Cycode announced a $20 million Series A round led by Insight Partners,
with participation from seed investor YL Ventures.
The new funding brings total investment to $25 million
and positions Cycode to accelerate growth into securing enterprise DevOps tools
such as source control management systems, build systems and cloud infrastructure.

In addition to the Series A funding, Cycode also announced the signing of new
customers including Grubhub, Databricks, Flexport, Rapyd, Copart and Cobalt. Further,
Cycode has hired Dor Atias as VP of R&D, Tom Kennedy as VP of Sales and
Andrew Fife as VP of Marketing.

As the Software Development Lifecycle (SDLC) has become faster and more automated,
slow application security processes have often been deprioritized in favor of
new feature velocity. Additionally, many of the new tools that drive the
automation and efficiency in application development have opened up new attack
surfaces and created new security challenges. The adoption of Everything as
Code means attacks no longer have to start in production. In development,
gaining access to source control management systems enables code tampering,
finding passwords to critical systems and modifying cloud configurations
(through code) to allow unauthorized access.

"Modernizing the SDLC has created new security gaps that attackers are readily exploiting,"
said Ronen Slavin, CTO and co-founder of Cycode. "Recent supply chain attacks
like SolarWinds and Codecov, major source code leaks from Microsoft and Nissan,
and attacks targeting developers like Sawfish and XcodeSpy demonstrate that the
battlefield is already shifting."

Cycode protects DevOps tools such as source control management systems, build systems,
registries and cloud infrastructure. The solution addresses multiple layers of
security, including access and authorization, security configurations,
compliance and scanning engines. This enables customers to identify code
tampering, code leakage, hardcoded secrets, Infrastructure as Code (IaC)
misconfigurations, excess privileges and more, all from a single platform.

To ensure customers never have to choose between security and speed, Cycode provides
workflows to automate remediation. Customers can also seamlessly integrate
remediation into their developers' workflows via pre-built integrations with
pull requests, alerting and ticketing systems.

"As the leading Pentest as a Service company, our internal security has always been
paramount," said Ray Espinoza, CISO at Cobalt. "Cycode has saved us a massive
number of hours hardening our source control management system, enforcing
security configurations and preventing secrets from entering our code. Plus, by
plugging seamlessly into our developers' workflows, our team adopted Cycode
right away."

Today, Cycode launches its knowledge graph to derive security insights from the
rapidly increasing volumes of data and alerts that are overwhelming security
teams. Through an agentless architecture, Cycode collects asset information and
user activity from DevOps tools, infrastructure and security scanners, which is
then mapped in its knowledge graph. By correlating events across the SDLC,
Cycode's knowledge graph creates contextual insights, helps prioritize
remediation, reduces false positives and ensures the integrity of the pipeline
to prevent code tampering incidents, such as the breaches at SolarWinds and
Codecov.

"The problem of protecting CI/CD tools like GitHub, Jenkins and AWS is a gap for
virtually every enterprise," said Jon Rosenbaum, principal at Insight Partners,
who will join Cycode's board of directors. "Cycode secures CI/CD pipelines in
an elegant, developer-centric manner. This positions the company to be a leader
within the new breed of application security companies -- those that are
rapidly expanding the market with solutions which secure every release without
sacrificing velocity."

"With these new funds, part of the focus will naturally be on expanding sales and
marketing efforts," said Lior Levy, CEO and co-founder of Cycode. "What I'm
really excited about is expanding Cycode's platform with even more integrations
into CI/CD and security tools to increase the power of our knowledge graph.
Furthermore, we're releasing a low-code query engine and a knowledge-sharing
community that will enable security teams without development expertise to
leverage the full power of the graph."