In a strong signal of rising enterprise concern around software supply-chain risk, Cloudsmith has raised $72 million in a Series C funding round led by TCV. The investment is aimed at expanding Cloudsmith’s capabilities in policy enforcement, auditability, and real-time package risk analysis—areas that are rapidly becoming central to CISO priorities.
Cloudsmith operates as a cloud-native artifact management platform, but with a security-first architecture. The new funding will accelerate three core areas:
- Policy Enforcement: Ensuring only trusted, compliant packages enter development pipelines
- Auditability: Providing full traceability of software components across environments
- Real-Time Risk Analysis: Continuously scanning packages for vulnerabilities, tampering, or malicious code
This aligns with emerging frameworks like Software Bill of Materials (SBOM) and zero-trust software principles, where every component must be verified before execution.
Competitive Landscape:
Cloudsmith operates in a rapidly evolving segment alongside players in DevSecOps and artifact security. However, its differentiation lies in treating package management not just as infrastructure, but as a security control plane.
This becomes crucial as enterprises move toward platform engineering models, where internal developer platforms abstract complexity—but also concentrate risk.
The Strategic Context:
Modern software development is no longer confined to in-house code. Enterprises increasingly rely on open-source components, third-party packages, and AI-generated code. While this accelerates innovation, it also introduces invisible dependencies—each one a potential attack vector.
High-profile incidents like the SolarWinds supply chain attack and vulnerabilities such as Log4j have exposed how deeply embedded risks can cascade across ecosystems. Today, attackers are no longer targeting endpoints alone—they are compromising the very building blocks of software.
Cloudsmith’s positioning is clear: secure the “artifact layer” where code packages are stored, shared, and deployed.
The AI Factor: A Double-Edged Sword
The rise of AI-assisted coding tools is amplifying both productivity and risk. Developers increasingly rely on AI-generated snippets, often without full visibility into their origins. This creates a new class of “unknown dependencies.”
Cloudsmith’s expansion comes at a time when CISOs are asking a critical question:
How do you secure code that was never fully written—or even reviewed—by humans?
The answer lies in shifting security left—embedding controls directly into development workflows rather than relying on post-deployment fixes.
Cloudsmith’s $72 million raise is not just a funding milestone—it reflects a structural shift in cybersecurity thinking. The battlefield is moving upstream, from runtime environments to development pipelines.
For enterprises, the message is clear:
If you don’t control your software supply chain, you don’t control your risk.
As AI, open-source ecosystems, and distributed development continue to expand, platforms like Cloudsmith are positioning themselves at the center of a new security paradigm—where trust is continuously verified, not assumed.