Socket raises $60M Series C at $1B valuation as AI-generated code fuels software supply chain attacks

May 20, 2026 · Full transcript · This transcript is auto-generated and may contain errors.

Featuring Feross Aboukhadijeh

Good to see you all. Thanks for

talk soon. Goodbye.

See you. Up next, we have Feross from Socket back on the show to discuss a Series C by none other than Thrive Capital. We'll bring in Feross from Socket from the waiting room to the TBPN Ultradome.

Get that gong ready.

Welcome to the show. How you doing?

What's up?

Good to see you.

How's it going, guys? Thanks for having me back.

I think last time you were on... "Oh, we'll see you soon." And here you are. Give us the news first. What happened?

Yeah. So, Socket announced its $60 million Series C at a billion-dollar valuation.

Did it again. Did it again.

Yeah. Led by Thrive Capital.

Congrats.

And it's a big day for us.

Absolutely massive.

Is what you do important right now?

Yeah. You know, you couldn't have really asked for a better, you know, perfect storm. You have the confluence of AI, cybersecurity, and all the different attacks we've been seeing, and we kind of built the perfect product for this moment. And it's been something that we've been building towards for, you know... it seems like, okay, we just had the right thing right now, but the reality is we've been building towards this for four years plus. And so, you know, it's an overnight success that took four years, right?

There we go. I love it. Yeah. What was the key unlock for the new round? Growth? Needed the capital for a specific expansion? Just the broad tailwinds of the industry, people looking forward to more demand? What's changed in the business?

So the business is just inflecting. You know, every year I feel like, okay, this is great, certainly we're going to get a regression to the mean or something, but it just keeps accelerating. So, over the last while, we've had 500% plus ARR growth over the last 12-month period. And it just keeps going. So I think we're seeing three forces converging all at once here. We have this kind of perfect storm between, you know, AI generating more code than ever before. You've got developers, and increasingly non-developers too, that are pulling in open source dependencies and third-party code at an unprecedented velocity, and you have more code being written than ever before, both by humans and AI agents. The maybe counterintuitive thing is it actually brings in a lot of third-party code, and that code is really vetted less than it's ever been before. That's the first thing. The other thing is you've got the frontier AI models like Mythos that are finding thousands of high-severity vulnerabilities across every major operating system and open source library, so the total volume of vulnerabilities in code is exploding right now, and it's going to keep going as we start to throw these models against this backlog of code that's been out there for a long time and has a lot of vulnerabilities. And then the third piece is that the attackers have really started realizing that they can exploit the software supply chain to get into companies. So they're not really coming in through finding vulnerabilities, but they're actually realizing, if we go into an open source component, that's actually an easy way to get into an organization, and not just one, but usually thousands of organizations that all use that same component. So it's this perfect storm of all these factors right now.

So, walk me through how your business model interacts with the open source community, because when we see things like Mythos finding a bunch of bugs in open source repos, we hope that everyone will just submit bug reports early for the good of the world. But I'm interested in the economics of patching open source. If there's a really important package out there that maybe doesn't have a Linux Foundation behind it, like, how, at some point... at the very least there's inference costs. Who's paying to patch all of the open-source software that so many different companies rely on? If you go to a big company, they pay you; they might patch their dependencies, but how does this all flow together into an actually safer internet?

Yeah. Well, I've been in open source for I think over 15 years now, and I maintain a bunch of open source packages and have a real soft spot for the open source community. And so let me tell you, they were suffering under an enormous burden even before the current AI trends have kind of made it even worse. You know, they don't get much support, whether financial or just in terms of, you know, the number of people working on this really critical infrastructure is super low for how critical it is. And so we started seeing a lot of AI tools being used to create these slop PRs, these slop issues, and that was already causing a burden. And then now you have the various frontier labs that are, with their models, finding a lot of vulnerabilities that were always there but the community didn't know about. And I will say they're doing a good job of providing a patch along with the bug that they've identified. So they're doing a lot of the work for the maintainer, but it still takes effort to review the PR. And the thing that people don't realize is, when you accept a pull request as a maintainer, it's not this one-time cost. You're actually accepting the burden kind of indefinitely into the future to maintain that code and make sure that that code is secure and is kept up to date with all the other changes. And so I think what we're going to see, and we're already starting to see, is, despite the best efforts of the frontier labs, and they are making a good effort, maintainers are going to fail to actually accept these patches.

