Axiom launches its automated identity and access management platform

Axiom, a Tel Aviv-based startup that focuses on automating identity and access management (IAM) for developer platforms, is coming out of stealth today and announcing a $7 million seed round led by S Capital.

The idea here is to provide a single platform that gives developers easy access to the tools they need and security and operations teams the security guarantees they require. Axiom promises to automatically orchestrate cloud and SaaS IAM and ensure that developers get least-privileged access that still allows them to get their work done without hassle, while reducing the potential attack surface and the blast radius of the inevitable security breach.

To achieve this, Axiom offers just-in-time access rights to developers, with a tight integration into collaboration tools such as Slack. The company’s services also integrate with all major clouds and tools, such as Kubernetes, GitHub, GitLab, Bitbucket, Jira and ServiceNow, as well as database and data lake services like MySQL, PostgreSQL, MongoDB, Snowflake, and Databricks. Axiom currently mostly targets DevOps and DevSecOps teams in mid-market companies.

“Two megatrends are colliding to change the way we work,” said Haim Sadger, founding partner at S Capital (and founder of Sequoia Israel). “The evolution of the Cloud, where infrastructure has become far more elastic and scalable than ever, and the evolution of the workforce, where continued adoption of a hybrid IT model has made identity the new perimeter. Axiom works at the intersection of those megatrends to enable a new era of productive security for everyone.”

The company was founded by Itay Mesika (CEO) and Ilan Dardik (CTO), who first met in the technological unit of the Israeli Air Force. After working in a number of industry roles, the two co-founders decided to tackle a problem they regularly encountered in their day-to-day jobs. One major trend they both saw was that as the infrastructure has become more dynamic in recent years, identity management hasn’t kept up.

“You have that hybrid IT model that you’re starting to see more and more after COVID — and a plethora of dynamic identities because infrastructure has become far more elastic and scalable than ever,” Mesika said. “Both of these have led to a situation where identities have become the new perimeter of attacks. IAM is the glue that connects identities and the cloud and, unfortunately, it is the thing that has stayed behind and became a bottleneck for people.”

He noted that the core ideas here are obviously not new, but the dynamic nature of cloud access has left companies struggling to keep up, especially if they are still relying on manual processes. And while modern zero trust tools help businesses with managing who should have access to a given tool, they don’t necessarily help them decide which kind of access those users should get.

“We have a more holistic way of solving the process of cloud access,” Mesika said. “We do this by providing dev, sec and ops teams with an easy-to-use platform that automatically orchestrates all the operations around IAM for cloud and SaaS. We’re minimizing the operational overhead for the security team and also minimizing, at the same time, the user friction and frustration for developers.”

Axiom launches its automated identity and access management platform by Frederic Lardinois originally published on TechCrunch

Opal secures $10M for dynamic access management

Opal, a platform that decentralizes access management for enterprise customers, today announced that it raised $10 million in a Series A funding round led by Greylock. CEO Stephen Cobbe says that the proceeds will be put toward product development and expanding the size of Opal’s 25-person team.

It’s Cobbe’s assertion that companies give out too much access to systems. To his point, a 2021 survey by cloud infrastructure security startup Ermetic found that enterprises with over 20,000 employees experienced at least 38% cloud data breaches due to unauthorised access. Employees use systems like Amazon Web Services (AWS), GitHub, and Salesforce in their day-to-day work, and each of these systems has its own way of defining access control (e.g., via roles, groups, resources, permission sets, or policies). With so much variety, defining the right role-based abstraction can be challenging.

“Being an ‘engineer’ might have a well-defined meaning in Jira, where it involves having access to the ‘engineering’ ticketing project. However, in a more complicated system like AWS, being an ‘engineer’ may offer little insight into what a user needs to do their job,” Cobbe explained. “Opal solves this problem by leveraging a more dynamic model of access.”

Opal was founded in 2019 by Cobbe, a former software engineer at Dropbox. Umaimah Khan, Opal’s other co-founder and head of product, came from Collective Health, a self-funded employer health benefits firm.

Opal offers employees a self-serve catalog that allows them to request and receive access to systems. An analytics dashboard provides usage-based suggestions, visualizations, and insights about access to a customer’s security team. If a user hasn’t accessed a resource in many months, for instance, Opal’s analytics dashboard might recommend that the user’s access be removed.

