ProjectDiscovery, a platform for detecting newly disclosed, exploitable vulnerabilities across an organization's websites, apps, APIs and cloud environments, today announced that it raised $25 million in a Series A funding round led by CRV with participation from Point72, SignalFire, Rain Capital, Mango Capital, Accel and Lightspeed.
ProjectDiscovery began as a collaboration between four security engineers — Rishiraj Sharma, Sandeep Singh, Nizamul Rana and Marco Rivoli — who felt the tools they had for finding and fixing vulnerabilities were too slow to evolve in response to growing threats.
“These tools produced too many false positives, making it hard to prioritize vulnerabilities, and they weren’t customizable to their organizations’ architecture,” Sharma, who serves as ProjectDiscovery’s CEO, told TechCrunch via email. “Worse, they made it hard to work on remediation across teams and departments.”
After collaborating on several open source tools that attempted to solve these problems, Sharma, Singh, Rana and Rivoli founded ProjectDiscovery, a free vulnerability scanning platform, in 2020. Initially a side project, ProjectDiscovery raised a seed round in January 2021, after which the team began working on it full time.
ProjectDiscovery continuously monitors websites, apps, APIs, cloud environments and services for exploitable vulnerabilities. Working from templates that encode the checks for specific vulnerabilities and misconfigurations, IT teams and engineers can find and remediate those issues.
Andy Cao, ProjectDiscovery’s chief operating officer, asserts that ProjectDiscovery represents a “step change” in organizations’ ability to secure public-facing endpoints.
“Today’s security leaders face an ever-growing list of tools and offerings. But many of those are focused on a single area or on compliance over security,” Cao said via email. “The addressable market for ProjectDiscovery includes enterprises of all sizes around the world.”
That may be true. But it’s also true that ProjectDiscovery is far from the only vendor selling exploit discovery tools. Socket recently raised $20 million for its service that detects security vulnerabilities in open source code, while SonarSource — one of the bigger players in the code-scanning space — last year landed a $412 million investment at a $4.7 billion valuation.
Cao isn’t ignorant of the competition. But he makes the case that ProjectDiscovery has a powerful — and differentiated — resource in its open source community.
“We currently have over 60,000 community members who are contributing to and using our tools, most of whom work for larger enterprises,” he said. “When critical new vulnerabilities emerge, our customers don’t have to wait around in the dark for their vendor to take action. Instead, they benefit from hundreds of engineers working on templates that help them find and remediate those vulnerabilities, and that progress is available to everyone.”
Following the path of countless open source startups, ProjectDiscovery is aiming to monetize that advantage with a managed cloud version of its free offerings. Called ProjectDiscovery Cloud Platform, the paid service handles installation and maintenance of ProjectDiscovery’s growing software suite.
Can ProjectDiscovery users be convinced to pay for what’s already available for free? Perhaps. Cao says that there have been 3,000 sign-ups for ProjectDiscovery Cloud Platform so far, including from Fortune 500 enterprises. A bigger question in my mind is the open source community’s reception to ProjectDiscovery commercializing their work — without compensation, I might add. But Cao didn’t seem especially concerned.
“The power of open source — and of our community — means that ProjectDiscovery is able to provide a more comprehensive approach focused on protecting against attackers and not just auditors,” Cao said. “Specifically, that means developing a better solution than traditional scanning tools … [and] new ways to streamline collaboration between the teams that are finding vulnerabilities and those that are remediating them.”
To date, ProjectDiscovery has raised $28 million. Cao says that the proceeds from the latest round will be put toward hiring and supporting the launch of ProjectDiscovery Cloud Platform.