December 4, 2023

Fortifying modern application security and vulnerability management: Why we invested in ArmorCode


Today, we are happy to announce our investment in ArmorCode, an emerging leader in the application security and vulnerability management space. We have been following Nikhil Gupta's journey for over two years and we are in awe of Nikhil and his team's drive to build a category-defining product. We believe that ArmorCode has reached a critical inflection point and are proud to invest in their $40M Series B round along with HighlandX, and existing investors Ballistic Ventures, Cervin Ventures, and Sierra Ventures.

Application Security – Now and then

Software is increasingly becoming a core competency for business continuity. Enterprises have recognized 'cycle time' (time from feature ideation to delivery) as a critical parameter for revenue improvement and competitiveness. This recognition has led to high-velocity release cycles and the growing complexity of software environments. Enterprises have adopted new tooling to test, track, and secure software and infrastructure assets throughout the development and deployment lifecycle. The previous generation of AppSec tools was limited to static code security and was designed for low-velocity release cycles. The push towards high-velocity release cycles has created a pressing need for securing the entire software supply chain, resulting in a complex tool chain. While the number of application security testing and infrastructure monitoring tools has grown substantially over the last decade, the ratio of security engineers to developers has remained relatively constant.

Without a comprehensive view of the deployment architecture and complete visibility into vulnerabilities across the sprawl of application, infrastructure, and cloud testing tools, security teams often face alert fatigue, struggling to understand the security posture of their software products. The disconnect between development and security teams leads to fragmented and ineffective software security programs. The need to unify and prioritize vulnerabilities across applications and infrastructure assets at scale with a focus on remediating critical issues continuously is a pain point felt by both development and security teams.

The current wave of security tools like ArmorCode reflects a broader shift in the industry towards a more integrated and continuous approach to software security. This new generation of software security tools needs to balance the security team's need to prioritize effectively with the development team's need to push secure code rapidly in highly complex environments. They serve as a control plane over scanners, pen test tools, API security tools, and various attack surface management tools and provide capabilities such as risk-based correlation and vulnerability management, tight integration with DevSecOps workflows, and a highly configurable view of all the tools contributing to effective and coherent software security programs.

Investing in ArmorCode

When we first met Nikhil two years ago, we'll be honest - this tectonic shift wasn't obvious to us. But as we spoke to more and more security practitioners, it became clear to us that just like Security Incident and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR) became table stakes in the SoC (Security Operations) world, there is a growing white space that needs to be addressed in the software security world. This led us to build conviction in the category and we are proud to back ArmorCode for three key reasons:

An excellent team in the making: Like any venture investment, it all starts with the team. Nikhil is a force of nature and brings a rare combination of strong technology leadership and commercial skills. We have consistently been impressed by his strong work ethic and ability to surround himself with experienced team members. When it comes to company building, Nikhil thinks 10 steps ahead and is extremely thoughtful about bringing on board the right talent at the right time.

A crystal-clear understanding of enterprise pain points: There are different ways to tackle the new wave of software security problems. We have seen solutions that offer the next generation of scanners to solutions that embed themselves deeply into cloud-native workflows. While some of these approaches are ideal for de novo software development, most enterprises have varied environments (on-prem, delivered through the cloud, cloud-native, etc.). We found that of all the different entry points into this market, orchestration capabilities had the strongest resonance among enterprise buyers. Enterprise security and product teams truly appreciate ArmorCode's ability to go wide with 200 integrations. ArmorCode offers best-in-class orchestration capabilities and can integrate across security tools to de-dupe, correlate, and orchestrate findings, delivering holistic visibility, agility, and collaboration across all levels of an organization. ArmorCode has taken a unique platform approach to solving this problem, which we believe provides a more holistic solution to address software security challenges. It is holistic as it unifies application security, infrastructure vulnerability management, and supply chain security as opposed to traditional application security tools that look at each of these challenges in silos.

Without a solution like ArmorCode, security leaders have trouble answering basic questions like a) what are the top business-critical risks in production right now? b) how many microservices and endpoints could be exploited? c) are my development teams working on the most critical business risks? The platform has built capabilities that let them quickly integrate with any scanning tool across application security, infrastructure vulnerability management, and supply chain security, including custom tools standard at large enterprises. They can also integrate with workflow management tools like Jira and ServiceNow to close the loop on security vulnerabilities that must be addressed. To date, ArmorCode has captured over 4B+ findings which will help them progress toward adding unique value through AI.

Fast-growing customer base: The ArmorCode team has been able to marry their laser-sharp focus on the large enterprise customer base with strong execution over the last 18 months, resulting in best-in-class growth despite the tough macro environment. With top enterprise customers in industries such as Media and Entertainment, Hotels, Industrial Controls, Healthcare, Consulting, etc., ArmorCode has designed its offering to cater to development and security teams on different legs of their cloud journey. We believe this sharp focus on the enterprise segment will help them continue to drive growth in the future.

The future of application security is here, and it is continuous, unified, and relentlessly proactive. We are excited to partner with the ArmorCode team in the next leg of their journey as they look to scale their enterprise GTM motion. We believe ArmorCode is a fantastic addition to our existing cybersecurity portfolio which includes Security Scorecard, Immuta, Akeyless, and Perception Point. Congratulations to the ArmorCode team and welcome to the NGP family!

If you have thoughts on the space or are building the next big thing in cybersecurity, please reach out to divya@ngpcap.com or eric@ngpcap.com.