StepSecurity is a company.
StepSecurity has raised $3.0M across 1 funding round.
Key people at StepSecurity.
StepSecurity has raised $3.0M in total across 1 funding round.
Key people at StepSecurity.
StepSecurity has raised $3.0M in total across 1 funding round.
StepSecurity's investors include Blu Venture Investors, Costanoa Ventures, Decibel Partners, Paladin Capital Group.
StepSecurity is a cybersecurity startup that builds a CI/CD security platform focused on securing GitHub Actions and software supply chains.[1][2][3] It serves developers, open-source communities, and enterprises by providing multi-layered protection through visibility, detection, response, and remediation of risks in CI/CD pipelines, addressing vulnerabilities like over-privileged tokens and supply chain attacks.[3][4] The platform solves critical problems exposed by breaches such as SolarWinds and Codecov, enabling teams to baseline network behavior, block unauthorized traffic, vet third-party Actions, and apply one-click security fixes, with strong growth evidenced by recognitions like the Linux Foundation's Secure Open Source Rewards and adoption by companies like Kapiche and endorsements from CISOs at Coinbase, Zscaler, and others.[1][4][5]
StepSecurity was founded by Varun Sharma (CEO & Co-Founder) and Ashish Kurmi (CTO & Co-Founder), both veteran security leaders who previously drove CI/CD security initiatives at major companies including Microsoft, Uber, and Plaid.[1][2] The idea emerged around 2022 amid high-profile supply chain breaches like SolarWinds and Codecov, which highlighted the lack of dedicated CI/CD security tools; after consulting peers and finding no adequate solutions, they began building their product in the open, initially offering it for free to secure open-source developers' pipelines.[1][4] Early traction came swiftly through the open-source SecureWorkflows project, which automated CI/CD fixes for critical projects like Python, Ruby on Rails, and Babel, earning Linux Foundation recognition and integration with OpenSSF Scorecard.[4]
StepSecurity rides the surging wave of software supply chain security, fueled by escalating attacks on CI/CD pipelines—over-privileged GitHub tokens alone pose high risks, as noted by OpenSSF Scorecard, with incidents like Codecov enabling prolonged data exfiltration.[1][4][5] Timing is ideal amid 2020s breaches and regulatory pushes for secure open-source (e.g., Linux Foundation SOS Rewards), positioning it to protect critical projects and enterprises adopting GitHub Actions at scale.[4] Market forces like rising adoption of DevSecOps, AI-driven feedback platforms (e.g., Kapiche case), and supply chain threats favor its specialized, open-source-rooted approach, influencing the ecosystem by hardening OSS pipelines, partnering with OpenSSF, and setting standards for Action vetting that reduce industry-wide risks.[3][4][5]
StepSecurity is poised for expansion by deepening GitHub integrations, scaling enterprise adoption (building on Coveo, Kapiche, and CISO endorsements), and extending beyond Actions to broader CI/CD environments amid persistent supply chain threats.[1][3][5] Trends like zero-trust pipelines, automated remediation, and OSS security mandates will propel growth, potentially evolving it into a full-spectrum release security leader. As pioneers who turned breach-driven urgency into open-source impact, StepSecurity exemplifies how targeted CI/CD defenses fortify the foundational pipelines powering modern software.
StepSecurity has raised $3.0M across 1 funding round. Most recently, it raised $3.0M Seed in April 2024.
| Date | Round | Lead Investors | Other Investors |
|---|---|---|---|
| Apr 1, 2024 | $3.0M Seed | Blu Venture Investors, Costanoa Ventures, Decibel Partners, Paladin Capital Group |
