Explore the full 2022 list of Fast Company’s Most Innovative Companies, 528 organizations whose efforts are reshaping their businesses, industries, and the broader culture. We’ve selected the firms making the biggest impact with their initiatives across 52 categories, including the most innovative AI, design, and data science companies.
Our most innovative security companies of 2022 run the gamut from helping consumers control access to their data to protecting marketers from unintentionally paying to show ads to bots. What most have in common is using software, including artificial intelligence, to help humans make the most informed decisions possible about managing security risks. That’s because while some security breaches do arise from sophisticated hackers harnessing previously unknown flaws in software, many also involve humans being tricked into falling for scams or simply making mistakes: 85% of breaches studied by Verizon for its 2021 Data Breach Investigations Report “involved a human element.”
Among the companies on our list, Deduce harnesses massive collections of data to spot patterns of fraudulent login attempts, Tessian’s software flags signs of sophisticated phishing attacks and warns users before they accidentally send confidential material to the wrong place, and financial-services-connection platform Plaid has rolled out new tools to help users understand and control what data they’re sharing between financial institutions. Arctic Wolf uses Hollywood-caliber video materials and gamification to provide corporate employees with security training they’ll actually remember, and insurer Coalition offers security scans to help its clients avoid risks that could lead to costly claims. Transmit Security helps users avoid having to remember or store passwords that could get leaked, while Evervault lets developers who don’t specialize in security add encryption features to their apps without having to code them themselves. Moonshot uses techniques similar to commercial advertisers to find people who seem at risk for being swayed by extremist material and show them more moderating voices, while Inky uses AI and even computer vision to detect and warn people about email scams missed by other tools.
By helping the people who use it stay alert, these companies make the internet more secure.
1. Deduce
For sleuthing out hacking attempts even across websites and apps
Big tech companies like Google and Facebook have plenty of data to help them detect when someone’s trying to log in as you, but smaller ones often don’t have the commensurate level of information or coding skill to detect fraudulent login attempts. Two-year-old Deduce seeks to bring the detection of account-takeover attempts, for example, to the rest of the internet. Powered by a network that ingests privacy-compliant data from more than 150,000 sites and 300 million user profiles, Deduce is able to identify and alert customers to novel, emerging fraud techniques, as well as attempted hacks targeting the same user across multiple companies. In 2021, Deduce launched two new products: Identity Insights, which acts as a kind of cybersecurity radar, providing companies with early warnings of fraudulent behavior, and Customer Alerts, which provides instantaneous direct notifications of suspicious activity so users can change their passwords before it’s too late. In protecting its clients from criminals taking out loans with someone else’s identity or ordering big-ticket items using stolen account details, the company hopes to cut off the source of the ill-gotten resources that ultimately fund terrorism, human trafficking, and other nefarious activities. New customers can be up and running on Deduce’s Identity Network in a matter of hours. With subscription prices that start at $200 per month, Deduce claims that it’s now protecting more than 200 million accounts, with a user base growing at more than 500% year over year.
Deduce is No. 24 on this year’s list of the World’s 50 Most Innovative Companies.
2. Arctic Wolf
For going Hollywood with, yes, security training
Arctic Wolf evaluates a reported 1.6 trillion security events each week as part of its efforts to help banks, hospitals, and municipal governments (among others) mitigate risks and defend against cyberattacks. But according to analysts, somewhere between 40% and maybe even 95% of breaches stem from human error. In May 2021, Arctic Wolf introduced a new educational program, Managed Security Awareness, that goes beyond the basic requirements of asking employees to watch one boring video on good security hygiene. Arctic Wolf’s interactive training program reinforces employee knowledge by engaging them multiple times a month with short, gamified lessons based on real-world active threats. The videos have high production values and leaderboards to track participants, while integrated coaching prevents employees from getting lost in tough challenges. Last September, Arctic Wolf, which has a valuation of $4.3 billion, acquired a security-training startup called Habitu8 to further elevate the entertainment and learning value of its training regimen. By November it had expanded Managed Security Awareness to include content designed for specific industries, such as law and education, as well as different roles within an organization, from human resources to finance; sessions designed to address security around compliance programs, such as HIPAA; and an additional module to maximize employee preparedness for phishing attacks. To date, more than 3,000 customers, including Microsoft and Disney, have subscribed.
