Kasada is a bot mitigation company whose software defends web, mobile and API channels against various types of threats. Its scalable software is easy to deploy and adapts to new attacks in seconds. Kasada is based in New York and Sydney, with offices in Melbourne, San Francisco, and London.
Rapid Growth Drives Need for Efficiency
Malicious bots represent an increasing threat to online businesses; on average, 40 percent of login attempts to company websites are fake. Kasada is a bot mitigation company that helps customers detect and defend against bot attacks across web, mobile, and application programming interface (API) channels. Since gaining its first customer in 2016, Kasada has experienced rapid growth, acquiring a few enterprise clients that drive more than half of business volume. Though headquartered in Australia, Kasada has a growing customer base in the US, where businesses tend to incur much higher levels of web traffic. Scaling is critical, as bots swarm these customers’ websites when they launch a new product. Left unmitigated, bot attacks can bring a website down for hours, even days.
Kasada software needs to quickly adapt to extreme spikes in traffic, from 10,000 requests per minute to 1 million requests the next. To help the business run more efficiently at scale, Kasada began a multifaceted modernization exercise on Amazon Web Services (AWS). Project goals included increasing the velocity of deployment and improving DevOps practices with an automated continuous integration/continuous delivery (CI/CD) pipeline. The business engaged CMD Solutions, an AWS Partner, to accelerate project delivery.
Facilitates Autoscaling with Move to Microservices
Even before the modernisation exercise, Kasada had initiated preliminary work to shift from single-tenant to multi-tenant architecture, and from monolith to microservices. This strategy would not only reduce the cost to serve per customer but also remove interdependencies that could hinder scaling. The engineering team considered how to scale optimally and deploy changes as fast as possible, which led them to containers and Kubernetes.
Kasada and CMD did extensive work to find the optimum balance between the number and type of instances used, as well as the limit of containers on each instance. The business is using Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) for container orchestration, both of which autoscale on demand.
“We’re confident now that we can scale up if something unknown happens—which happens quite often. CMD Solutions added valuable expertise around Kubernetes to support our decision-making process. We would come up with a recommendation, they would do the work and get the data, and then show us the impact of each decision path.”
David Turner, Head of Engineering at Kasada
Lowers Response Times and Cost per Customer
Containerisation with autoscaling has also reduced application response times to about 30 milliseconds, which Turner attests is “insanely fast.” He says, “It’s imperative we have the fastest response times possible on a consistent basis to prevent attacks from sophisticated bots. We need to stay up and scale up, both of which we can do without any concerns on AWS.”
Furthermore, the shift to microservices has contributed to a reduction in the cost to serve each customer. “When it comes to larger customers, cost isn’t a concern due to their high infrastructure utilisation rates. But for smaller customers, the actual need for infrastructure was lower in a single-tenant model, which resulted in a lot of wastage,” Turner said.
Now, CPU utilization rates are half their previous levels, down to 12 percent from 25 percent.
Right-sizing instances and the number of containers per instance, performance improvements due to smart caching practices, and strategic use of Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances have all contributed to cost reduction.
Thwarts Bot Threats with Faster Releases
Bots and their makers are fierce adversaries who seek out the tiniest vulnerabilities on websites. Kasada needs to constantly release and update its software to stay one step ahead. Transformation of its CI/CD pipeline and a streamlined DevOps practice have facilitated a shorter release cycle. Kasada was releasing once every two weeks or even once a month in some cases, and can now release daily. “Being able to deploy whenever we need had a massive impact on our adaptability when bots try to quickly find a way around our software,” says Turner.
Previously, deployment was painstaking. Engineers had to carefully select deployment windows with cushion time in case things didn’t go as planned. “It wasn’t a fun process and it was a time sink for a full day,” Turner shares. “We no longer need someone to handhold releases; it’s just a one-button click and our people are confident doing it. Streamlining our CI/CD process definitely led to higher employee and customer satisfaction because we can iterate and deliver features faster.”
Boosts Standardisation and Automation
Standardisation and automation using AWS CloudFormation to provision infrastructure as code has likewise contributed to increased velocity, by minimising the burden on operations. Implementation of an AWS Landing Zone with AWS Control Tower has also standardised governance and agile best practices across Kasada’s IT environment, paving the way for multi-tenant architecture.
Onboarding of new customers is simpler, with automated deployment as part of Kasada’s CD process, “to ensure every customer starts on the right foot,” adds Turner. Kasada now has all its customers on the same version of software, whereas previously 10 out of 15 customers could be using different versions. “CMD has helped a lot with finding a middle ground and standardising, in addition to automating our testing strategy for each release under a modern CI/CD setup,” says Turner.
Eases Expansion through Codified Security and Compliance
As part of its modernization, Kasada codified security and compliance in alignment with the Payment Card Industry Data Security Standard (PCI DSS) and SOC 2 auditing framework.
“To be a leading security company, you need certain certifications to show that you walk the walk. If a customer has PCI DSS compliance, we, as a proxy service, have to be compliant,” explains Turner. Services such as AWS Security Hub, AWS Config, and Amazon GuardDuty have helped Kasada automate threat detection and access control. Confident in its stance as a compliant service provider for businesses of any size, Kasada is pursuing further business expansion in the US while considering new markets in Asia and the UK. The modernization work to date has benefited further development of its multi-tenant architecture, which is currently in progress. Turner reflects, “Our overall experience working with CMD Solutions and AWS has been really positive. It’s been great not to have to do all this work on our own from scratch.”
“Being able to deploy whenever we need had a massive impact on our adaptability when bots try to swiftly find a way around our software.”
David Turner, Head of Engineering at Kasada