And so we're going to see a lot of libraries that may have a vulnerability in them that literally have, effectively, code sitting on GitHub that anyone can look at and use to generate an exploit against that vulnerability. And there's not going to be an easy path for companies and for developer teams to go and actually patch their libraries, because there's no version they can upgrade to, because the maintainer is just sort of sitting there on that patch and hasn't accepted it. So it's just creating this real risk where, you know, there's more volume than ever before and there's not really an easy path. And so this is actually something we try to solve. So we built a solution to this called certified patches. And what this is is basically a deterministic way to, in kind of one click, make your vulnerabilities in your open source code go away. So we use a whole bunch of AI and produce these patches that make the vuln go away without any work on the part of the developer. There's no burden of upgrading packages. You just sort of, in a click, the vuln is gone from your dependencies. And you can keep the rest of the code in your application the same. And so it's really a quick fix to the problem that we hope is going to be part of the solution. And by the way, we're giving away all the critical patches to the community for free, so we can try to disseminate this widely to as many people as possible.

Are there... are you able... are you finding any companies that are completely asleep at the wheel, or is everyone like giving this?

Who should I hack today? No, I just want, like... I imagine part of why the business is growing so quickly is this is a hair-on-fire problem, a concern every single day, right? You're seeing these vulnerabilities or issues pop up. And so I would have to imagine that every software company online where the technical leadership uses the internet, which I would imagine is all software companies, is pretty much leaning into this problem. But do you ever, like... I'm curious, even from an outbound sales and marketing standpoint, are there people that are like, "Ah, this is just not that important for us right now"? Or would a no be like, "We have a solution. It's with someone else"?

We... Okay, so we've met one company that has literally no software. They produce toilet paper

and they didn't have to... of business. No. I think, yeah, I think that it's become a universal problem. When we started, it was kind of this maybe more niche problem where people said, "Okay, you know, I've got a lot of other problems that are more important than this." And we initially had a really good uptake of the product in the cryptocurrency community, because they have a lot of software supply chain risk, and when these hacks happen, it's an irreversible thing for them where they lose all their funds. And then I would say the AI labs were the next to pick it up, and sort of, you know, SF tech companies realized... the kind of people that are ahead of the curve. And now it's become, I mean, it's like a top one or top two concern at nearly every company we talk to. It's a board-level concern a lot of the time now, and CISOs and heads of engineering are being asked to figure out, like, what is our solution to make sure the next time one of these things happens we're protected. And the next time is probably going to be, like, you know, tomorrow. It's become so... it's literally like, you know,

every day

Yeah, literally, our end of quarter was the end of last month. We already were super busy, and then there were three major software supply chain attacks that happened that same day. It's wild. It's more than we've ever seen and it's totally unprecedented.

Was the GitHub issue that I saw a supply chain attack, or was that something else? I saw a couple of posts, but I didn't get to dig into it, though.

I don't think they've released that information yet.

Yeah, there's definitely been some speculation. I mean, the timing right now, every time a company gets popped or their source code leaks, it's the first question that people think of now. And the group I believe that claimed responsibility is this TeamPCP group that has been responsible for a lot of the attacks. And so, you know, I wouldn't be surprised if that's what we learn, but I don't think that's something that we know right now, and I wouldn't want to speculate.

Yeah. I wonder if there will be movements to find, like, the compute infrastructure for TeamPCP at some point, or like the hackers, because at a certain point you would imagine that they're ready.

Well, they don't... I mean, some of this, a lot of this, is still social engineering, right? So they don't necessarily need, you know, a country-of-geniuses data center. A couple of dudes with phones...

Who knows. Well, congratulations on