Snyk, from first check to leader in dev-friendly open source security

We are thrilled to announce our investment in Snyk, which is a developer-first security solution that helps companies use open source code and stay secure. We couldn’t be more excited to be leading this new round of capital again with Canaan Partners and including Heavybit, FundFire, and Peter Mckay (Co-CEO of Veeam) (see Techcrunch for more coverage).

Our initial journey goes way back, as we were investors in Guy Podjarny’s previous company, Blaze.io, which sold to Akamai in 2012. For the next few years we collaborated on several co-investments, and what ultimately attracted us to Guy’s new company (along with co-founders Danny Grander and Assaf Hefetz) was their bold vision to create a new platform for securing open source components with a dev-first focus. At the time we seeded Snyk in late 2015, open source library usage was growing significantly, and solutions were either security-first, which slowed down dev, or dev-first but without enough security built in. With the movement towards continuous integration and deployment, it was clear a new solution was needed.

In a little over two years, Snyk has gone from “founder-market fit” to “product-market fit,” and this new round will allow the company to build out its product offering and expand its Fortune 500 customer base.

With over 120,000 developers using the platform, 100,000 projects protected, 350,000 downloads per month, and notable partnerships with Heroku, JFrog and Microsoft Sonar, Snyk has proven it can get developers to fully adopt a security solution, and has shown the importance of having the strongest database of known vulnerabilities in open source.

Funding rounds are always a great opportunity to look back and see how the company’s initial thesis has held up and what has improved or changed. See below for Snyk’s initial vision from late 2015, much of which remains the same today: developer velocity is increasing, security isn’t dev-friendly, and the question is how you bridge the gap, especially in the open source world where much of the code is third party.

There have clearly been some tweaks to the model since then, but what is most exciting for us is watching Snyk go from idea and vision in a non-existent market to one where the question of how developers are securing open source components is becoming mainstream. And given high-profile security breaches like Equifax in Sept. 2017, which was due to unpatched open source vulnerabilities, you can see why solutions like Snyk’s are gaining rapid adoption.

While the need for dev-friendly open source security may seem obvious today, especially with the stats above, how did we frame our initial investment? Here’s what got us excited back then, much of which has come to fruition in the 2 years since:

  1. Solving a huge pain point in an emerging but potentially massive market — we were witnessing the move to continuous integration and deployment spreading to the enterprise, combined with the growth of open source and third party components; the thinking was that if you could make it dev-friendly then it could be a massive business.
  2. Dev-first business model with budget from security — we love bottom-up, organic models but always question where the bigger budgets are coming from, and what we saw in Snyk was an opportunity to go bottom-up with developers and then access the security budget for bigger dollars.
  3. Founder-market fit — GuyPod previously was Chief Architect at Sanctum/Watchfire Security, developers of one of the first web-app firewalls, ultimately sold to IBM. Danny Grander had significant security engineering experience starting in the IDF, where he met Guy, and continuing into Skybox Security and as CTO of Gita Technologies. Assaf had a Sr Research role at Skycure, which Symantec bought last year. This team had the technical and product skills and understanding to go after this opportunity.
  4. Repeat founders — we are always thrilled when founders we backed previously give us the first shot to invest in their new company. In this case, we had backed Guy before when he co-founded Blaze.io, which was sold to Akamai. He eventually became CTO of the Web Experience Unit at Akamai.
  5. We like to work with founders well before they leave their current role and start a new company. In Guy’s case we had regular dialogue over a couple-year timeframe to both brainstorm and also vet the idea with our Fortune 500 relationships. We also introduced Guy to fellow founders like Tom Preston-Werner from Github (see blog post on Snyk) to help refine the story.
  6. Time to value — incredibly easy to get up and running: authenticate via Github or Bitbucket and Snyk starts scanning, monitoring, and suggesting fixes.
  7. We love being able to help accelerate the time from “founder-market fit” to “product-market fit,” which we accomplished by helping Snyk secure some of their early on-prem Fortune 500 customers.
  8. We are purpose-built to double and triple-down in our portfolio companies as they hit milestones and scale their GTM team.

Once again, we couldn’t be more excited about leading this new round of funding and look forward to continued success for the team.

Also on Medium

Thoughts from RSA and the Climate for Security Startups

The year ahead in security tech and VC

Just getting back from a few days at RSA. We kicked it off Sunday night with a boldstart founders and execs dinner, where we talked about what’s next in cybersecurity with some of our portfolio companies like security scorecard, bigid, snyk, stealth co and many friends from the industry representing strategic partners and IT buyers. After a couple more days of straight security talk with lots of new vendors, VCs, strategics and CISOs, I wanted to share a few observations. Many of these are not earth-shattering but important to cover nonetheless.

  1. There are way too many cyber security startups. A record $3b went into these companies in 2016 and $2.5b in 2015. Many startups are features or products and not businesses. Each category and mini-category used to have only a few vendors, and now you can expect up to 10. Lots will struggle and go out of business, and industry consolidation is ahead.
  2. That being said, cyber security budgets keep increasing! Banks like JP Morgan spent $500mm on security and yet they are still not secure. While many large cos will still buy from best-of-breed startup vendors, the landscape is changing as Palo Alto Networks and Symantec keep incorporating new tech and provide an integrated, seamless stack.
  3. Which leads me to my next point. One CISO of a large bank told me that his team met with over 300 vendors last year. Large companies can’t possibly integrate all of these disparate technologies and the more you have, the more false positives you have.
  4. Rise of Nation State attacks – more sophisticated and deadly – many are targeting the largest financial institutions.