Human Security, a company focused on bot mitigation and fraud detection, on Wednesday announced its merger with PerimeterX, a company focused on safeguarding Web apps from account takeover and automated fraud.

Dark Reading analyzed the two companies in order to assess the impact the merger will have on customers and on the overall bot defense market. Our assessment is that, separately, the two companies addressed different parts of the bot, account abuse, and fraud problem. Going forward, the merged company, operating under the existing Human Security name, will offer a strong product portfolio showcasing Human's bot defense capabilities and PerimeterX's comprehensive account protection capabilities. Enterprises will be able to safeguard against bot attacks via a single Human Defense Platform, which would be attractive to both features-focused CISOs and managers interested in consolidating the number of vendors they are working with.

The new company will serve more than 500 customers and have more than $100 million in annual recurring revenue. Human Security's CEO Tamer Hassan will continue as CEO of the combined company, while Omri Iluz, CEO and co-founder of PerimeterX, will become general manager of the enterprise security division and join the board. Ido Safruti, PerimeterX's co-founder and CTO, will become CTO of the enterprise security division. Financial terms of the merger were not disclosed.

The Bot Problem

Bot management and defense is often viewed as an extension of the Web application firewall, as it handles an array of Web application and business-logic abuse attacks. Business-logic abuse, or Web attacks that abuse the legitimate processing flow of an application, is a growing problem for enterprises and difficult to mitigate.

Many attack surface management and detection products fail to see business-logic attacks because they look like normal user activity. An attack-focused CISO may overlook these attacks because they don't look like a direct attack on the organization the way a SQL injection or cross-scripting attack would. A compliance or governance-focused CISO could also miss these attacks because they typically don't violate regulatory standards.

In fact, these types of attacks are often discovered by the CMO examining business performance and finding that website activity did not correlate with forecasted results. Business-logic abuse attacks show up in situations where bots buy up popular items and scalp them as part of an unauthorized secondary market, consume content to make it look like there is user engagement when there isn't, use stolen payment cards or gift cards to make purchases, and fraudulently take over accounts via credential-stuffing attacks, to name a few.

CISOs looking at bot defense, account abuse, and fraud protection want to be able to detect undesirable or unwanted actor behavior and make it uneconomic for an attacker to misuse e-commerce processes without impacting legitimate user activity.

Analysis: Strength, Weakness, and Opportunity

Human's platform addresses an array of media security challenges: digital advertising fraud, CTV fraud and misrepresentation, mobile app and malware, abuse and spoofing, paid marketing manipulation, lead generation fraud, loyalty program abuse, and coupon and promotion fraud. Both Human and PerimeterX also address enterprise security risks, such as account takeover, fake account creation, carding, client-side supply chain attacks, digital skimming, PII harvesting, Web scraping, scalping, and denial of inventory.

Dark Reading's analysis suggests that a specialist like the combined company of Human will be able to expand its abilities to detect, identify, and actually disrupt sophisticated cybercriminals. The wider product portfolio means more signal and visibility across the Internet, giving the new company richer data assets. Human's platform gives insight into front-wave activity and identity through ad-tech signals, whereas PerimeterX provides insight into BLA attack patterns. Data collected by each product will complement the other product's capabilities.

With the merger, the companies will be able to invest even more in research and development efforts to develop new capabilities for the platform and new products. The combined company will be able to expand into adjacent product areas, such as fraud analytics, identity verification, and authentication.

However, a wider product portfolio increases the chance that enterprises already have deployed some of the elements, potentially increasing the customer's resistance to buying into this portfolio.

It doesn't appear that customers will see much — if any — immediate disruption as a result of the merger, according to Dark Reading's analysis. Both companies have similar customer acquisition and retention models. While Human's customers tend to be ad tech, performance marketing, and cybersecurity/application security teams in organizations, PerimeterX has worked mostly with security and e-commerce digital teams with e-commerce companies. Joining these silos means that customers will have a fully articulated solution addressing key business needs. Both organizations have Client Success Teams and dedicated sales leads that focus on retention.

"Our advanced technology, combined resources, mission-focused teams, and industry-leading strengths will enable us to create the most comprehensive Human Defense Platform that offers the most complete protection for enterprises and internet platforms across advertising, marketing, e-commerce, and cybersecurity," Hassan says.