“Opal brings a unique approach to the problem of access management, combining insights with workflows. Most products are one or the other,” Cobbe said. “Opal decentralizes away from overburdened teams like security and IT to resource owners with the most context.”

Opal can automatically discover databases, servers, internal tools, and apps, delegating access requests to the relevant teams and managers. The platform can also automatically remove access when it’s no longer needed, sending reminders to reviewers through Slack and email and monitoring for any changes to access.

“Opal was built to give teams a single pane of glass to manage access scalably and according to the security principle of least privilege where only the minimum amount of access necessary is granted,” Cobbe said. “Broadly, Opal helps enterprises move nimbly while staying secure and maintaining compliance … [We do] this by establishing a culture in which least privilege, the act of giving the least amount of access for someone to complete a task, is an established norm and everyday practice.”

Opal competes with companies large and small in the access management space, including DoControl. But Cobbe, while declining to answer questions about Opal’s revenue, said he’s confident his company can stand out with a customer base that includes Databricks, Blend, and Marqeta.

“Security and compliance are crucial for most companies. Even amidst the current economic environment, we believe there will continue to be a budget for products that drive value in these spaces,” he added.

Lumos wants to build an app store for the enterprise

Lumos, a startup that wants to provide an end-to-end solution for enterprises to manage all of the SaaS apps their employees use, is coming out of stealth today. The company plans to take on the SaaS management market by combining security features like role-based access control that IT departments need with the self-service capabilities that employees want and the spending reports (and ability to shut down unused accounts) that the finance department needs.

Lumos also today announced that it has raised a total of over $30 million from the likes of Andreessen Horowitz, Neo, Lachy Groom, Google Cloud CISO Phil Venables, OpenAI CTO Greg Brockman and others.

At its core, Lumos replaces IT tickets with a self-service portal for employees. The team argues that as enterprises increasingly rely on SaaS applications, it’s becoming increasingly difficult for businesses to manage them. Often, this means an added bureaucratic layer of IT tickets to gain access to a service and additional costs for SaaS licenses for users who may not even be using a service or who may have left the company — all while it’s almost impossible for IT and security teams to keep up with the inevitable rise of shadow IT as employees try to route around these systems.

The promise of Lumos is that it can provide access controls but also provide a self-service portal to employees and automatically recognize when a user stops using a SaaS tool, for example, and then de-provision those accounts to save on licensing cost.

“As the world has shifted from ‘bring your own device’ to ‘bring your own app’ and now ‘bring your own office,’ the challenge of shadow IT has only continued to compound. We’re very excited to partner with the Lumos team as they build the tool that can bring light to this darkness,” said Peter Levine, a general partner at Andreessen Horowitz.

As Lumos co-founder Andrej Safundzic told me, the idea for Lumos was born out of a privacy- and ethics-focused class he and his co-founder Leo Mehr took at Stanford (with Alan Flores-Lopez rounding out the co-founding team shortly after). That class, he said, made him realize how consumers may have password managers to secure their accounts but no easy way to manage the user accounts they likely have across hundreds of services.

“Then I looked at my phone — and my phone was beautiful, right? I have everything in my home screen,” Safundzic said. “I can delete what I want. I can go to settings and disable location sharing for Facebook. The App Store on Apple made this such a beautiful integrated platform. But if you look at the web, you have 100 websites, Figma, Airtable, Smartsheet — everything. So we just said: hey, let’s create that app store for the web.”

That’s still the long-term goal today, but to get started, the team decided to focus on companies because, Safundzic frankly admitted, that’s an easier business model.

Since most services have open APIs to allow Lumos to create and delete accounts, the team didn’t even need to build a partnership team to get started. The service integrates with existing IT systems, so tickets are still created to ensure everything is logged, but Lumos then orchestrates everything in the background. It supports services like Okta, OneLogin, Google and Azure AD for identity and access management and easy account provisioning for services like Zoom, Salesforce, AWS and Datadog. Like any modern service that focuses on workflows, it also integrates with Slack (with Teams support coming soon).

With Torii, BetterCloud, Intello and others, there are obviously quite a few SaaS management services on the market already. This is, after all, a massive problem for businesses. But the Lumos team argues that these are not end-to-end solutions and don’t offer all of the compliance, self-service and automation features its tool offers.

It’s worth noting that Safundzic has a bit of previous startup experience. Before co-founding Lumos, Safundzic built Tech4Germany, a GovTech startup that was acquired by the German Federal Chancellery.

