Thesis
Software and software developers are becoming essential across every industry. As businesses speed up their digital transformation efforts, security threats and attacks become more prominent. The number of vulnerabilities found in production code reached a record high for the fifth consecutive year in 2021. One study shows that 67% of developers have shipped code with known vulnerabilities. The study’s authors suggest developers lack the knowledge to detect and fix issues.
Meanwhile, there continues to be a shortage of developers globally. There were 26.9 million developers in 2021 and there will be an expected 28.7 million by 2024, but demand exceeds supply. Despite this growth, the global shortage of developers will increase from 1.4 million in 2021 to 4 million in 2025.
Snyk’s platform detects security weaknesses and automates the process of fixing them. its platform enables developers to focus more on improving product functionality. The rising DevSecOps movement acts as a favorable backdrop for Snyk. The company has the potential to become a market leader for developer security.
Founding Story
The company was founded in 2015 by Guy Podjarny, Assaf Hefetz (CTO), and Danny Grander. The CEO, as of July 2023, is Peter McCkay, who began his tenure in 2019.
Prior to founding Snyk, Guy Podjarny had previously co-founded and sold Blaze (a web performance startup) to Akamai and became the CTO of the latter. Assaf Hefetz had been the Director of Technology and Innovation at Supercom and CTO of Snyk until May 2022, when Adi Sharabani replaced him. Before co-founding Snyk, Danny Grander was the CTO of Cognyte (acquired by Verint Systems). They all previously worked in the cyber and intelligence division of the Isreal Defence Force (IDF) cyber and intelligence division (Unit 8200).
Through his initial DevOps experience with Akamai, Guy Podjarny was determined to take a similar developer-first approach to the cybersecurity space. He quit his CTO role in Akamai and embarked on a journey with his former IDF colleagues to build Snyk with the mission to “empower businesses to develop fast and stay secure.”
In July 2019, Guy Podjarny stepped down from the CEO role at Snyk but remained President and Chair of the Board and is helping with the “vision, strategy, and community leadership of the company.” He was replaced by Peter McKay, who has been an investor and board member since 2016. McKay has over 20 years of experience working with startups, including two acquired by IBM and VMWare.
Snyk has over 1.3K employees as of July 2023 working in offices across the globe. Here is a timeline of some of Snyk’s key milestones:
Source: Contrary Research, Snyk
Product
Open-source projects have seen a meteoric rise in the decade of Snyk's founding. About 96% of applications include at least one open-source software component. However, open-source also increasingly presents costly security risks for enterprises. According to one study, 84% of codebases contain at least one open-source vulnerability.
Traditionally, software was not tested for vulnerabilities, and other issues like misconfiguration and license compliance, until the later stages of development (a process done by security teams). The traditional workflow usually creates tensions between developers who want to ship applications as fast as possible and the security teams tasked with securing the software. The discrepancy between developers and security teams creates bottlenecks and long delays.
To mitigate bottlenecks and delays, developers and security teams began embedding security testing practices into the early stages of the software development lifecycle, calling it Shift Left Security. Shift Left Security empowers developers and security teams to detect and fix security issues and vulnerabilities earlier in the development process.
Companies like Snyk were born out of the adoption of Shift Left Security practices. Snyk connects to the DevOps pipeline to scan for and fix any vulnerabilities, bugs, and compatibility issues across open-source dependencies, proprietary code repositories, third-party libraries, packages, containers, and cloud infrastructures. Snyk’s platform enables development and security teams to ship applications without jeopardizing security or slowing down the development cycle.
Source: Momentum Cyber
Products
Snyk Open-Source
Snyk Open-Source is a tool for detecting vulnerabilities in open-source codebases and suggesting actionable fixes to developers. Snyk released the product in 2015 as its first and flagship product.
The company also acquired FossID in 2021 to expand the capabilities of Snyk Open-Source to license compliance and security scanning for C/C++ packages.
Snyk Code
Snyk Code assists developers in finding and fixing security flaws in their proprietary codebases. Snyk released Snyk Code in early 2021 after acquiring Deepcode (a code parsing software) in October 2020. Deepcode used AI to provide real-time semantic code analysis, and Snyk integrated Deepcode’s AI engine into its security products.
