Our History

Built alongside the evolution of browser security.

Report URI was created to help organisations understand what executes in the browser and operationalise browser-native security controls at scale.

See the timeline Read the story
The Origin

Early work in CSP and browser security.

As websites became increasingly dependent on third-party code, browser security standards like Content Security Policy (CSP) created new opportunities for visibility and enforcement — but operating them at scale was another matter entirely.

The Web Changed

Third-party code took over.

Modern websites started executing dozens of scripts, tags, and dependencies the organisation had never written, never reviewed, and never directly controlled.

Browsers Stepped Up

CSP arrived as a native control.

Content Security Policy gave browsers a way to enforce what could execute on a page — a real, runtime control built into every major browser at no cost.

The Reality

Operating it remained hard.

Understanding browser behaviour, investigating violations, and maintaining effective policies across growing environments was difficult in practice — and that gap shaped Report URI.

Building the Platform

Built browser-native from day one.

What began as CSP reporting evolved into broader client-side visibility, policy management, and active enforcement — never via injected scripts, agents, or runtime interference.

01

CSP reporting, the original feature

Report URI launched in 2015 with CSP and HPKP violation reporting — the simplest, most useful thing a browser-native security platform could do. One header, structured reports, instant visibility.

02

Visibility and noise control

As volume grew, report filtering, custom subdomains, and the first commercial subscriptions arrived. Telemetry stopped being a firehose and started being useful, actionable data.

03

Active client-side protection

Script Watch, Data Watch, Frame Watch, Policy Watch, and Threat Intelligence emerged as a coordinated suite for detecting and stopping client-side attacks — Magecart-style skimming chief among them.

04

Compliance-grade evidence

Browser-native visibility turned into auditable evidence aligned to PCI DSS 4.0 requirements 6.4.3 and 11.6.1 — without changing how the platform fundamentally works.

The Industry Shift

Client-side risk became a security priority.

As attacks targeting third-party scripts and browser dependencies increased, organisations faced growing pressure to understand and manage client-side risk. The gap between what was deployed and what actually ran in users' browsers became impossible to ignore.

Supply Chain

Third-party scripts became the weak link.

Compromised dependencies turned into one of the most reliable ways to reach high-value pages without ever touching server-side infrastructure.

Magecart & Skimming

Card-skimming campaigns went industrial.

Coordinated criminal groups turned browser-layer skimming into a recurring board-level issue. Fines, breach reports, and public incidents followed.

PCI DSS 4.0

Compliance caught up to the browser.

Requirements 6.4.3 and 11.6.1 forced organisations to prove what was running on their payment pages — continuously, with evidence, not quarterly.

2015
the year Report URI launched
700M+
browser events processed daily
100%
browser-native — no agents, no proxy
Today

Visibility and enforcement at scale.

Today, organisations use Report URI to reduce risk from third-party code, enforce browser-layer policies, and support compliance initiatives through auditable visibility and control.

The platform continues to evolve alongside changes in browser security, web application architecture, and client-side threat activity — while remaining grounded in a browser-native approach to enforcement and visibility.

Looking Ahead

Browser security continues to evolve.

The browser has become a critical layer for security, compliance, and third-party risk management. New standards, new threats, and new compliance requirements all keep arriving at the client-side layer.

Report URI continues to help organisations understand what executes in the browser and define what's allowed through browser-native security controls — the same approach it was built on, applied to whatever comes next.

The browser is no longer just where the user experience happens. It's where security, compliance, and third-party risk now have to be enforced.

Leadership

Learn more about the team behind Report URI.

Leadership → About Report URI →
Milestones

The story year by year.

From a single CSP reporting endpoint in 2015 to a browser-native platform processing over 700 million browser events a day.

2014
An Idea Is Born

Observing new trends in the security capabilities of Web Browsers, our founder began exploring the powerful features that would boost website security, and provide valuable information to website owners.

Lift Off!

After a year of Research and Development, Report URI was officially launched with only two features, CSP reporting and HPKP reporting!

2015
2016
One Year In

After a full year of learning, and seeing tremendous growth in usage, we released a bunch of major updates. Included in those updates was our Report Filtering capabilities, designed to remove noise from your telemetry and deliver greater value. These filters evolved over time and still exist to this day.

Commercial Plans

As the number of users continued to grow, and the amount of telemetry we processed along with it, we introduced paid subscriptions to the platform to provide access to more features and larger volumes of telemetry where needed.

2017
2017
Our First Investor

With Report URI having proved itself as a valuable product to hundreds of website operators, and demonstrating that it was commercially viable, we were joined by world-renowned Cybersecurity Expert, Troy Hunt! As our Strategic Partner, Troy would bring valuable knowledge, insight, and exposure to Report URI, to help fuel our growth.

We Could Have Helped

Throughout 2018, we saw several high-profile cyberattacks against industry and government websites that made international news headlines. We were seeing a spike in exactly the kind of attacks that Report URI could help website operators defend against, and ultimately could have prevented.

2018
2019
Expanding Capabilities

Fueled by exceptional growth in 2017 and 2018, and now having full-time staff to drive R&D, we launched countless new features and capabilities to our platform for several years, along with being awarded 'Best Emerging Technology' at the coveted SC Awards.

Email Security

Having covered all the capabilities supported by modern web browsers for website security, 2020 saw us continue to expand into the realm of email security. With DMARC reporting proving to be a big hit, the introduction of MTA-STS capabilities was a logical next step and has since become an integral part of our platform.

2020
2021
Fighting Back

By the start of 2021, a criminal collective referred to as 'Magecart' had become notorious. Their attacks stole sensitive data from websites, costing organisations millions of dollars in fines from regulators alone. We began launching a dedicated suite of products to detect and stop these attacks, helping website operators fight back.

Threat Intelligence

Following the enormous success of our 'Magecart' response, we continued to develop our capabilities. Now processing hundreds of millions of pieces of telemetry per-day, we began to curate and evolve our own internal Threat Intelligence feeds to leverage the huge amount of data at our fingertips and provide more value to our customers.

2022
2023
Huge Strides

To solidify our industry position as a robust protection against 'Magecart', and all the copycat attacks emerging, we joined the Payment Card Industry Security Standards Council as an Associate Participating Organisation. This outwardly demonstrates how serious we are about solving real security problems that our customers face on a day-to-day basis.

Building For The Future

Having established our position as an industry leader, we focused on expanding the team to ensure that we could continue to deliver and continue to innovate. Paul Oggelsby was appointed as Chair of our Board of Directors, we brought on senior developer resources, expanded our sales and marketing presence, and much, much more!

2024
2025
The Vision

In many ways, our vision is to continue doing what we do now: To deliver effective tooling that helps website operators protect against real threats.

To deliver that vision, we're continuing to invest in the R&D of new features and capabilities, we'll continue to expand the team with skilled and dedicated people, and we'll always work closely with our customers to ensure we're providing the best service that we can.