Today, Lumos already has over 30 employees. Current users include the likes of BuzzFeed, Dialpad, Mixpanel, Skydio and Vox Media.

Astrix Security emerges from stealth to help organizations spot rogue third-party apps

Astrix Security, an Israeli cybersecurity startup that provides access management for third-party app integrations, has emerged from stealth with $15 million in funding.

The startup was co-founded in 2021 by CEO Alon Jackson and CTO Idan Gour, both former members of Israel’s famed intelligence division Unit 8200, to help organizations monitor and control the complex web of third-party apps connected to their critical systems.

The number of integrations used by organizations has increased dramatically over the past two years as a result of the widespread shift to remote working and, in turn, cloud-based environments. Astrix claims that while businesses are largely on top of managing user access to critical systems, the majority are falling short when it comes to managing API access, which is exposing them to a growing attack surface vulnerable to supply chain attacks, data spillage, and compliance violations. That’s why the startup developed Astrix Security, a platform that equips businesses with full integration lifecycle management.

“Current solutions provide a security score that helps you assess the security posture of apps you want to adopt. Others, such as NoName, look at API security, which focuses on the APIs that you develop and want others to consume,” Jackson, who served as head of R&D at Argus prior to founding Astrix, told TechCrunch. “We look at integrations that are done through third-parties; it could be your CRM on Salesforce or your intellectual property in GitHub. These are all systems that you did not develop, but you have API access enabled to them.”

Astrix Security provides organizations with an immediate inventory of all third-party connectivity to enterprise applications. It automatically detects changes and malicious anomalies within these integrations and low-code or no-code workflow configurations and provides real-time remediations.

This technology, Jackson claims, could have prevented organizations from becoming a casualty of the CodeCov hack last year, which saw attackers breach the company’s software auditing tool to gain access to hundreds of its customers’ networks.

“What happened is exactly what we are building for; the developer just added a new third-party connection on top of his code repository in GitHub. He removed it, but didn’t revoke the access, which led to their entire IP being sold on the dark web,” Jackson said.

Astrix Security is already in the hands of a number of global enterprise customers, spanning the technology, health tech, and automotive sectors. Jackson says the startup plans to use its $15 million seed investment, which was led by Bessemer Venture Partners and F2 Capital, with participation from Venrock and over 20 cybersecurity angel investors, to expand its current team of 20 and to bolster its go-to-market efforts.

Microsoft’s new Azure OpenAI Service brings GPT-3 to (a few) more developers

Microsoft today announced the launch of the Azure OpenAI Service, which, as the name implies, makes OpenAI’s machine learning models available on the Azure platform. Specifically, that means GPT-3, OpenAI’s groundbreaking language model that can, under the right circumstances, produce human-like text with just a few prompts.

There is a catch, though. At least for now, not all Azure users will get access to it (even if they are willing to pay). Access will be invitation-only and for “customers who are planning to implement well-defined use cases that incorporate responsible principles and strategies for using the AI technology.” Microsoft will offer safety monitoring and analysis to find cases of abuse or misuse of GPT-3 and it will offer filters to make sure your GPT-3-based chatbot doesn’t start swearing at your executives (even if GPT-3 thinks they deserve it).

It’s worth noting that OpenAI itself already made a GPT-3 API available last year, though there is still a waitlist. Microsoft, too, is already using GPT-3 to power GitHub’s Copilot tool that helps developers write code for them. But while there are already ways to access GPT-3 outside of Azure, Microsoft argues that it can offer “additional layers of security, access management, private networking, data handling protections or scaling capacity.”

Microsoft invested $1 billion in OpenAI back in 2019 and licenses GPT-3, so it’s no surprise that the company is trying to bring it to a wider range of products now.

“GPT-3 has really proven itself as the first powerful, general-purpose model for natural language — it’s one model you can use for all these things, which developers love because you can try things very easily,” OpenAI CEO Sam Altman said. “For a while now, we’ve wanted to figure out a way to scale it as broadly as possible, which is part of the thing that really excites us about the partnership with Microsoft.”

Airbyte launches a hosted version of its integration platform

Airbyte, the well-funded open source data integration startup, always made it easy for data teams to set up their ELT (extract, load and transform) pipelines, but until now, that meant self-hosting and managing the service, with all the complications that come with that. Today, the company announced the official launch of Airbyte Cloud, a hosted service that takes all of the features of the open source version and adds hosting and management, on top of a number of additional support options and enterprise features like access management for teams (though single sign-on support is currently still listed as “coming soon”).