Snyk Container
Snyk Container helps monitor container-based systems and workloads for vulnerabilities. The product also helps teams to prioritize the highest priority risks. As of July 2023, the company claims Snyk Container has fixed "tens of millions" of container vulnerabilities.
Snyk Infrastructure as Code (IaC)
Development teams misconfigure their software deployments on platforms like Terraform, AWS CloudFormation, Azure Resource Manager, and Google Cloud Deployment Manager. Snyk Infrastructure as Code (IaC) enables development teams to fix IaC misconfigurations. IaC misconfiguration can lead to security problems such as exposing sensitive data.
Snyk Cloud
In July 2022, Snyk announced Snyk Cloud with a focus on cloud security, a product that competes with the likes of Palo Alto Networks, Wiz, and others. In early 2022 Snyk acquired Fugue and built its cloud security offering around that existing product. Now developers will not only be able to secure their code before deployment (e.g. Snyk Code, etc.) but also engage in a feedback loop around security within its cloud environment.
Market
Customer
Snyk’s primary users are developer teams looking for application and security testing early in the development cycle. They can use Snyk instead of leaving security testing for security teams to deal with at the end of the development cycle.
Developers usually start with the free tier of Snyk with limited monthly tests for each product before upgrading to the paid tier. Over 2.5K customers are working with Snyk, including Google, Intuit, MongoDB, New Relic, Revolut, Segment, and Salesforce.
Market Size
Snyk is riding “Shift Left” security trends and the adoption of developer security practices in DevSecOps.There were 26.9 million developers in 2021 and there will be an expected 28.7 million by 2024, but demand exceeds supply. Despite this growth, the global shortage of developers will increase from 1.4 million in 2021 to 4 million in 2025.
Using an annual price of $624 per developer for Snyk’s Team tier, the 2021 total addressable market for the company is roughly $17 billion. That opportunity only increases as Snyk tackles other opportunities within DevSecOps.
The launch of Snyk Cloud further expands the size of this market as Snyk Cloud is not exclusively sold to developers, but impacts the overall efforts of a Chief Information Security Officer (CISO). Peter McKay, the CEO of Snyk, described the opportunity for Snyk Cloud this way:
“Snyk’s developer-first approach disrupted the application security industry and we’re now aiming to apply many of those lessons learned to the fastest growing segment of cybersecurity today: cloud security. Predicted to be worth $77.5 billion by 2026, this is an area ripe for change. Today’s news represents another important milestone for the developer security movement, and we look forward to the industry’s response to our vision of uniting AppSec and CloudSec teams to secure today’s apps more efficiently.”
Competition
Snyk faces competition across the different pillars of its product offerings.
For instance, Aqua offers a suite of similar solutions from container and Kubernetes security to source code and open-source scanners. Snyk Open-Source competes against Mend, a company automating open-source security and compliance, and Snyk Code competes with Veracode and GitHub. Veracode offers cloud-based intelligence and security verification services, and GitHub launched Dependabot for checking outdated dependencies in code repositories. Palo Alto Networks is also competing in the IaC security market after they acquired Bridgecrew, a company offering code-to-cloud security coverage with native developer integrations.
On the other hand, the launch of Snyk Cloud puts the company in competition against other cloud security platforms like Palo Alto Networks, Wiz, Orca Security, and others. The competitive landscape in cloud security will likely hinge on whether shift-left continues to put the emphasis on cloud security on the developer or the CISO. More established cloud security platforms are much less developer-centric than Snyk.
One major differentiator for Snyk is the developer experience it offers. Developers often have specific preferences for the way their tools interact with each other. The ability for Snyk to work well within their existing workflows will be critical. For example, Snyk doesn’t prevent developers from shipping code with vulnerabilities, it simply informs them that they exist, how to remediate them, and how severe they are. By doing that Snyk doesn’t add unnecessary friction to the development lifecycle.
Another significant differentiator for Snyk is its vulnerability database which provides up-to-date threat disclosures and security fixes across languages and open-source libraries. The database empowers developers to investigate libraries for vulnerabilities and how to fix them before using them to build applications. This also creates a network effect where developers have more advantages from working with Snyk because they’re seeing vulnerabilities across a much wider spectrum of projects.
Business Model
Synk employs a freemium business model with two subscription plans and one free tier with limited monthly tests. The company charges by developer seats.
