The easiest way to protect your users

Castle prevents account takeover in web and mobile apps

How it works

Track events in your web and mobile apps. We analyze device, location and usage patterns to make sure they are consistent for each user.

1. Track any source within minutes

Simple, developer-friendly APIs let you send activity from web and mobile apps.

2. We analyze user behavior

Castle builds behavior models of what's normal for your site and each user account.

3. Suspicious activity is revealed

Use our webhooks, Slack notifications and REST APIs to build security workflows.

Real-time security analytics

Get complete visibility into your users’ devices and access patterns. Drill down into subsets of your users to see who is using Tor or browsing like a bot.


As easy to integrate as any analytics API

We've tailored Castle to make developers feel right at home.

JavaScript snippet

Include the snippet on all your pages. Call identify when the user is logged in. The snippet improves device recognition, but is optional.

<script type="text/javascript">
  (function(e,t,n,r){function i(e,n){e=t.createElement("script");e.async=1;e.src=r;n=t.getElementsByTagName("script")[0];n.parentNode.insertBefore(e,n)}e[n]=e[n]||function(){(e[n].q=e[n].q||[]).push(arguments)};e.attachEvent?e.attachEvent("onload",i):e.addEventListener("load",i,false)})(window,document,"_castle","//")
  _castle('setAppId', '1234567890');
  _castle('identify', '1234', {
    created_at: '2012-12-02T00:30:08.276Z',
    email: '',
    name: 'Johan B'
  });
</script>

Track security events or any unstructured data from your web backend or mobile app, and Castle will look for anomalies.

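# Ruby example
# Assumes `castle` is the Castle Ruby SDK client and `track` its event call.
castle.track(
  name: '$login.succeeded',
  user_id: '1234')

castle.track(
  name: '$login.failed',
  properties: {
    '$login' => ''
  })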