Currently, more than 6,000 companies use Airbyte in some form or another. That’s up from only 250 at the end of January. Over the course of the year, the company has also taken on a seed and Series A round, for a total of just over $31 million in funding. The fact that there were only two months between the seed and Series A round is a pretty good indication of how hot this space is.

And talking about money, Airbyte also decided to mix up its pricing model a bit with Airbyte Cloud. Instead of volume-based pricing, which used to be somewhat of the norm of these kinds of services, the team decided to opt for charging for the compute time these jobs take.

Ideally, this takes away at least some of the friction that is often associated with these kinds of workloads. Traditionally, the Airbyte team argues, enterprises use multiple systems like Fivetran to connect to the most common API sources and internally developed scripts the data engineering teams build for their one-off use cases — and then a system for database replication on top of that.

“We wanted to really commoditize and solve the data integration problem,” Airbyte COO and co-founder John Lafleur told me when I asked about the pricing model. “The only way to do that is really through an infrastructure-type pricing model, like Snowflake: buy credits, consume these credits based on the hours of compute. At that point, because your database replication throughput is very high, it makes it possible. That’s why we went with compute.”

As Airbyte CEO and co-founder Michel Tricot added, this also means that businesses can now think about pricing for virtually all of their data services in the same compute-centric way.

Currently, Airbyte features about 130 connectors to services that range from consumer products like Instagram to BI systems like Google’s Looker and virtually every major database system. As the team noted, a lot of customers also use Airbyte’s open source code to build their own custom connectors. In addition, there are now also vendors who build connectors for their own customers and the team is looking at how it can incentivize its community to maintain connectors over time through the use of some form of revenue share.

ForgeRock files for IPO as identity and access management business grows

ForgeRock filed its form S-1 with the Securities and Exchange Commission (SEC) this morning as the identity management provider takes the next step toward its IPO.

The company did not provide initial pricing for its shares, which will trade on the New York Stock Exchange under the symbol FORG. The IPO is being led by Morgan Stanley and J.P. Morgan Chase & Co., with the company being valued as high as $4 billion, according to Bloomberg, which is a significant uplift over the $730 million post-money value that PitchBook had for the company after its last round in 2020.

With the ever-increasing volume of cybersecurity attacks against organizations of all sizes, the need to secure and manage user identities is of growing importance. Based in San Francisco, ForgeRock has raised $233 million in funding across multiple rounds. The company’s last round was a $93.5 million Series E announced in April 2020, which was led by Riverwood Capital alongside Accenture Ventures. At that time, CEO Fran Rosch told TechCrunch that the round would be the last before an IPO, which was also what former CEO Mike Ellis told us after the startup’s $88 million Series D in September 2017.

While the timing of its IPO might have been unclear over the last few years, the company has been on a positive trajectory for growth. In its S-1, ForgeRock reported that as of June 30, its annual recurring revenue (ARR) was $155 million, representing 30% year-over-year growth. 

While revenue is growing, losses are narrowing as the company reported a $20 million net loss, down from $36 million a year ago. There certainly is a whole lot of room to grow, as the company estimates the total global addressable market for identity services to be worth $71 billion.

Among the many competitors that ForgeRock faces is Okta, which went public in 2017 and has been growing in the years since. In March, Okta acquired cloud identity startup Auth0 for $6.5 billion in a deal that raised a few eyebrows. Another competitor is Ping Identity, which went public in 2019 and is also growing, reporting on August 4 that its ARR hit $279.6 million in its quarter ended June 30, for a 19% year-over-year gain. There have also been a few big exits in the space over the years, including Duo Security, which was acquired by Cisco for $2.35 billion in 2018.

“ForgeRock has a good access management tool and they continue to be a strong player in customer identity and access management (CIAM),” commented Michael Kelley, senior research director at Gartner.

Kelley noted that in 2020, ForgeRock converted most of its core access management services to a SaaS delivery model, which helped the company catch up with the rest of the market that already offered access management as SaaS. Also last year the company expanded into identity governance, introducing a brand new identity, governance and administration (IGA) product.

