirmed)[16]
Castle's core product is a behavioral fraud prevention platform designed to be integrated by developers in minutes rather than months. The fundamental problem it addresses is the gap between authentication and trust: a user can log in with valid credentials that were stolen in a data breach, and most applications have no way to detect that the session is fraudulent.
Initial Integration and Behavioral Profiling
Castle's initial integration required developers to drop a single JavaScript snippet into their website's header.[17] From that point forward, Castle builds a behavioral profile for each individual user — tracking device fingerprint, keystroke patterns, site browsing history, and hundreds of additional signals.[18] The system learns what "normal" looks like for each specific user, not just for users in aggregate. When a login or account action deviates from that established baseline — a new device, an unusual location, atypical navigation patterns — Castle flags it.
Risk is categorized into three tiers: unusual, suspicious, and malicious.[19] This tiered output gives developers actionable signal rather than a raw probability score that requires interpretation. A "malicious" flag might trigger an automatic block; a "suspicious" flag might prompt a step-up authentication challenge; an "unusual" flag might simply be logged for review.
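An added example, not Castle's code or API: a minimal per-user baseline that scores a login against that user's own history and maps the result to the three tiers and the responses described above. The signals, weights, thresholds, the `ok` tier and the sample history are assumptions made for illustration.

```python
from collections import defaultdict

# Tier -> response, following the page's examples; "ok" (no deviation) is added here.
ACTIONS = {"ok": "allow", "unusual": "log_for_review",
           "suspicious": "step_up_auth", "malicious": "block"}
WEIGHTS = {"device": 2, "country": 2, "hour": 1}   # hypothetical weights
MIN_HISTORY = 3   # hypothetical: fewer past logins than this means no baseline yet

# Constructed sample history of trusted logins (not real data).
HISTORY = (
    [("alice", {"device": "dev-a1", "country": "SE", "hour": h}) for h in (8, 9, 10)]
    + [("bob", {"device": "dev-b1", "country": "US", "hour": h}) for h in (20, 21, 22)]
)


def build_profiles(history):
    """Per-user baseline: the set of values seen for each signal, plus a login count."""
    profiles = defaultdict(lambda: {"device": set(), "country": set(), "hour": set(), "n": 0})
    for user, event in history:
        for signal in WEIGHTS:
            profiles[user][signal].add(event[signal])
        profiles[user]["n"] += 1
    return profiles


def deviations(profile, event):
    """Signals on which the event departs from this user's own history."""
    if profile["n"] < MIN_HISTORY:     # cold start: nothing to deviate from
        return []
    out = [s for s in ("device", "country") if event[s] not in profile[s]]
    # Circular distance (hours) to the nearest hour this user has logged in at.
    nearest = min(min((event["hour"] - h) % 24, (h - event["hour"]) % 24)
                  for h in profile["hour"])
    if nearest > 3:
        out.append("hour")
    return out


def assess(profiles, user, event):
    """Return (tier, action, signals) for one login event."""
    signals = deviations(profiles[user], event)
    score = sum(WEIGHTS[s] for s in signals)
    tier = ("malicious" if score >= 5 else "suspicious" if score >= 3
            else "unusual" if score >= 1 else "ok")
    return tier, ACTIONS[tier], signals


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    same_event = {"device": "dev-a1", "country": "SE", "hour": 9}
    for user in ("alice", "bob", "carol"):
        print(user, assess(profiles, user, same_event))
```

The same event is clean for alice and blocked for bob, which is the difference between a per-user baseline and a population-level rule; carol has no history, so nothing is flagged until a baseline exists.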
The technical infrastructure reflects the data intensity of this approach. Castle runs on AWS and uses Apache Kafka for real-time event streaming, Apache Spark for large-scale data processing, and DynamoDB for low-latency profile lookups.[20] This stack allows Castle to process behavioral signals at the speed of user interactions — a requirement for fraud detection that must operate in real time without adding perceptible latency to the user experience.
Developer-First Positioning
The single-snippet integration was a deliberate go-to-market choice. By minimizing the engineering effort required to get started, Castle could be adopted by a developer in an afternoon without requiring a security team, a procurement process, or an enterprise sales cycle. This mirrors the distribution strategies used by Stripe (payment APIs), Twilio (communications APIs), and Datadog (infrastructure monitoring) — all of which grew by making complex infrastructure accessible to individual developers. The Datadog CEO's participation as an angel investor in Castle's Series A is a notable signal of this parallel.[11]
Product Evolution
Castle's product expanded significantly beyond its initial account takeover focus. The platform grew to include bot detection, multi-accounting prevention (identifying users who create multiple accounts to abuse promotions or evade bans), SMS pumping protection (a fraud type where attackers trigger mass SMS sends to generate carrier revenue), content abuse detection, transaction abuse prevention, and API abuse protection.[21]
In September 2019, Castle launched "Adaptive Authentication at the Edge," a product that moves authentication decisions closer to the network edge to reduce latency.[12] Castle also launched "Identity-Aware Bot Detection," described as an industry-first product that links bot activity to specific user identities rather than treating bot detection as a purely network-level problem.[22] This identity-aware approach is a meaningful technical differentiator: most bot detection systems operate at the IP or session level, while Castle's approach can identify when a known user account is being operated by automated tooling.
Castle targets consumer-facing online businesses — companies that have large numbers of registered user accounts and face meaningful fraud risk from account takeovers, fake account creation, or automated abuse. Early customers included e-commerce platforms like Rue La La.[10] The developer-first integration model suggests an initial focus on companies with in-house engineering teams capable of implementing an API-based security tool — typically mid-market SaaS companies, e-commerce platforms, fintech applications, and consumer marketplaces.
The product's expansion into SMS pumping protection and API abuse suggests Castle has followed its customers into adjacent fraud problems as those customers scaled. The HN discussion thread referencing Castle's customer base in marketing platforms indicates the product has found adoption across a broader range of verticals than pure e-commerce.
Brissmyr framed the target customer in terms of their users' experience: "We want to flip that responsibility to businesses and empower every one of them to offer bank-grade account security without compromising user experience."[23] This framing positions Castle as a tool for any business that cannot afford to build a dedicated fraud team but needs enterprise-grade fraud prevention.
The fraud detection and prevention market is large and growing. Account takeover fraud specifically has expanded as credential stuffing attacks — automated attempts to use username/password combinations leaked from data breaches — have become industrialized. The scale of the problem is reflected in Castle's early traction: 250,000 mitigated accounts across 15 million protected users within six months of graduating YC.[10]
The expansion of Castle's product into bot detection, SMS pumping, and API abuse reflects the broadening of the addressable market. SMS pumping fraud alone has become a significant cost center for companies that use SMS-based authentication — attackers trigger mass OTP sends to phone numbers they control, generating carrier revenue at the victim company's expense. By building protection against this attack type, Castle expanded its addressable market beyond account security into a broader fraud operations category.
The angel investor roster from the Series A provides indirect market validation. Zack Urlocker (former COO at Duo Security, an identity security company acquired by Cisco for $2.35 billion), René Bonvanie (CMO at Palo Alto Networks), and Olivier Pomel (CEO at Datadog) all invested personal capital — a signal that domain experts with direct knowledge of the security and developer tools markets believed Castle's approach was commercially viable.[11]
Castle operates in a competitive market that includes both established fraud prevention vendors and newer entrants. The space includes companies like Sift (account fraud and content abuse), Kount (transaction fraud), Sardine (fintech fraud), and Arkose Labs (bot mitigation and account security). Larger security vendors like Cloudflare and Akamai offer bot management products at the network layer.
Castle's differentiation from these alternatives rests on two claims. First, its behavioral profiling is per-user rather than population-level — the system learns individual baselines rather than applying aggregate risk models. Second, its identity-aware bot detection links automated behavior to specific user accounts, a capability that pure network-layer bot detection cannot provide.
The developer-first integration model also differentiates Castle from enterprise-focused competitors that require lengthy implementation projects and dedicated security teams. Phin Barnes of First Round Capital articulated this positioning at the seed round: "Castle offers a much-needed out of the box solution, leveraging behavioral data to recognize us by our actions and quickly identify and challenge malicious actors."[24]
The primary competitive risk is commoditization. As fraud prevention capabilities become table stakes for cloud infrastructure providers and identity platforms, the standalone fraud detection market may consolidate around a small number of scaled players or get absorbed into broader security suites.
Castle operates as a B2B SaaS company selling fraud prevention infrastructure to online businesses. The product is API-based and developer-integrated, which typically supports usage-based or tiered subscription pricing — common models in the developer tools and security API space. No public pricing data is available for Castle, and the company has not disclosed revenue figures at any stage.
The developer-first go-to-market model suggests a self-serve or product-led growth motion at the low end, with a sales-assisted motion for larger enterprise accounts. The hiring of Jim Gochee as COO post-Series A indicates organizational maturation toward a more structured go-to-market function.[15]
Castle's value proposition is cost avoidance: the cost of account fraud, fake account abuse, and bot-driven policy violations is measurable and often significant for the businesses it targets. This makes the ROI conversation relatively straightforward compared to preventive security products where the benefit is harder to quantify.
Castle's earliest public traction data comes from its YC W16 Demo Day pitch in March 2016: 150 deployments, 400,000 protected users, and 35% week-over-week growth.[8] The week-over-week growth figure is notable but should be contextualized — at 150 deployments, the absolute base was small, and percentage growth at that stage is easier to sustain than at scale.
By November 2016 — approximately six months after graduating YC — Castle had scaled to hundreds of applications, 15 million protected users, and more than 250,000 mitigated accounts.[10] Named customers at that stage included Rue La La, a flash-sale e-commerce platform. This growth trajectory — from 400,000 to 15 million protected users in roughly six months — was sufficient to attract a $2M seed round from First Round Capital.
By December 2019, Castle had 21 employees across three offices (San Francisco, Sweden, and Poland).[13] The company was recognized as a 2020 Bay Area Best Places to Work winner by the SF Business Times and Silicon Valley Business Journal.[14] No revenue figures, ARR, or customer count data are publicly available at any point in the company's history. Growth trajectory after 2019 is not documented in available sources.
The Series A investor quality provides indirect traction validation. Index Ventures, which led the $9.2M round, is a firm that conducts rigorous diligence before committing to a Series A and has backed companies including Adyen, Robinhood, and Figma. Shardul Shah, the Index partner who joined Castle's board, said: "Security is the primary concern on everyone's mind today and the Castle team has figured out an approachable way to make the online world more secure for everyone."[25]
Note: Castle is an active company, not a defunct one. The following lessons are drawn from the company's strategic choices and evolution — not from a failure narrative.
Pivoting from a crowded commodity market to an adjacent, defensible problem can unlock a viable business. Userbin's failure in the authentication infrastructure market directly informed Castle's decision to focus on post-authentication behavioral fraud detection — a problem with fewer open-source alternatives and higher enterprise value. The lesson is not simply "find a better market" but rather "use your domain expertise to identify the adjacent problem that your failed product was actually solving for customers."
Developer-first distribution is a durable go-to-market strategy for security infrastructure, but it requires a clear upgrade path to enterprise. Castle's single-snippet integration lowered adoption friction dramatically, mirroring the playbooks of Stripe and Twilio. The risk is that self-serve adoption at the developer level does not automatically convert to enterprise contracts. The post-Series A COO hire suggests Castle recognized the need to build a more structured sales motion alongside its product-led growth.
Angel investor selection can serve as a product validation signal, not just a capital source. Castle's Series A angel roster — the former COO of Duo Security, the CMO of Palo Alto Networks, and the CEO of Datadog — represented domain experts who had direct experience with the problems Castle was solving. Their participation provided credibility with enterprise buyers and subsequent investors beyond the dollar value of their checks.
Expanding the product surface area in response to evolving fraud patterns is both a growth opportunity and a focus risk. Castle's expansion from account takeover prevention into bot detection, SMS pumping, API abuse, and content fraud reflects the reality that fraud is not a static problem. Each expansion opens new customer segments and use cases. The risk is that a 20-person team building across six distinct fraud categories may lack the depth to win against specialists in any single category.
Geographic distribution of engineering talent (Sweden, Poland, San Francisco) can be a structural advantage for a company with Swedish founders. Castle maintained engineering offices in Sweden and Poland while keeping its commercial operations in San Francisco — a model that allows access to strong European engineering talent at lower cost while maintaining proximity to U.S. enterprise buyers and investors.