Cycode is a well-funded startup that offers an end-to-end application security posture management platform — that is, a tool that continuously scans code (and the libraries it relies on) for potential security vulnerabilities throughout the software development life cycle and then helps remediate those issues. Today, the company announced that it has acquired Bearer, a static application security testing (SAST) startup that focuses on making the developer experience as smooth as possible while still providing them with essential security feedback. With its recently launched AI assistant, Bearer also bet on generative AI to suggest code fixes and explain vulnerabilities.
Bearer raised an $8 million seed round led by Alven in 2022. Cycode has raised over $81 million in funding so far, including a $56 million Series B round in 2021. That’s what put the company in a position to make today’s acquisition, though the two companies did not disclose the price.
As Cycode co-founder and CEO Lior Levy told me, this acquisition now provides the company with all of the capabilities it needs to become a full-fledged application security platform. Like so many startups, that’s not necessarily what the team was focused on when Cycode first launched. At the time, Cycode was one of the earlier players in the software supply chain space. Today, the company addresses a far wider range of attack vectors.
“Day one, we were focused on what we wanted to build around software supply chain security,” he told me. “But then, as time progressed, we realized that there was additional value that we needed to capture. It’s the right approach to become a platform and this is what we’ve heard from customers. So we adopted and addressed those needs.”
The Cycode and Bearer teams first started talking last August and stayed in touch after that. According to Levy, it was Dor Atias, Cycode’s co-founder and VP of R&D, who realized that Bearer’s technology would nicely complement — and complete — the larger startup’s existing solution. “Our mission is to be a complete platform,” Atias said. “The missing part was a SAST tool that can be fast and connected easily to the Cycode platform. And the Bearer team invested a lot in the brain of the SAST engine — not only the rules and stuff like that — but the engine itself. I tested it a few times and saw that it could be integrated easily.”
And that’s what the Cycode team has already done, even though the deal only closed last week. Now, Atias said, the team is looking at how it can bring that Bearer engine to other parts of the platform, too. That includes some of Bearer’s AI solutions as well, including its remediation capabilities. Levy believes that using AI to fix issues before they even go into the source control is something akin to the “secret sauce for security” and will help reduce the burden on developers and security teams.
Cycode co-founder Ronen Slavin, the company’s CTO, also noted that this acquisition fits in well with the company’s focus on both putting security and the developer experience first. “Developers were not hired to fix security issues,” he said. “They get frustrated and they end up with false positives. Bearer has the highest rate of precision in terms of the rate of false positives. In terms of GenAI, one of the components is the context for the remediation that developers get that they wouldn’t get otherwise, which is also tied to the improved experience.”
While Bearer still exists as a stand-alone product for now, Cycode plans to move its customers over to its platform over time.
“We are thrilled to be joining forces with Cycode, a company that shares our vision for making developer security a team sport,” said Bearer CEO Guillaume Montard. “This union marks a critical milestone in our journey, amplifying our reach and impact to the world’s best security and development teams. Together, we’re set to continue redefining the standards of the complete approach to application security posture management.”