“I think one of the more interesting products that ForgeRock offers is ForgeRock Trees, which is a no-code/low-code orchestration tool for building complex authentication and authorization journeys for customers, which is particularly helpful in the CIAM market,” Kelley added.

ForgeRock was founded in 2010, but its roots go back even further to an open-source single sign-on project known as OpenSSO that was created by Sun Microsystems in 2005. When Oracle acquired Sun Microsystems in early 2010, a number of its open-source efforts were left to languish, which is what led a number of former Sun employees to start ForgeRock. 

Over the last decade, ForgeRock has expanded significantly beyond just providing a single sign-on to providing an identity platform that can handle consumer, enterprise and IoT use-cases. The company’s platform today handles identity and access management as well as identity governance.

The ability to scale is a key selling point that ForgeRock makes in the S-1, noting that its platform can handle over 60,000 user-based access transactions per second per customer. 

“As of June 30, 2021, we had four customers with 100 million or more licensed identities,” the company stated in the S-1. “Our ability to serve mission-critical needs in complex environments for large customers enables us to grow our base of large customers and expand within each of them.”

Microsoft’s cyber startup spending spree continues with CloudKnox acquisition

Microsoft has acquired identity and access management (IAM) startup CloudKnox Security, the tech giant’s fourth cybersecurity acquisition this year.

The deal, the terms of which were not disclosed, is the latest cybersecurity acquisition by Microsoft, which just last week announced that it’s buying threat intelligence startup RiskIQ. The firm also recently acquired IoT security startups CyberX and Refirm Labs as it moved to beef up its security portfolio. Security is big business for Microsoft, which made more than $10 billion in security-related revenue in 2020 — a 40% increase from the year prior.

CloudKnox, which was founded in 2015 and emerged from stealth two years later, helps organizations to enforce least-privilege principles to reduce risk and help prevent security breaches. The startup had raised $22.8 million prior to the acquisition, with backing from ClearSky, Sorenson Ventures, Dell Technologies Capital, and Foundation Capital. 

The company’s activity-based authorization service will equip Azure Active Directory customers with “granular visibility, continuous monitoring and automated remediation for hybrid and multi-cloud permissions,” according to a blog post by Joy Chik, corporate vice president of identity at Microsoft. 

Chik said that while organizations were reaping the benefits of cloud adoption, particularly as they embrace flexible working models, they often struggled to assess, prevent and enforce privileged access across hybrid and multi-cloud environments.

“CloudKnox offers complete visibility into privileged access,” Chik said. “It helps organizations right-size permissions and consistently enforce least-privilege principles to reduce risk, and it employs continuous analytics to help prevent security breaches and ensure compliance. This strengthens our comprehensive approach to cloud security.”

In addition to Azure Active Directory, Microsoft also plans to integrate CloudKnox with its other cloud security services including 365 Defender, Azure Defender, and Azure Sentinel.

Commenting on the deal, Balaji Parimi, CloudKnox founder and CEO, said: “By joining Microsoft, we can unlock new synergies and make it easier for our mutual customers to protect their multi-cloud and hybrid environments and strengthen their security posture.”

RSA spins off fraud and risk intelligence unit as Outseer

RSA Security has spun out its fraud and risk intelligence business into a standalone company called Outseer that will double down on payment security tools amid an “unprecedented” rise in fraudulent transactions.

Led by CEO Reed Taussig, who was appointed head of RSA’s Anti-Fraud Business Unit last year after previously serving as CEO of ThreatMetrix, the new company will focus solely on fraud detection and management and payments authentication services.

Outseer will continue to operate under the RSA umbrella and will inherit three core services, which are already used by more than 6,000 financial institutions, from the company: Outseer Fraud Manager (formerly RSA Adaptive Authentication), a risk-based account monitoring service; 3-D Secure (formerly Adaptive Authentication for eCommerce), a card-not-present and digital payment authentication mapping service; and FraudAction, which detects and takes down phishing sites, dodgy apps and fraudulent social media pages.

Outseer says its product portfolio is supported by deep investments in data and science, including a global network of verified fraud and transaction data, and a risk engine that the company claims delivers 95% fraud detection rates.

Commenting on the spinout, Taussig said: “Outseer is the culmination of decades of science-driven innovation in anti-fraud and payments authentication solutions. As the digital economy continues to deepen, the Outseer mission to liberate the world from transactional fraud is essential. Our role as a revenue enabler for the global economy will only strengthen as every digital business continues to scale.”

