Today we are thrilled to announce Madrona’s investment in Stacklok, software supply chain security for enterprises. Madrona invested in the $17.5M Series A round alongside our friends at Accel.
Madrona has known Stacklok Co-founder and CEO Craig McLuckie since 2016, when we invested in his previous company, Heptio. Over the years, we have developed a profound respect and appreciation for Craig as a brilliant visionary, innovator, and entrepreneur. Craig deeply understands building open-source communities, having co-founded Kubernetes while at Google and founded the Cloud Native Computing Foundation (CNCF). He also has experience scaling enterprise businesses based on open-source software from his time at Heptio and VMware, where he was VP of R&D (VMware acquired Heptio in 2018 for $600M). Heptio was a notable win not only for its successful exit but the incredibly talented team and positive culture it built, its rapid and successful scaling, and its relentless focus on customers and ability to deliver innovative technology consumable to the most demanding enterprises.
Recently, we have also had the pleasure of getting to know Stacklok Co-founder and CTO Luke Hinds. Luke has substantial experience in security, having spent seven years at RedHat, most recently as a distinguished engineer and security engineering lead in the office of the CTO. Luke is also the project founder and largest contributor to Sigstore, one of the most important open-source secure supply chain technology frameworks. Sigstore is employed not only by Stacklok but also by several other software vendors and enterprises, including Google, Cisco, and HPE.
Craig and Luke are brilliant technology and product strategists who complement each other well. They have strong go-to-market and company-building superpowers, and together we believe they can build an enduring and scalable business in this incredibly important category.
In recent years, the number of software supply chain attacks has significantly increased. This is driven by the growing number of companies leveraging open-source software and will be further accelerated by the emergence of LLMs and productivity tools like GitHub Copilot. These attacks involve bad actors injecting malicious code into open-source software, which then runs on production servers. Supply chain security risk, dependency on third-party code, and the lack of visibility into the source and ongoing changes to this code continue to be a top priority and pain point with CISOs and CIOs with whom we regularly speak. Goldman Sachs referenced in their Emerging Security Initiation of Coverage Report in February that they “expect to see the most technology evolution in IaC (also known as code or supply chain security)” driven by “developer workloads and code vulnerabilities creating significant gaps in the attack surface areas.”
With the increasing number of software supply chain attacks, developers, security teams, and operations teams are increasingly aware of breaches and are searching for more secure solutions. “Shifting left” is a trend where developers move from application security to code security. While many companies have adopted this approach, it assumes code is vulnerability-free at build time. However, vulnerabilities are often found retrospectively, so attacks still occur.
This is where Stacklok comes in. Stacklok is an end-to-end software supply chain security platform. The company focuses on Developer Security Posture Management (DSPM), which is the idea of helping developers operate securely. Stacklok’s platform evaluates a company’s software supply chain (i.e., Github code repos and dependencies), recommends security enhancements, and enforces policies throughout the CI/CD process. We love Stacklok’s opportunity to improve the overall security posture of teams by improving their understanding of best practices and the security risk associated with their choices by making an array of tools available effortlessly during their everyday work with an open-source, one-click, single-pane-of-glass approach. The platform also continuously monitors production, providing visibility and insights to developers and security and operations teams. Stacklok achieves this by leveraging the secure supply chain technologies of Sigstore, a new standard and open-source project for verifying and protecting software via a secure, cryptographic ledger. This allows customers to capture provenance and track it through the software lifecycle, across clouds or on-prem, providing dynamic protection over time in production versus simply static verification at build.
The software supply chain security market is fragmented, with many point solution providers but no clear platform leader. We believe Stacklok is uniquely positioned to win given the team’s unique background and ability to create a novel platform solution that is both proactive and remediative across the entire DevSecOps process, providing an elegant and effective approach to CodeSec and naturally expanding over time to AppSec scenarios. For instance, we envision Stacklok will be able to force remediation for a production package when a new day zero vulnerability is discovered and improve visibility into the supply chain by making contextual information useful.
Cybersecurity has long been an investment theme for Madrona, and Stacklok adds to our portfolio of market-changing security companies, including Eclypsium, Tigera, PlexTrac, Clerk, and Extrahop. We are thrilled and humbled to partner with the Stacklok team led by Craig and Luke as they bring software supply chain security to enterprises!