What if you could increase your engineering productivity and feature development velocity by 50% without adding a single headcount?
In many organizations, engineers are spending upwards of 50% of their time addressing security vulnerabilities, negotiating priorities, and deploying and managing DevSecOps tools in pipelines. We call all that time spent on security-adjacent work - The Dev Productivity Tax. This tax is imposed on developers when security tools create unnecessary work for developers that actually doesn’t affect the risk posture of your applications.
But what if your application security tools could surface the 20% of issues that cause 80% of risk?
When we started Endor Labs, we sought out to identify the areas where the productivity tax is heaviest. Where were developers losing cycles to application security? Market research, experience, and conversations with our customers led us to three main sources:
SCA and open source governance - Over 90% of code in modern applications comes from open source components, yet only 12% of it is typically in use. This means that most of the time developers spend investigating vulnerabilities in open source dependencies, is wasted. That code is not in use, and the vulnerabilities are unreachable. Paired with the fact that traditional SCA tools do not provide visibility into transitive dependencies, and only prioritize risk based on severity of CVEs - a hefty productivity tax is levied on developers.
Integrations in CI - Security and SRE teams are forced to integrate and maintain dozens of tools into the development pipeline to get the required security coverage. The development effort on such implementations often conflicts in priority with actual work needed to ship your applications.
Pipeline governance and secrets hygiene - Secret scanners add security noise by surfacing unvalidated secrets, while CI/CD security is often a gray area between dev and security that no one is paying attention to.
Over the past year, achieving a better way to do SCA has been our focus. The Software Composition Analysis Landscape, Q1 2023 report from Forrester cites that SCA is poised to overtake DAST by 2026, and the latest Hype Cycle for Application Security from Gartner calls SCA a transformational technology that’s less than 2 years away from mainstream adoption.
With our incredible team of program analysis experts, we’ve made several breakthroughs in vulnerability prioritization through reachability analysis across the most popular programming languages. Our customers get function-level reachability data, which lets them prioritize risks that actually matter, and get the evidence and context they need to help developers address these issues.
This level of insight into code behavior also allows us to encompass operational risk, such as unmaintained, unused, or out-of-date dependencies. Finally, this approach leads to more accurate SBOMs and VEX documents, which are quickly becoming crucial for regulatory reasons.
Yet, none of these accomplishments compare to the satisfaction of hearing directly from our customers, like Five9, RocketLawyer, and Navan, about how our focus on surfacing risks that truly matter has freed up their AppSec and engineering teams to focus on adding value to their business. “The investment Endor Labs has made in reachability analysis makes them truly stand out,” says Greg Pettengill, Principal Security Engineer at Five9, an Endor Labs customer. “Traditional Software Composition Analysis (SCA) tools drown developers in false positives, while Endor Labs surfaces risks that actually matter, freeing up AppSec and engineering teams to focus on providing value to our customers.”
I am immensely proud to announce that Endor Labs has raised a staggering $70M in Series A financing. My team and I are humbled to have the support of an extraordinary group of investors including Lightspeed Venture Partners (LSVP), Coatue, Dell Technologies Capital, Section 32, and over 30 industry-leading CEOs, CISOs, and CTOs. The new round of funding, which includes $22M that converted to equity from the previously announced Seed round, and comes only 10 months after the company’s launch, will help Endor Labs create effective application security programs that don’t impose a productivity tax on developers.
Arif Janmohamed of Lightspeed, Sri Viswanath of Coatue and former CTO of Atlassian; and Deepak Jeevankumar of Dell Technologies Capital will be joining the Endor Labs Board.
“We love to partner early with outstanding entrepreneurs who have clarity of vision, and support them through every stage of the company’s journey,” said Arif Janmohamed, Partner at Lightspeed. “Varun and team are not only addressing a massive, unmet need in the application security world, but are laying the foundation for an enduring company in a fast-growing market. Lightspeed is proud to have invested in Endor Labs' Seed financing, and to lead their Series A round."
“In order to achieve application security, every company needs to be thinking about their developer team’s productivity and workstream,” explains Sri Viswanath, general partner at Coatue and former CTO of Atlassian. “The Endor Labs team is building a mission critical solution that will not only improve security levels but also vastly improve developers’ ability to build and ship their products. I am thrilled to be joining the Endor Labs Board as they make several breakthroughs in this long ignored space.”
Human capital remains paramount for any startup. When Dimitri and I embarked on our journey with Endor Labs, we set a distinct goal: of our initial 15 engineers, no more than two would hail from the same company. This self-imposed challenge, while certainly demanding, led us to bring aboard talent from renowned firms like Uber, Meta, GitHub, Microsoft, and Cisco. Such a diverse blend of software engineering backgrounds has been pivotal. Every company harbors its unique engineering practices; by embracing this diversity, we ensure our products resonate with a myriad of engineering teams and their distinct cultures.
Today, with over 55 dedicated professionals spanning numerous countries and a robust leadership team in place, we're poised to sculpt a vast and prosperous enterprise.
Carving out a niche in a market of this magnitude demands meticulous strategizing, emotional fortitude, and agile decision-making. It's worth noting that many at Endor Labs have previously played instrumental roles in conceptualizing and amplifying market leading products in the Cloud Access Security Broker (CASB), Cloud Security Posture Management (CSPM) and Cloud Native Application Protection Platform (CNAPP). Drawing from our past triumphs—and the lessons from our setbacks—I have unwavering faith in our capability to establish a legacy.
What Lies Ahead
I see this funding round as both an affirmation of our progress so far, and a springboard for what's to come. It's a validation of our approach to application security, but it's also a reminder of the challenges that lie ahead.
We are now on the cusp of a transformative period for application security. Most security professionals are beginning to view their engineering counterparts as internal customers, and are seeking platform approaches that reduce cognitive load, and help them focus on the issues that matter the most. This is the future we envision at Endor Labs.
As we continue to drive towards this vision, I am extremely grateful to our investors, partners, customers, and most importantly, our dedicated and hard-working team. This is an exciting journey we are on, and I am thrilled to have all of you by my side. Here's to reimagining and reshaping application security – together!
If you’re attending Blackhat, we would love to connect with you! You can find a list of our events here.