r2c raises $27M to scale its security-focused code analysis service

This morning r2c, a startup building a SaaS service around the Semgrep open-source project, announced that it has closed a $27 million Series B. Felicis led the round, which the company said was a pre-emptive deal.

Prior investors firms Redpoint and Sequoia also participated in the fundraising event; r2c last raised a $13 million Series A in October of 2020.

The startup fits into several trends that TechCrunch has explored in recent quarters, including what appears to be a growing number of open-source (OSS) grounded startups raising capital, more rounds coming to exist thanks to investors looking to get the jump on inside rounds before they can form.

On the OSS point, r2c works with Semgrep, which the company likens to a “code-aware grep.” Still confused? Don’t worry, this is all a bit technical, but interesting. Grep is a tool for searching through plain-text that has been around for decades. Semgrep is related, but focused on finding things inside of written code.

Given the sheer volume of code that is written daily in the world, you can imagine that there is an ever-rising demand for finding particular bits of text quickly; Semgrep is an evolution of the original project, that was initially built inside of Facebook.

Per r2c CEO Isaac Evans, however, the project failed to attract much awareness. His startup has built what Evans described to TechCrunch has the “canonical” Semgrep fork, or version, and has crafted a software service around the code to make it easier for other companies to use.

The r2c team, via the company.

There are many ways to generate revenue from open-source software. Two popular monetization routes are througuh support services or offers to host particular projects. But, R2c is a doing something a bit different. The startup sells a monthly, per-developer subscription (SaaS) that packages a broad set of security-focused rules across different coding languages, allowing companies to easily check their own software for possible security issues.

Or as Evans succinctly explained it, r2c offers something akin to application security in a box.

Focusing on cybersecurity is a reasonable tack for the company. Given the ever-growing number of breaches that the public endures, helping companies leak less data, and suffer fewer intrusions is big business.

You don’t have to pay r2c, however. Semgrep is OSS and the rules associated with various languages are available under a LGPL license — more on that definition here. Developers could build their own version of what the company offers. But, Evans argued, it won’t be ready to help you pick which rules you may want to apply to your code, something that his company is happy to help with for a fee.

From a wide lens, r2c fits into the developer tools category. It is content to land and expand inside of companies, perhaps allowing it a lower cost of acquiring customers than we see at some SaaS startups. But that doesn’t mean that the company won’t go to market to sell its service. Per Evans, the startup has historically underinvested in marketing, something that it may now be able to focus more on thanks to its recent financing.

It is not uncommon to see companies with technically-minded founders initially spend too little on the sales and marketing parts of operating a software business. But our impression after discussing the company’s plans with Evans is that r2c intends to get that part of its house in order.

Evans told TechCrunch that his company took aboard more cash because it doesn’t want to build the best search tool for, say, the C programming language. It wants to go broad, fusing what the CEO described as the “customizability of Semgrep” and wide language support.

Let’s see how quickly the company can staff up, bolster its marketing efforts, and take on enterprise clients. Raising a Series C puts the company somewhere past its startup adolescence, so from here on out we can pester the company for concrete growth numbers.