Cloudsmith raises $72 million in funding as AI proliferation drives demand for supply chain security


Startup Cloudsmith, which manages software components, has attracted $72 million in new investment, approximately 106.38 billion KRW. Against the backdrop of the rapid proliferation of open source and artificial intelligence development, demand for “software supply chain security” is growing steadily, and that demand is considered the key driver behind this round.

This Series C funding was led by TCV. TCV was also the largest investor in Cloudsmith’s previous funding round last year. Existing investors as well as Insight Partners participated in this round. As a result, Cloudsmith’s total external funding has exceeded $110 million.

Headquartered in Belfast, Northern Ireland, Cloudsmith offers a cloud platform that lets development teams centrally manage the application components and files they use. Simply put, it functions as an enterprise storage and verification platform, consolidating the management of “software assets” such as open source projects, configuration scripts, AI models, operating system files, and more.

The service has attracted attention because enterprise environments are becoming increasingly complex. Developers download required components not only from GitHub but also from multiple external repositories; AI models, for example, are often obtained from independent platforms like Hugging Face. From a security management perspective, the problem is that verifying whether each of these external elements meets cybersecurity standards, one at a time, is time-consuming and costly.

Cloudsmith focuses on alleviating this burden. Its design philosophy is that administrators do not need to monitor external repositories scattered across multiple sites separately; instead, they can manage components uniformly within the platform. Its key feature is that it handles not only simple code storage but also various kinds of “artifacts,” a term that covers every type of file used in a software project.

Integrating container and AI model checks

Cloudsmith also supports storage of software containers. A container may contain dozens or more individual artifacts, each of which can pose a security risk. To reduce this complexity, the company automatically generates a “software bill of materials” (SBOM) for each container. An SBOM is a document that lists the components that make up a specific piece of software or working environment.

Security inspection features have also been enhanced. Before making open source components available for download, Cloudsmith first checks them for known vulnerabilities. The risk level of each vulnerability is assessed using a framework called the “Exploit Prediction Scoring System” (EPSS), a standard that estimates the likelihood that attackers will actually exploit the vulnerability within the next 30 days.

The company states that it also detects issues beyond vulnerabilities. For example, it identifies license terms that could burden a software project, which means it can filter out license risks that could directly affect enterprise services, such as conditions prohibiting commercial use.

AI development expansion drives supply chain security demand

Cloudsmith’s clients can also build automated strategies on the data discovered on the platform, for example automatically blocking open source components that carry high-risk vulnerabilities. These automated workflows are written in a dedicated policy language called “Rego,” which is often used in cloud infrastructure configuration.
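To illustrate the kind of automated gate described above, here is an added example of a Rego policy (written for this page, not Cloudsmith’s own policy or its actual input schema) that blocks a package when any of its vulnerabilities exceeds an EPSS threshold or when it carries a disallowed license. The `input` document shape, the threshold and the license denylist are all assumptions made for the example.

```rego
package supplychain.gate

import rego.v1

# Assumed input document (constructed for this example, not Cloudsmith's schema):
# {
#   "package": {"name": "example-lib", "version": "1.4.2"},
#   "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "epss": 0.42}],
#   "licenses": ["MIT", "CC-BY-NC-4.0"]
# }

# EPSS is a probability of exploitation in the next 30 days; 0.10 is an
# example cut-off chosen here, not a recommended or vendor default value.
epss_block_threshold := 0.10

# Example denylist: licenses whose terms (e.g. no commercial use) the
# organisation has decided it cannot accept in shipped services.
blocked_licenses := {"CC-BY-NC-4.0", "SSPL-1.0"}

# Rule 1: any vulnerability whose EPSS score reaches the threshold blocks the package.
deny contains msg if {
	some v in input.vulnerabilities
	v.epss >= epss_block_threshold
	msg := sprintf("%s@%s blocked: %s has EPSS %.2f (threshold %.2f)",
		[input.package.name, input.package.version, v.id, v.epss, epss_block_threshold])
}

# Rule 2: any license on the denylist blocks the package.
deny contains msg if {
	some lic in input.licenses
	lic in blocked_licenses
	msg := sprintf("%s@%s blocked: license %s is not permitted",
		[input.package.name, input.package.version, lic])
}

# The package is released only when no deny rule produced a message.
allow if count(deny) == 0
```

Evaluating `data.supplychain.gate.deny` against the constructed input above yields two messages (one for the EPSS score of 0.42, one for the CC-BY-NC-4.0 license), so `allow` is false and the package would be held back.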

CEO Glenn Weinstein said, “AI agents are generating vast amounts of software at an extremely fast pace, making it almost impossible for humans to review each one carefully. With its ability and scalability to comprehensively examine the entire open source ecosystem, Cloudsmith can protect enterprises from new threats brought by AI-led development.”

Cloudsmith plans to use the raised funds for future feature upgrades, focusing in particular on strengthening cybersecurity controls and AI-based automation. The market generally believes that the faster AI development accelerates, the more important the “supply chain security” platforms supporting it will become.

TP AI Notice: This article uses the TokenPost.ai basic language model for summarization. The main content may be incomplete or inconsistent with facts.
