Arcjet turbocharges in-code developer defences

Enterprise software application development is continually charged with the need to simplify, coalesce and automate core functions into what vendors often call a unified platform, a single pane of glass or (less grandiosely) greater proximity to the command line (or visual coding tool) that software engineers use every day.

Aiming to align security platform toolsets far more closely to developers than traditional approaches to cyber resilience is Arcjet.

Styled as the “security platform that ships with your code” and pitched as giving teams significantly greater resilience than bolt-on, after-the-fact tools, the company describes itself as a developer-first native security platform for modern applications.

Now basking in the glow of some recent funding, the company says it is ready to provide secure developer technology to meet a fast-changing security landscape… but how fast is change in this space right now?

How fast is change?

According to the Arcjet engineering team, bots now outnumber humans online, with 37% of all traffic coming from malicious sources. The suggestion here is that AI is amplifying the problem, creating adaptive, automated attacks that can bypass traditional defences and inflict real business costs.

What kind of malicious activity are we talking about? 

Everything from fake sign-ups to spam AI bots scraping content and overwhelming Application Programming Interfaces (APIs), meaning that developers are under pressure to protect their apps in a world where traditional security tools are no longer fit for purpose.

Arcjet has this quarter launched a new local attack detection model that brings AI-powered threat analysis directly into a developer’s application code. 

The company’s local AI model performs attack detection directly “inside the request handler” and so it is capable of analysing user behaviour alongside business context to stop sophisticated threats that bypass conventional defences.

What is a request handler?

NOTE: A request handler receives requests from clients (such as web applications, browsers, or other services), parses and validates them, invokes the appropriate business logic (sometimes via the business proxy), and then constructs a response in a format the client understands, e.g. JSON or XML. Arcjet integrates at this layer to inspect and protect incoming requests, so this is the level at which Arcjet’s technology is applied.

“Legacy security tools – designed for a pre-AI era and operating at the network perimeter – see packets, not users or business context,” said David Mytton, Arcjet founder and CEO. “They can’t provide the deep, granular level of protection needed to distinguish valuable AI traffic from genuine threats or respond at the pace of AI innovation. As a result, developers are left with security approaches that lack application & business context, slowing release cycles and creating costly false positives while missing sophisticated attacks.”

Mytton insists that Arcjet takes a different approach.

By embedding an AI directly into the codebase and inspecting every request in milliseconds (without slowing deployment), Arcjet’s protections become part of the application itself, so they are testable and deployable like any other feature.

From the first line

Backed up by analysis which adapts in real time, Arcjet says it enables developers to stop fraud and abuse from the first line of code. The platform allows developers to collaborate with security teams to stop attacks, without changing architecture, deploying agents or configuring proxies.

Arcjet founder & CEO Mytton: Developers 'absolutely do' care about security.

“More than 1000 developers across AI and e-commerce are using Arcjet to protect more than 500 production applications processing millions of requests every day,” said Mytton. “One early Arcjet customer was able to reduce serverless cloud costs for its content-heavy community forums by 66% with Arcjet’s protections against malicious bot scraping. Another was able to rapidly secure a new finance platform against common attacks, completing a security audit ahead of a crucial launch deadline.”

Two of the largest Arcjet user groups to date are:

  • AI application developers protecting against bot abuse and automated spam signups, where every malicious request translates into real compute cost.
  • E-commerce teams who are fighting increasingly sophisticated scraping and fraud attempts that can hit revenue and undermine customer trust.

“Security has to live inside your code if it’s going to keep up with modern threats,” Mytton added. “We built Arcjet to make AI-powered defences a native part of the development process – with minimal overhead and APIs that feel familiar. This funding will accelerate our mission to make embedded in-code protection the default for modern applications.”

In modern web development, where developers run their code at the compute edge on Internet of Things (IoT) devices, in an increasingly varied range of smart devices, across agentic services forming interconnections via MCP Server synapse points and beyond… there may well be truth in the proposition that a traditional single wall of security can no longer reliably protect an app or a business.

“It’s not that developers don’t care about security. They do. They just haven’t been given tools that match the way they already write and ship software. Good security decisions depend on knowing what the application is trying to do,” wrote Mytton, on his company’s own blog.

He says that when developers are building, they’re thinking about outcomes: shipping features, unblocking PCI audits and stopping abuse. 

Security decisions with application context

“Developers are not shopping for web application firewalls (WAFs), they’re solving concrete problems like bots hammering a signup form or spam polluting analytics. That’s why Arcjet is designed for developers: drop the SDK into your routes, test locally and make security decisions with application context,” concluded Mytton.

Embedding protection directly into code – analysing every request in real time – almost seems like an obvious alternative, but not so many are doing it. Arcjet appears to be igniting the turbochargers in this space.