Ideally, when it comes to building secure applications, it’s best to check the code as it moves through the development process, so that vulnerabilities can be found before it gets into production. That’s exactly the kind of solution that Semgrep, formerly r2c, a San Francisco startup, has been building over the last five years.
Today, the company announced it has raised a $53 million Series C. What’s more, in a time where VC dollars are much harder to come by, they weren’t even looking for this funding. The investors approached them, according to company CEO and founder Isaac Evans.
The company’s solution combines open source with a SaaS offering. “So we have two things that are open source: we have this engine, which is kind of like a Google search for code. You write rules for it, and then [the code] runs through the engine, and then that tells you, ‘hey, this specific line has an issue,’” he said.
But they don’t stop there. “But then the rules themselves are also available under a free license. So you’ve got both the engine and the rules that combined deliver a tremendous amount of value to a lot of people, much more so than many of our competitors. And then we also have a vertically integrated SaaS solution that sits on top of that,” Evans explained.
Semgrep shows developers’ security errors in the code. Image Credits: Semgrep
Evans said when the company launched in 2017, he had this vision of doing something like this and set out to build it, but they were having trouble building something specifically for developers. It wasn’t until he hired Yoann Padioleau, a former Facebook engineer the following year, who pointed out that there was an open source product out there that did what they were trying to do.
“He was like, ‘hey the product that you’re building reminds me of this thing that I built at Facebook.’ So you know, we didn’t even actually realize when we hired him that he had built this thing.”
Evans said he wasn’t actually ready to hear it, but when Padioleau presented it to the company soon thereafter they knew he was onto something. “And so at the next hackathon, like a week later, he polished it up and showed us how it could work, added support for a modern language like Python, because it only supported PHP from the Facebook era, and we were at least smart enough to admit that we were wrong,” he said.
That moment was key for the company and they would go onto release the open source version at the end of 2020, and today the open source tooling has around 2 million users. The company’s revenue-producing products grew 7.5x last year, so it appears that the products have resonated with the developers they were trying to reach, and the security teams who want to keep the code base safe.
Today, the company has 90 people with plans to add around 50 more this year. He says he thinks about building a diverse team and it requires taking a slower, more deliberate approach to hiring, but it’s one he’s been willing to do.
“The thing that I’ve learned is that there’s this trade-off where if you want to go fast, you can use in-referral, in-network hires, and that will make you go faster, but it tends to result in less diversity across the team,” he said. His preference is to take the extra time and look outside of the easy channels to look for candidates who aren’t as well connected.
Evans says that he wasn’t planning on fundraising quite yet and he got an offer he couldn’t refuse. “We had not been planning to fundraise until the summer. We had plenty of runway, but we got preempted and we had a very attractive offer on the table. And we knew that having the cash in the bank would also allow us to be more aggressive in terms of [balancing product development with more go-to-market activities],” he said.
Today’s round was led by Lightspeed Venture Partners with participation from previous investors Felicis Ventures, Redpoint Ventures and Sequoia Capital. The company has now raised a total of $93 million.