Today’s software development moves at lightning speed. Developer teams deploy constantly, rely on countless open-source packages, and navigate complex cloud setups. At the same time, code security threats are increasing at a drastic rate. High-profile incidents like the SolarWinds, Log4J, and Codecov attacks underscore the importance of secure application development practices. We extensively wrote about the importance of code security back in 2022 when we first set eyes on the category.
Yet most application security tools are stuck in the past, designed for a time when releases happened every few months. In today’s world of rapid development and the intensifying threat landscape, security must evolve to match the pace of innovation without sacrificing accuracy.
Enter Semgrep: Security at Development Speed
Semgrep is pioneering a new security philosophy that focuses on the developer experience and in which security is not a gatekeeper. Semgrep scans at multiple points in the workflow: before the build, directly in CI/CD, at commit time, in the IDE, and during code review. It gives immediate feedback even when the code is incomplete. Semgrep combines high speed, a low false-positive rate, one-click patches, and AI that separates signal from noise.

Semgrep’s core scanning engine enables scanning speeds measured in milliseconds rather than minutes across a wide breadth of languages, with accuracy that outperforms traditional tools. The results speak for themselves. It’s challenging to find a security tool that’s equally loved by developers and security engineers, but Semgrep OSS has gained significant open-source traction, boasting 11K GitHub stars and over 75 million project scans each year; it’s also trusted by modern enterprise development teams such as Snowflake and Dropbox.
A Single Platform That Goes Deep
We often hear security leaders talk about fatigue around point solutions or platforms that are tethered by tuck-in acquisitions. One of the unique aspects of Semgrep is that the same Semgrep engine powers all three of its products: first-party code scanning (SAST), third-party code scanning (SCA), and secrets detection.
Developing this many products is not trivial, but what is more impressive is Semgrep’s commitment to going deep in each one. For example, rather than just flagging vulnerable packages, Semgrep performs reachability analysis to determine whether the vulnerable code paths are actually called from the application’s own code—dramatically reducing the false positives that plague other SCA tools.
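To make the distinction between "depends on a vulnerable package" and "actually calls the vulnerable code" concrete, here is a small reachability check written for this post. It is illustrative code, not Semgrep's engine or any Semgrep rule. It assumes a constructed advisory against a hypothetical package `yamltool` whose function `load_unsafe` is affected, and it runs over three constructed sample projects embedded inline: one that imports the package but never calls the affected function, and two that call it (directly and through an import alias).

```python
"""Minimal SCA reachability check over Python source using the ast module.

Added example for this post; not Semgrep's implementation. The advisory,
package name, function name and sample projects below are all constructed.
"""
import ast
from dataclasses import dataclass

# Constructed advisory: which module/function a (hypothetical) CVE affects.
ADVISORY = {"module": "yamltool", "function": "load_unsafe"}

# Constructed sample projects (inline source, not real files).
PROJECT_IMPORTS_ONLY = '''
import yamltool

def parse(text):
    return yamltool.load_safe(text)
'''

PROJECT_CALLS_VULN = '''
from yamltool import load_unsafe as load

def parse(text):
    return load(text)
'''

PROJECT_CALLS_VIA_ALIAS = '''
import yamltool as yt

def parse(text):
    return yt.load_unsafe(text)
'''

PROJECT_NO_DEPENDENCY = '''
import json

def parse(text):
    return json.loads(text)
'''


@dataclass
class Finding:
    depends_on_vuln_pkg: bool          # naive SCA result: is the package imported at all?
    vuln_calls: list                   # reachability result: (lineno, call expression)


def _resolve_aliases(tree, module, function):
    """Collect the local names that import statements bind to the module or function."""
    module_aliases, function_aliases = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # `import yamltool` binds "yamltool"; `import yamltool as yt` binds "yt"
                if alias.name.split(".")[0] == module:
                    module_aliases.add(alias.asname or module)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for alias in node.names:
                # `from yamltool import load_unsafe as load` binds "load"
                if alias.name == function:
                    function_aliases.add(alias.asname or alias.name)
    return module_aliases, function_aliases


def analyze(source, advisory=ADVISORY):
    """Return whether the package is a dependency and every call site of the affected function."""
    tree = ast.parse(source)
    module, function = advisory["module"], advisory["function"]
    mod_aliases, fn_aliases = _resolve_aliases(tree, module, function)
    calls = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # yt.load_unsafe(...): attribute access on a name bound to the module
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            if f.value.id in mod_aliases and f.attr == function:
                calls.append((node.lineno, ast.unparse(f)))
        # load(...): a name bound directly to the affected function
        elif isinstance(f, ast.Name) and f.id in fn_aliases:
            calls.append((node.lineno, ast.unparse(f)))
    return Finding(bool(mod_aliases or fn_aliases), calls)


def triage(source, advisory=ADVISORY):
    """Collapse a Finding into the three outcomes a reachability-aware SCA tool reports."""
    finding = analyze(source, advisory)
    if not finding.depends_on_vuln_pkg:
        return "not affected"
    return "reachable" if finding.vuln_calls else "unreachable"


if __name__ == "__main__":
    for name, src in [("imports-only", PROJECT_IMPORTS_ONLY),
                      ("calls-vuln", PROJECT_CALLS_VULN),
                      ("calls-via-alias", PROJECT_CALLS_VIA_ALIAS),
                      ("no-dependency", PROJECT_NO_DEPENDENCY)]:
        print(f"{name:16} {triage(src):12} {analyze(src).vuln_calls}")
```

A package-manifest-only SCA tool would raise the same alert for the first three projects; the reachability pass reports only the two that actually invoke `load_unsafe`. The flip side is worth keeping in mind when tuning such a check: this syntactic walk misses calls made through `getattr`, re-exports from other modules, or dynamic dispatch, so a "unreachable" verdict lowers priority rather than proving absence of risk.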
AI Appsec Engineer
Semgrep is on a bold mission to deliver an autonomous application security program. AI is not a side project but a core part of that mission. Semgrep Assistant auto-triages findings to surface the critical vulnerabilities and helps developers understand the reasoning behind each result. The assistant doesn’t operate in a silo: it incorporates organization-specific context, development patterns, and historical decisions, which improves the accuracy of prioritization. As coding agents become more prevalent, AI-driven code security capabilities will be paramount for any forward-looking organization.
A Team Built for the Challenge
Behind Semgrep’s technical excellence is a founding team uniquely qualified for this challenge. The three co-founders—Isaac Evans, Drew Dennison, and Luke O’Malley—combine deep security expertise from the NSA and Palantir with MIT engineering pedigrees. Over numerous dinners and meetings, we’ve been consistently impressed by their profound understanding of both security architecture and developer ergonomics.
When you meet the team, you understand why “Yes, we sCan” is their motto. Their product velocity across three products and the surrounding developer capabilities is remarkable—149 releases a year while maintaining enterprise-grade reliability. This balance of speed and stability is rare in early-stage companies and speaks to the team’s exceptional execution. It’s no surprise they’re attracting world-class talent to join their mission—if you’re excited about reshaping the future of security, check out Semgrep’s open roles.

Looking Ahead: The Future of Secure Development
We believe Semgrep represents the future of software security—tools that enhance rather than impede development velocity. Their shift-left approach, embedding security directly into development workflows, is becoming the new standard for modern engineering organizations. Menlo Ventures is thrilled to partner with Semgrep in their mission to make security accessible and effective for all developers. Semgrep hits the sweet spot where AI meets security—an intersection that gets us truly excited. It joins an impressive roster of portfolio companies tackling enterprise-grade security, including Abnormal Security, Mimic, Obsidian, and BitSight, alongside our AI-focused investments like Anthropic, Neon, and Pinecone. If you’re a founder reimagining what’s possible in security and AI, we want to hear from you. Let’s build something extraordinary together.
The post Why We Led Semgrep’s Series D Round: Putting Code Security on Autopilot appeared first on Menlo Ventures.