c/side: How This Cybersecurity Company Optimizes Vulnerable Browser-Side Third-Party Scripts

By Amit Chowdhry • Jun 11, 2024

c/side is a cybersecurity company that develops solutions for monitoring, optimizing, and securing vulnerable browser-side third-party scripts. Pulse 2.0 interviewed c/side CEO Simon Wijckmans to learn more about the company.

Simon Wijckmans’ Background

Simon Wijckmans

What is Wijckmans’ background? Wijckmans said:

“I started as a contractor at Microsoft before I was 18. The schools did not provide me with access to topics I cared about – most notably technology, engineering, and business – so I found a hack to homeschool myself in Belgium and get time to learn about technology on my own and at my job.”

“After becoming an employee at Microsoft, I worked there for nearly four years on projects like Microsoft Surface, Azure, and Office 365. My next move was Cloudflare, where I started as a solutions engineer during COVID. Their business grew immensely throughout that time and, as a result, I got the opportunity to move into product. My first project was bot detection as a subject matter expert, where I learned that I like cat-and-mouse style problems. I then inherited and became the product manager of “Page Shield.” This product tried to solve the same thing we’re doing now with c/side—protecting sites from malicious third-party scripts. It’s still live today but does not deliver on its promises.”

“After a year at Vercel and six months at a small startup, it was time to come back to the problem that Page Shield tries to solve, with a new approach.”

“In a way, I’ve engineered my career to go from big enterprise to smaller and smaller companies, learning multiple techniques along the way, until I felt ready to go out there and do it on my own.”

Formation Of c/side

c/side Team

How did the idea for c/side come together? Wijckmans shared:

“That came a bit after I left Cloudflare. Page Shield was built on the wrong foundation when we inherited it, and our solutions to improve it or even build it better from scratch fell on deaf ears a bit. After all, it didn’t contribute massively to the entire revenue at such a big company.”

“After a few years, I noticed this problem was growing and that existing tools weren’t solving it. So we got back together, figured out a better way, and started the process of raising the money and getting the founding team together.”

Core Products

What are c/side’s core products and features? Wijckmans explained:

“The larger scope has everything to do with client-side security, but we’re starting with monitoring, securing, and even optimizing third-party JavaScript. Devs use a bunch of those scripts, and they can be very dynamic—meaning they can load different code in each session in the browsers of their users. When things go wrong, like when a script is breached, both the user and website owners don’t know since it’s managed by a third party.”

“Our tiny script forces the other scripts through our proxy, in which we analyze the full code before it gets rendered in the user’s browser.”

“Contrary to adding latency, we’ve succeeded in optimizing those scripts, which counteracts the small delay that happens through our proxy, resulting in a faster site almost all of the time.”

Challenges Faced

What are a couple of initial challenges you’ve faced building c/side? Wijckmans acknowledged:

“The hardest part of building any business will be GTM. We’re not selling pretty gadgets; this is a solution to a problem that can harm businesses. But many of these businesses have so many security challenges to address that they simply can’t get to all of them. And then the ‘one-stop shop’ that sells side products that barely work comes in and promises the world… this is a hard challenge.”

Evolution Of c/side’s Technology

This might be too early, but has c/side’s technology evolved since the initial vision? Wijckmans noted:

“Yes. We’ve started building nearly all the features of the full product despite starting with launching the free tier first. This way we can begin onboarding users while ironing out the last things on the paid tiers.”

“In this process, a few things that were initially planned for later have been added to the free tier, like viewing the full code for example, deminified and deobfuscated (meaning written in a way a human can read and understand it).”

“Paid tiers, later on, will have more features like a longer history of viewing the code, as well as SOC add-ons among other things.”

“We also planned on using an edge runtime, Cloudflare Workers, but noticed edge-side storage was too slow. So instead of fighting to be 15 ms closer to a user to then add 150 ms in storage latency, we decided to run in five locations to begin with 0 ms storage latency. These are the sorts of things that change between MVP and actual product.”

Significant Milestones

What have been some of the company’s most significant milestones? Wijckmans cited:

“Raising the pre-seed, building the team, shipping the whole base product in under 3 months, and having some organic inflow of prospects already.”

Funding

Are you able to discuss funding? Wijckmans revealed:

“We’ve raised a pre-seed of $1.7m, with the majority coming from Scribble Ventures and Roar Ventures. Among them, we’ve been very honored to get a few angels on board including: Kathy Korevec, Dan Scheinman, Jason Warner, Mike Taylor, Mike Kutlu, Kevin Van Gundy, Alayzain (Zain) Rizavi, Daniel Lopez Ridruejo, Vishal Kumar, Daniel Smith & Nick Gianos.”

Total Addressable Market

What total addressable market (TAM) size is c/side pursuing? Wijckmans assessed:

“We’re starting with third-party JavaScript protection, which is a sizable market on its own. We also let you monitor the scripts, which is a requirement for the latest PCI DSS version 4.0. By March of next year, every website that accepts payments needs that in place or they risk losing their payment vendors.”

“After we’ve built that, we can branch out to other client-side features which we’ll keep to ourselves for the time being.”

Differentiation From The Competition

What differentiates c/side from its competition? Wijckmans affirmed:

“We use a proxy to route all the other third-party scripts through us. This way we can check 100% of the code, 100% of the time. This is unique. Others take a less robust approach, checking sources only or solely relying on threat feeds. Some even sample the traffic, and just check 10% of the sessions, which obviously isn’t very safe.”

“Since these scripts are dynamic, attackers can target a small percentage of users and stay undetected that way for days, weeks, or even months. With our solution in place, this is not possible, as it checks every individual session—all the time—and saves the code.”

“So even if, somehow, something were to go wrong that we didn’t catch, we have the data to analyze the exact code and ensure it doesn’t happen again. That’s a feature on its own that not a lot of other vendors provide.”

“We’ve used all the traditional checking methods, and combined them with our own engine (that checks 60+ attributes and ranks them) and an LLM to parse through the code of a script. If the code itself checks too many ‘bad’ boxes, we can stop the code from loading altogether and autonomously. For example, when a new domain is noticed that was registered just a few days earlier and in a totally different place than the other known domain—like the case of British Airways—pointing to an IP range of a less reputable party, that is rather obvious.”

“Of course, when our users have this happen on their site, they get an alert and can see why we blocked the code from deploying.”

“The reason others don’t use this proxy approach is because it’s not easy to engineer it without causing massive delays. As I explained before, we’ve managed to even speed up scripts most of the time, circumventing this issue. Our team worked hard on achieving this, and we’re happy we cracked the code so to speak to make this happen.”

Future Company Goals

What are some of c/side’s company goals, short-term and long-term? Wijckmans highlighted:

“We have a few first interested parties, as well as design partners ready to try it out and give feedback. While iterating on that, we’re planning to raise the seed round. This will give us plenty of run time to build out the product and set up sales channels to start onboarding users. Likely hiring a few extra employees to make this happen.”

“In due course, we’ll launch the paid tiers with extra features and start acquiring users on those to get the first revenue in the door.”

“Then we want to both increase the feature set (increasing TAM) and keep on growing the revenue by acquiring more users.”

Favorite Memory

What has been your favorite memory starting up c/side so far? Wijckmans concluded:

“The first engineering kickoff we did was the best one I ever had in my career, and afterwards I realized why: I handpicked the people I worked with in the past that got most stuff done. So naturally this meant things moved fast.”

“This was further reinforced when we did our team offsite. It was great getting the team together in person for a week; some would go to bed very late and in the morning we’d wake up and a major improvement was shipped from the fireplace.”