r2c's Series B funding

by Isaac Evans on July 07, 2021

Most security tools don't put the developer first, and that's a problem we want to solve at r2c.

Today we're announcing:

  • $27M in Series B funding, led by Felicis Ventures with participation from previous investors Redpoint Ventures and Sequoia Capital.
  • Semgrep is integrating with GitLab! The GitLab Secure team is migrating their analyzers to Semgrep and GitLab 14 ships with the new analyzers for JavaScript, TypeScript, and Python.

We founded r2c to bring world-class security tools to developers because we believe software will run the most exciting parts of the future. In a future where software runs everything from medical equipment to autonomous cars, security is literally life or death. Security teams must enable rather than hinder rapid software development. If developers lack tools that are easy to set up and understand—or if a developer has to convince their manager to spend millions on advanced security tools—the future is bleak. We want developer-first security for all, not just the established companies with big budgets.

r2c is building high-tech tools that feel simple to developers. We want to empower developers to fix issues as they’re written by providing visibility and measurement through the entire development lifecycle.

But most tools marketed as developer-friendly are simply the same tools that previously ran at the end of the waterfall pipeline. Instead of being redesigned in a developer-friendly way, they’ve been awkwardly moved to an earlier spot in the pipeline and are otherwise unchanged. This approach is not enough in a world that uses agile (rather than waterfall) development, codes in dozens of languages, and has far more developers than security experts.

Since last fall when we announced our Series A funding from Redpoint Ventures and Sequoia Capital, we’ve been delighted to see many industry-leading teams adopt Semgrep: companies like Salesforce, Dropbox, Stripe, Netflix, Figma, Snowflake and Chef have adopted Semgrep both as a scanning tool and language to write new scanning rules. World-class security consultancies like Trail of Bits, Latacora, and NCC Group have started writing Semgrep rules. They and others form a growing community of brilliant security researchers and developers contributing rules and Semgrep engine improvements.

We are also excited that we are building an enthusiastic open-source community of talented contributors. Semgrep went from 8 to 17 languages in the past eight months thanks to external collaborators: Sjoerd Langkemper who added C#, Slack who is developing Hacklang support, and collaborators at GitHub who we worked with on improvements to the core parsers.

And for the past several months, we’ve been working with the GitLab team on an integration of Semgrep into GitLab SAST for language agnostic scanning and simplified custom rule development. As of the GitLab 14 release, Semgrep is the default SAST analyzer for JavaScript, Python, and TypeScript, replacing Bandit and ESLint as the analyzers for those languages.

This is a huge vote of confidence in our technology and approach that has really energized our team and been the focus of a lot of great collaborative work between r2c and GitLab. GitLab will be transitioning more analyzers to Semgrep, and we’re looking forward to continuing our work with them to make Semgrep available for more languages in GitLab SAST.

See our technical announcement post for more details on what's new and how to get the latest rules and engine running at your company, for free.