Legit Security, a cybersecurity company developing a platform to identify app vulnerabilities from code, has raised $40 million in a Series B funding round led by CRV with participation from Cyberstarts, Bessemer Venture Partners and TCV.

“Today, application security is a diverse industry with dozens of point solutions that have not yet consolidated into broader, more capable platforms,” Fuchs told TechCrunch in an email interview. “There are enormous opportunities to modernize App Security and bring a broader platform to market to address these needs.”

Fuchs and Legit’s two other co-founders, Liav Caspi and Lior Barak, all served together in the cyber warfare division of the Israel Defense Forces (IDF). After leaving the IDF, the trio worked in cybersecurity at companies including Microsoft and Checkmarx, the app security testing firm.

From their experiences in government and the private sector, Fuchs, Caspi and Barak came to believe that traditional app security scanners have largely failed to help businesses understand risk, prioritize resources and take action.

“Traditional scanners are highly technical, lack broader context and provide focus on a very narrow section of overall application risk,” Fuchs said. “In addition, securing apps requires cooperation between security, engineering and DevOps, which is very challenging to operationalize at scale — and requires new solutions to help bridge the gap.”

So in 2020, Fuchs, Caspi and Barak launched Legit, which delivers real-time visibility and security control across dev environments while providing a “unified” plane from which to orchestrate apps.

Legit started as a platform to secure software supply chains. But today, the service aggregates vulnerabilities from different sources, integrating with traditional app security tools and risk scoring their vulnerabilities alongside the native vulnerabilities found by Legit.

Legit Security

Image Credits: Legit Security

Fuchs claims that Legit can secure the “entire” app dev environment from “code to cloud” by enforcing security policies in CI/CD pipelines, servers and other infrastructure. Legit, he avers, is able to discover and map pre-production dev pipelines and third-party security tools automatically, including their dependencies, misconfigurations and security vulnerabilities.

“Code scanning alone is insufficient for app security today. You need to also scan your dev pipelines for gaps and leaks, the infrastructure and systems within those pipelines and the people and their security hygiene as they operate within it,” Fuchs said. “You need a unified plane to secure the overall environment, not just myopically on the code alone. And modern software supply chains are constantly changing, so the solution must have automated discovery and analysis and provide continuous assurance that software releases remain secure all the way from code creation to cloud deployment.”

To this end, Legit can also trace vulnerabilities found in cloud production environments back to the pipeline and source code where the vulnerability originated. And it can spotlight duplicate and redundant tools to reduce a company’s waste, in theory helping to save costs.

Legit is a part of an emerging category of security tools known as application security posture management (ASPM). Coined by Gartner earlier this year, ASPM helps to manage app risk by collecting, analyzing and prioritizing security issues from across the software lifecycle.

The demand for ASPM is growing — Gartner estimates that 40% of security teams will have an ASPM tool in 2026, up from just 5% today — but Legit isn’t the only player in the nascent market. Asked about rivals, Fuchs says that he sees Apiiro, Cycode and ArmorCode as Legit’s closest competition.

Apiiro is especially well-funded — the startup last year raised $100 million from VC backers. But Fuchs believes that Legit is sufficiently differentiated — and, perhaps more importantly, has early-mover advantage.

Legit’s customers include Google, the New York Stock Exchange, Kraft Heinz and Takeda Pharmaceuticals. And, while Fuchs was loathe to disclose Legit’s annual recurring revenue, he revealed that the startup struck a $2.25 million customer deal this year. Legit’s deal sizes in Q2 were averaging around $341,000.

That’s a good place to be, one might argue, in a fairly down period for cybersecurity startups. Crunchbase recently reported that cybersecurity startup mergers and acquisitions are on pace for their weakest year since 2017.

“The ASPM category is hot right now, and customer interest is increasing due to the combination of improved security and risk management and productivity and cost savings,” Fuchs said. “Legit’s platform is differentiated from other ASPM vendors by the strength of it’s auto-discover, correlation and analysis capabilities.”