3. Transmit Security
For unshackling users from the bind of remembering passwords
Logging in to websites and apps using passwords can be risky, because passwords are easily stolen, often forgotten, and can be reused on other sites. Many services have set up what’s known as passwordless login, using biometrics like fingerprints or facial images, but these methods often still require passwords, at least when setting up new devices. Transmit Security builds secure login systems, and in February 2021, it launched a new product, BindID, which allows users to leverage any biometric identification stored in a mobile device across computers, phones, call centers, public kiosks, and other real-world scenarios in which someone has to verify who they are. Transmit manages this feat without repetitive registration and onboarding processes by using the stored biometric data many users already have on their mobile devices. In a typical scenario of a user trying to log in to a service on a new laptop, they’d be prompted to log in with mobile, after which BindID would send a QR code to the laptop, and the user would scan it with their phone. BindID then uses their stored biometric data to unlock the desired application. This translates to a smoother experience for users and less opportunity for hackers. Transmit Security’s annual revenue growth surpassed 40% for the second straight year in 2021, hitting a reported $100 million annual run rate. Last June, the company, which had been self-funded by its founders, closed a $543 million Series A round, the largest funding round to date in the cybersecurity sector.
4. Cheq
For blotting out online bot behavior
According to some reports, bots account for two-thirds of all online traffic, and marketing security company Cheq estimates that more than one-third of Black Friday shoppers are fake. This is a nightmare for businesses, which have to contend with bots clicking their ads, scraping their sites, and setting up fake accounts for fraudulent purposes. Companies end up overpaying to target customers, advertising in places that bring in more bots rather than not, and failing to discern the behaviors and desires of real, live human beings. Fraudulent ad responses alone cost the industry billions of dollars every year, but online marketing people typically aren’t trained in the computer security techniques needed to detect such issues and fight back. In 2021, Tel Aviv-based Cheq launched what it claims is the first full-suite security platform for marketing teams. The platform runs more than 2,000 real-time browser tests to check the authenticity of every user while simultaneously applying behavioral analytics to detect suspicious scrolling and browsing patterns. By identifying and weeding out bots, Cheq helps ensure that campaign budgets are devoted to actual consumers, that bots aren’t undermining conversion efforts with fake registrations and bogus leads, and that invalid traffic doesn’t warp a company’s business intelligence and metrics. Cheq has been adding an average of 400 small businesses and 50 enterprise customers per month to its roster of clients, which already totaled more than 10,000 global customers (including Toyota, Hewlett Packard, Chanel, and Colgate-Palmolive), for its customer-acquisition security platform.
5. Plaid
For showing people whom they’re sharing their financial data with
More than 6,000 companies, such as Venmo and Robinhood, rely on Plaid and its unified banking API to connect their apps seamlessly and securely with over 11,000 financial institutions in the United States, Canada, the U.K., and Europe, making it the data transfer network that undergirds much of the fintech market. Given Plaid’s prime position at the intersection of fintech and traditional finance, securing customers’ information is paramount. To that end, the San Francisco-based company released Plaid Portal in beta in late 2020, giving customers visibility into what data they’re sharing with different institutions and providing them more control over that information. Portal users can view all connections between their financial accounts and apps, review the types of data being shared, disconnect financial accounts from apps, and delete financial data from Plaid. In May 2021, Plaid also introduced a redesigned transition for when a fintech service connects with Plaid (it’s called the Consent pane), so that users have greater transparency into what’s happening at the moment they’re authorizing Plaid to be the steward of their personal financial information. The company developed these consumer-centric security features during the same time that the U.S. Department of Justice evaluated Plaid’s proposed $5.3 billion sale to Visa. Ultimately, that deal was canceled in January 2021; by April, Plaid closed a $425 million Series D funding round, giving the company a valuation of $13.4 billion.
