1 Introduction

Cleafy is a web and mobile application security vendor headquartered in Milan, Italy. The company was founded in 2014 by a group of engineers from Politecnico di Milano – the largest technical university in Italy – with a goal to develop innovative security and fraud prevention solutions for banks and other financial institutions. Since then, the company’s technology has been adopted by a number of major corporate and retail banks; in total, over 10 million users are protected with it. In 2017, Cleafy became a part of the Moviri Group, a global software and professional services company with offices in Italy and USA. Along with Cleafy’s own growing partner network in Europe, Asia-Pacific and Latin American markets, this is expected to substantially boost the company’s presence in multiple local markets around the world. Despite its early age, Cleafy has already established a number of technology partnerships with large vendors like Microsoft, Citrix, Splunk and RSA, which enable it to reach new potential customer groups, especially with a planned Microsoft Azure-based Software-as-a-Service offering for small and medium businesses.

As more business services are brought online, either through web browsers or mobile apps, fueled by the ongoing Digital Transformation, they become an increasingly more lucrative target for cybercriminals. This is especially relevant for payment service providers: direct financial losses from successful attacks or fraud can be significant, and these industries are also heavily regulated. With multiple attack vectors and increasingly sophisticated targeted attacks, protecting services against them becomes a difficult challenge. Moreover, meeting the latest compliance regulations requires even bigger investments. For example, the recently adopted Revised Payment Service Directive (PSD2) mandates that service providers not only check financial transactions for signs of malware infection, but report them to the adaptive authentication systems in place to engage strong authentication for risky transactions. To fully comply, banks must expand their existing web security solutions to cover API endpoints and mobile apps, as well as integrate them with their existing strong authentication infrastructures and anti-fraud technologies.

Cleafy offers a single integrated solution to address all these challenges. Combining functionality of endpoint detection products and traditional online fraud detection solutions, Cleafy is a unified threat detection and protection platform developed with a strong focus on security and compliance challenges of financial and e-commerce institutions. However, as opposed to traditional anti-malware products, Cleafy does not rely on malware signatures or behavior analysis, using instead a proprietary patented technology for clientless, application-independent and completely passive transaction monitoring and risk assessment. Integrating with existing application infrastructure on the server side, it does not require any modifications on the backend and only minimal changes in mobile apps. With native risk assessment functionality, it can be easily integrated with various transaction monitoring and adaptive risk-based authentication platforms and plugged directly into existing SIEM, incident management or ticketing systems.

Perhaps the biggest challenge for Cleafy is its narrow focus on financial customers. Although the technology can be easily adapted for a larger potential audience, the company does not yet have sufficient resources to reach and serve such a market. This is likely to change in the future thanks to the growth of their partner network and the recent acquisition by the Moviri group, however.