Kusari is a software supply‑chain security company that builds a SaaS platform to give DevSecOps teams continuous, provenance‑aware visibility into dependencies, prioritize real risks from SBOMs and scanners, and automate remediation and policy enforcement across an organization’s codebase and build pipeline.[3][6]
High‑Level Overview
- Kusari’s product: a cloud‑native software supply‑chain security platform that maps components, shows provenance and blast radius, correlates scanner/SBOM noise into actionable risk, and enforces org policies across repos and pipelines.[3][6]
- Who it serves: security, DevOps, and engineering teams at regulated and enterprise organizations that need to manage dependency risk, compliance, and supply‑chain provenance.[3][6]
- Problem it solves: the platform reduces time lost triaging noisy vulnerability alerts and incomplete SBOMs by identifying which components actually matter, who owns them, where they run, and how to fix them.[3][6]
- Growth momentum: founded in 2022, Kusari raised pre‑seed/seed capital (about $8M) from investors including J2 Ventures, Glasswing Ventures and Unusual Ventures, has grown from a small founding team, and positions its product around open‑source standards such as GUAC, which it helped develop.[2][1][4]
Origin Story
- Founders and background: Kusari was founded in 2022 by Tim Miller (CEO), Michael Lieberman (CTO) and Parth Patel (CPO); the founders bring senior engineering and security experience from firms such as Citi and Raytheon and from other financial institutions, and are active contributors/maintainers on open‑source supply‑chain projects such as GUAC and in‑toto.[2][4]
- How the idea emerged: the team encountered the practical problem of not knowing which software components were actually in use and how dependencies propagate across apps, which made vulnerability response, licensing/compliance and maintenance slow and error‑prone; they built Kusari to provide transparency and actionable guidance.[2]
- Early traction/pivotal moments: early product strategy leaned on integrating the GUAC open‑source project for software heritage and dependency analysis; seed funding, public coverage in TechCrunch and a claimed customer result (e.g., an 87% vulnerability reduction in a 30‑day internal trial) supported early momentum.[2][3]
Core Differentiators
- Open‑source founding and standards leadership: the founders are maintainers/contributors to the GUAC and CNCF in‑toto projects, so Kusari’s platform is tightly coupled to provenance standards rather than being a closed proprietary scanner.[2][4]
- Provenance + blast‑radius mapping: the product emphasizes lineage/provenance to show when a CVE actually affects an app and where it originated, reducing false positives from SBOMs and scanners.[3][6]
- Actionable remediation and ownership: Kusari surfaces who owns components, when risks appeared, and what to fix first—aligning security and developer workflows to accelerate fixes.[3][6]
- Enterprise/regulatory focus: features for org‑wide policy enforcement, role‑based collaboration, and examples targeted at regulated industries (medical devices, finance, utilities) show positioning for compliance‑sensitive customers.[6]
- Noise reduction and risk prioritization: the platform claims to convert large volumes of scanner alerts into a small set of prioritized issues that materially affect production.[3]
Role in the Broader Tech Landscape
- Trend it rides: accelerating focus on software supply‑chain security after high‑profile attacks and new regulation (e.g., EU Cyber Resilience Act) has raised demand for provenance, SBOM management, and continuous supply‑chain visibility.[1][2]
- Why timing matters: organizations face increasing regulatory pressure and complex microservice/third‑party dependency graphs; tools that translate SBOMs and scanner outputs into actionable, organization‑wide context are in higher demand now.[1][3]
- Market forces in its favor: greater adoption of cloud‑native development, infrastructure as code, and continuous delivery increases dependency churn and the need for real‑time dependency mapping and policy automation.[6]
- Influence on the ecosystem: by contributing to GUAC and in‑toto, Kusari helps shape open standards for provenance and encourages more interoperable tooling for supply‑chain security rather than siloed vendor lock‑in.[2][4]
Quick Take & Future Outlook
- Near term: expect Kusari to continue productizing provenance insights, expand integrations with scanners, CI/CD systems and package registries, and push features aimed at compliance and enterprise governance to win regulated customers.[3][6]
- Medium term trends to watch: tighter regulation around software supply chains, wider adoption of SBOMs and provenance standards, and consolidation in supply‑chain security will create both partnership and acquisition opportunities for specialist platforms like Kusari.[1][2]
- Risks and catalysts: success depends on broad adoption of provenance standards (which Kusari helps advance) and on differentiating itself from larger application security posture management and software composition analysis (SCA) vendors that may add provenance capabilities; strong open‑source ties are a double‑edged sword—helpful for trust and adoption, but requiring continued community leadership.[2][4]
Quick take: Kusari is a standards‑savvy, provenance‑first entrant in a fast‑maturing supply‑chain security market, positioned to help enterprises turn SBOMs and scanner noise into prioritized, actionable security work—its growth will hinge on execution, enterprise go‑to‑market and continued leadership in open provenance standards.[3][2][4]