6. Coalition
For providing insurance that mitigates the need for its insurance
Cybersecurity insurance provider Coalition not only protects its more than 140,000 customers with coverage in the event that any of them needs to file a claim; the company also provides tools to help them assess risk and detect problems before disaster strikes. In 2021, the four-year-old startup launched Coalition Control, a dashboard that combines automated security assessments with policy information, integrating data from its recent acquisition of security-scanning platform BinaryEdge. The automated scanning service helped lead to Coalition’s customers filing 70% fewer claims than the industry average. The company, which has a private-market valuation of $3.5 billion, boasts that its annual premium run rate has reached $650 million and revenue grew by more than 400% in 2021.
7. Tessian
For making sure you really wanted to attach that file to this email
In January 2021, email security provider Tessian launched features to detect account takeover attacks, an increasingly popular cyberhack in which a legitimate account is hijacked and used for phishing others within a company. The features use anomaly detection and natural language processing to identify threats in real time and notify both employees and IT administrators why an email was flagged. A month later, Tessian introduced a novel feature designed to make sure that people don’t inadvertently send an attachment to the wrong person and potentially create an unintentional security breach, again relying on machine learning to identify when it thinks an attachment might be in error and alerting a user in the moment. Tessian, which wins the award for boldest corporate tagline (Email security for “Oh Sh*t” moments—protect your employees from themselves), has signed such major clients as Bain Capital, NYSE, and the chip-tech company Arm.
8. Evervault
For freeing developers from having to encrypt their own apps
Consumers and app developers want encryption to help keep personal data safe. But coding around data encryption is a specialized programming skill. Headquartered in Dublin, two-year-old startup Evervault handles the encryption-related part of building an app so that developers don’t have to worry about getting those difficult details right, making properly deployed encryption available in more systems. In August 2021, the company launched its suite of tools built around the Evervault Encryption Engine, E3, and earned key compliance certifications, including HIPAA and the Payment Card Industry Data Security Standard. Unlike most software-as-a-service companies, Evervault prices its products on a “pay as you grow” basis, charging clients based on processing or transmitting data. The company claims to have securely processed millions of data points for its early customers.
9. Inky
For spotting phishing emails that other security systems miss
In this era of cryptomining and ransomware, phishing doesn’t seem like a super-sexy security risk—more like a horse and buggy rolling along the shoulder of a highway where Lambos and McLarens are drag racing. But according to a 2021 report from Cisco, phishing still accounts for 90% of all breaches. Phish Fence, Inky’s core product, uses artificial intelligence, computer vision, and machine learning to detect bogus emails capable of evading the secure email gateways (SEG) most companies deploy. In July 2021, Inky rolled out Internal Mail Protection to apply the same protocols to intraoffice emails, which phishers frequently hijack after having gained access to an employee’s account. This additional layer of protection helped Inky expand its customer base across such fields as energy and IT, grow to serve more than 500 enterprises, and increase an estimated 70% year over year.
10. Moonshot
For intercepting extremist intent
An organization dedicated to countering violent extremists one at-risk individual at a time, Moonshot is a tech startup founded in 2015 by tech policy veterans Vidhya Ramalingam and Ross Frenett. The company, which has offices in Washington, D.C., and London, uses monitoring technologies to identify individuals who are sharing extremist content online, then redirects them to more moderate content. Moonshot has run more than 100 campaigns in 35 countries and 22 languages, and one of its most ambitious focused on violent rhetoric following the 2020 U.S. presidential election. Monitoring activity on Parler, Gab, Telegram, 4chan, 8kun, MyMilitia, Zello, and MeWe—in addition to mainstream platforms, such as Google Search, Facebook, Twitter, and YouTube—Moonshot discovered that users in more than half of all U.S. counties were searching to learn how to join an armed group. In the three and a half months following the election, Moonshot’s campaign registered 1.7 million engagements, testing 21 pieces of original de-escalation content and redirecting thousands of users to crisis counseling services. On January 6, 2021, Moonshot’s Twitter ads were viewed nearly 700,000 times with more than 1,600 clicks through to Redirect content; Google display ads were viewed more than 4 million times, leading to nearly 37,000 clicks. Moonshot clients include several U.S. government agencies, including the Department of Homeland Security and the State Department, as well as the U.K. Home Office, Facebook, and Google. In June 2021, the company closed its first funding round of $7 million.