All subscription models offer essential features like unlimited code, open-source, container and IaC tests, license compliance, integration to Jira, and cloud source code management tools such as GitHub, GitLab, and Bitbucket. Customers can integrate with their own self-hosted source code management tools and container registers in the custom Enterprise plan.
Traction
Snyk has over 2.2 million developers on its platform and was generating an estimated $217 million in ARR by the end of 2022. The company claims to have grown its top line by 4X in 2019, 200% in 2020, 150% in 2021, and 100% in 2022, while also having a net revenue retention rate of over 130% as of December 2022. The number of paid customers increased from 700 in March 2021 to over 2.5K in April 2023. In 2021, the Gartner Magic Quadrant for Application Security Testing also named Snyk a visionary company in the IaC industry.
Valuation
Snyk raised a total of $1.2 billion as of July 2023. Notable investors include Addition, Alkeon, Atlassian Ventures, Tiger Global, G Squared, Baillie Gifford, Lone Pine Capital, T. Rowe Price, Boldstart Ventures, Canaan Partners, Coatue, and Salesforce Ventures.
Its $196.5 million Series G round in December 2022 was led by Qatar Investment Authority, the sovereign wealth fund of Qatar. The round’s $7.4 billion valuation at the time of the Series G represented a 14% decrease from the company’s $8.6 billion valuation on its September 2021 funding round from Salesforce and Atlassian Ventures. T
his Series G round was immediately followed by a strategic investment of $25 million in January 2023 from ServiceNow, a publicly traded enterprise software company. However, the company's valuation fell significantly since the Series G round, dropped more than 50% to just $3.3 billion on the secondary market in July 2023.
Key Opportunities
API Security
Having entered the cloud security market in February 2022 through the acquisition of Fugue, expansion into the API security space could be an opportunity for Snyk. The API management market is expected to grow at a 5-year CAGR of 25%, from $4.5 billion in 2022 to $13.7 billion in 2027.
Meanwhile, API attacks and exploits are on the rise. One study found that 94% of organizations suffered API-related security issues within the 12 months ending in July 2022, while over 50% delayed the rollout of a new application due to API security concerns. Similar to proprietary codes and third-party dependencies, API vulnerabilities and misconfigurations — which could cause sensitive data exposure — remain enterprises’ most significant concerns. Companies like Salt Security and Noname Security currently focus on API security.
Snyk has the opportunity to build real-time API scanning solutions for detecting weaknesses during the development lifecycle, flag outdated APIs, and identify misconfiguration. Also, the company could cross-sell the API security product to its existing customers since the two markets have overlapping target customers.
Key Risks
Serving Different Personas
One of the most significant risks to Snyk, as it continues to grow, will be successfully managing products that serve different personas. Historically, Snyk’s products have been targeted at developers. Even in the way it interacts with security teams, the company's focus is still on building developer-centric products. With the launch of Snyk Cloud, it will have to serve the needs of a CISO, which is a very different sales and adoption motion.
Code Hosting Platforms
Potential competition from code hosting and management platforms like GitHub and GitLab poses a significant threat to Snyk. GitHub already offers Depandabot, a code scanning tool, and GitLab has a focus on building a broad developer platform that would include DevSecOps. Both GitHub and GitLab could continue to expand into open-source and code security. Both companies have large user bases to increase the adoption of their potential products competing directly with Snyk.
Mix of Internal Product Innovation and M&A
While Snyk IAC Security and Snyk Container Security were built internally, the company has also extended its platform through several acquisitions like Snyk Code and Snyk Cloud. Snyk’s strategy has worked so far, but there is a lot of complexity when a platform includes both internally-built tools and externally acquired components. Executing on the integration of the overall platform will be critical, especially with the company’s promise in December 2022 that it will use its cash to continue expanding inorganically.
Summary
Reliance on open-source and third-party dependencies is here to stay. Tools like Snyk are becoming essential for secure software supply chains. Developers are expected to act as the first line of defense and watch for any vulnerabilities during the development process. Snyk has the potential to become a leader in its large and growing market. The company continues to show tremendous growth in top-line and user metrics and a successful product expansion through acquisitions. The key question remains as to whether Snyk can continue to innovate on its product to keep up with the increasingly competitive landscape.