StepSecurity Secures $3 Million Funding to Protect CI/CD Pipelines

StepSecurity, a leader in protecting CI/CD pipelines and infrastructure, announced the closing of its $3 million seed funding round led by Runtime Ventures, with participation from Inner Loop CapitalSaaS VenturesDeVC, and several notable industry leaders as angel investors.

Founded two years ago by cybersecurity leaders Varun Sharma and Ashish Kurmi, StepSecurity has rapidly gained traction within both the open-source community and enterprise sectors.

Over 3,000 open-source projects, including those from the Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, Node, and Ruby, use StepSecurity to harden their CI/CD pipelines. StepSecurity also recently detected a CI/CD supply chain attack in a Google open-source project.

StepSecurity’s enterprise tier continues to gain traction, serving customers in high-tech, crypto, and healthcare industries. “Enterprises typically have robust application and cloud security solutions. However, CI/CD, the crucial link between these two environments, remains unprotected,” said Varun Sharma, CEO of StepSecurity. “We analyzed past CI/CD security breaches and built our platform using a first-principles approach.”

Michael Sutton, General Partner & Co-Founder at Runtime Ventures, commented, “Attackers have learned not only that the CI/CD pipeline represents the weak link in application security, but also that a successful supply chain attack can deliver an exponential impact. Supply chain attacks such as SolarWinds and Codecov impacted thousands of entities given the broad usage of the vulnerable applications. Security leaders have learned the hard way that CI/CD security can no longer be ignored, and StepSecurity is at the forefront of this paradigm shift.”

The urgency of securing CI/CD environments has never been clearer due to recent high-profile security breaches. Several incidents, such as XZ Utils and SolarWinds, originated in CI/CD. As a result, the Center for Internet Security (CIS), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and National Institute of Standards and Technology (NIST) have released guidance and benchmarks urging enterprises to harden their CI/CD environments.

StepSecurity plans to use these funds to invest in its open-source community and expand its enterprise offerings. StepSecurity already supports GitHub Actions and plans to expand its product to cover other CI/CD environments, such as GitLab CI, Harness, and Azure DevOps. The company is also actively hiring across engineering, sales, and marketing to support its growth.