RSA, meanwhile, will continue to focus on integrated risk management and security products, including Archer for risk management, NetWitness for threat detection and response, and SecurID for identity and access management (IAM) capabilities.

The spinout comes less than a year after private equity firm Symphony Technology Group (STG), which recently bought FireEye’s product business for $1.2 billion, acquired RSA Security from Dell Technologies for more than $2 billion. Dell had previously acquired RSA as part of its purchase of EMC in 2016.

It also comes amid a huge rise in online fraud fueled by the COVID-19 pandemic. The Federal Trade Commission said in March that more than 217,000 Americans had filed a coronavirus-related fraud report since January 2020, with losses to COVID-linked fraud totaling $382 million. Similarly, the Consumer Financial Protection Bureau fielded 542,300 fraud complaints in 2020, a 54% increase over 2019.

RSA said that with the COVID-19 pandemic having fueled “unprecedented” growth in fraudulent transactions, Outseer will focus its innovation on payments authentication, mapping to the EMV 3-D Secure 2.x payment standard, and incorporating new technology integrations across the payments and commerce ecosystem. 

“Outseer’s reason for being isn’t just focused on eliminating payments and account fraud,” Taussig added. “These fraudulent transactions are often the pretext for more sinister drug and human trafficking, terrorism, and other nefarious behavior. Outseer has the ability to help make the world a safer place.”

Valuation information for Outseer was not disclosed, nor were headcount figures mentioned in the spinout announcement. Outseer didn’t immediately respond to TechCrunch’s request for more information. 

Cycode raises $20M to secure DevOps pipelines

Israeli security startup Cycode, which specializes in helping enterprises secure their DevOps pipelines and prevent code tampering, today announced that it has raised a $20 million Series A funding round led by Insight Partners. Seed investor YL Ventures also participated in this round, which brings the total funding in the company to $24.6 million.

Cycode’s focus was squarely on securing source code in its early days, but thanks to the advent of infrastructure as code (IaC), policies as code and similar processes, it has expanded its scope. In this context, it’s worth noting that Cycode’s tools are language and use case agnostic. To its tools, code is code.

“This ‘everything as code’ notion creates an opportunity because the code repositories, they become a single source of truth of what the operation should look like and how everything should function,” Cycode CTO and co-founder Ronin Slavin told me. “So if we look at that and we understand it — the next phase is to verify this is indeed what’s happening, and then whenever something deviates from it, it’s probably something that you should look at and investigate.”

The company’s service already provides the tools for managing code governance, leak detection, secret detection and access management. Recently, it added features for securing code that defines a business’ infrastructure; looking ahead, the team plans to add features like drift detection, integrity monitoring and alert prioritization.

“Cycode is here to protect the entire CI/CD pipeline — the development infrastructure — from end to end, from code to cloud,” Cycode CEO and co-founder Lior Levy told me.

“If we look at the landscape today, we can say that existing solutions in the market are kind of siloed, just like the DevOps stages used to be,” Levy explained. “They don’t really see the bigger picture, they don’t look at the pipeline from a holistic perspective. Essentially, this is causing them to generate thousands of alerts, which amplifies the problem even further, because not only don’t you get a holistic view, but also the noise level that comes from those thousands of alerts causes a lot of valuable time to get wasted on chasing down some irrelevant issues.”

What Cycode wants to do then is to break down these silos and integrate the relevant data from across a company’s CI/CD infrastructure, starting with the source code itself, which ideally allows the company to anticipate issues early on in the software life cycle. To do so, Cycode can pull in data from services like GitHub, GitLab, Bitbucket and Jenkins (among others) and scan it for security issues. Later this year, the company plans to integrate data from third-party security tools like Snyk and Checkmarx as well.

“The problem of protecting CI/CD tools like GitHub, Jenkins and AWS is a gap for virtually every enterprise,” said Jon Rosenbaum, principal at Insight Partners, who will join Cycode’s board of directors. “Cycode secures CI/CD pipelines in an elegant, developer-centric manner. This positions the company to be a leader within the new breed of application security companies — those that are rapidly expanding the market with solutions which secure every release without sacrificing velocity.”

The company plans to use the new funding to accelerate its R&D efforts, and expand its sales and marketing teams. Levy and Slavin expect that the company will grow to about 65 employees this year, spread between the development team in Israel and its sales and marketing operations in the U.S.