Headquarters: Boston, MA
CEO: Peter McKay
Snyk makes tools for developers to check for and fix vulnerabilities in their applications.

Revenue: $300.00M (2024)
Valuation: $7.40B (2022)
Growth Rate (y/y): 25% (2024)
Funding: $1.00B (2022)

Revenue

Sacra estimates that Snyk hit $300M annual recurring revenue (ARR) in October 2024, up 25% YoY.

At the end of 2022, Snyk had a net retention rate of 130%, a gross retention rate of 90%, and headcount of 1,135 full-time employees for average revenue per employee of $129,515.

Roughly 60% of Snyk's revenue comes from software and tech companies and 10% from fintechs. North America contributes 70% of its revenue, followed by Europe at 17%.

Valuation

Snyk was last valued at $7.4 billion during its Series G funding round. The company has raised a total of $1.2 billion in venture funding since its founding. Key investors include Qatar Investment Authority (QIA), which led the Series G round, along with prominent firms like Tiger Global and Salesforce Ventures. Additional institutional backers include Evolution Equity Partners, G Squared, and Irving Investors, who participated in the Series G financing.

Product

Snyk was founded in 2015 by Guy Podjarny, Danny Grander, and Assaf Hefetz, leveraging their experience from the Israel Defence Force's cyber intelligence unit. The company's mission was to help developers easily identify and fix vulnerabilities in open-source code.

Snyk found initial product-market fit with Node.js developers seeking to secure open-source dependencies. In October 2015, they launched a free command-line tool that scanned GitHub repositories for vulnerabilities in Node.js projects. By December, 1,000 developers had downloaded the tool, and user registration was implemented in January 2016.

Today, Snyk plugs into the development workflow by integrating not just with code repositories like GitHub and GitLab but also with CI/CD pipeline tools like Jenkins and Travis. It scans the code against a repository of known vulnerabilities, lists them with severity scores, and suggests ways for developers to fix them.

Before Snyk, code was tested at later development stages by security teams with specialized software, and deadlines were pushed out to fix the vulnerabilities found. This created tension between developers, who wanted to ship the application as early as possible, and security teams, who wanted to ensure the application was secure.

Snyk’s key products today include:

Snyk Open Source: Snyk’s first product, which scans for vulnerabilities and license compliance issues in open-source libraries.

Snyk Container: Scans container images and Kubernetes environments to identify security flaws.

Snyk Infrastructure as Code: Scans platforms like Terraform, AWS, Azure, and Google Cloud for misconfigurations.

Snyk Code: Similar to Snyk Open Source but for developers’ proprietary codebases.

Snyk Cloud: Detects security flaws in code after deployment to cloud servers.

Snyk Vulnerability Database: A Stack Overflow-like searchable database of vulnerabilities in open-source libraries and ways to fix them.

Business Model

Snyk is a subscription SaaS company that provides developer-first security solutions, focusing on helping companies use open source code securely. Their core revenue model is based on per-developer seat pricing, with tiered plans offering increasing levels of functionality and support.

The company's pricing strategy is built on a freemium model, allowing developers to start using basic features at no cost. This approach has been crucial in driving adoption, with over 2.5 million developers on the platform as of 2023.

As usage and team size grow, customers are encouraged to upgrade to paid plans, which offer more comprehensive security testing, integration capabilities, and governance features.

Initially, Snyk struggled with monetization, pivoting from a self-serve model to enterprise sales in 2017. This shift proved successful, with the company closing its first commercial contract in March 2017 and reaching $100,000 ARR by August 2017.

The pivot to enterprise sales, coupled with expanded language support and governance features, drove significant growth. ARR reached $4M by 2018, $19M by 2019, and an estimated $250M by 2023, representing 25% year-over-year growth.

A key element of Snyk's strategy has been its focus on integrating security seamlessly into the development workflow. By offering plugins and integrations with popular development tools and platforms, Snyk reduces friction for adoption and usage, further fueling its growth. This developer-centric approach sets Snyk apart from traditional security vendors that typically target security teams or upper management.

Snyk has also expanded its product offerings beyond open source security to include container security, infrastructure-as-code security, and cloud security. This expansion allows for significant cross-sell opportunities within their existing customer base, increasing the potential revenue per customer and strengthening their position as a comprehensive developer security platform.

Competition

Snyk competes in the rapidly evolving developer security tools market, facing competition across multiple segments as it expands its product offerings.

Application security testing

In its core application security testing business, Snyk faces competition from other cybersecurity companies that, like Snyk, offer a full suite of application security tools, such as Synopsys ($51.5B), Checkmarx ($1B), and Veracode ($2.5B). Unlike Snyk’s self-serve sales motion, these companies sell to CIOs/CISOs in a top-down sales motion.

Snyk differentiates itself through its developer-first approach, integrating security scanning directly into the development workflow. This allows developers to catch and fix vulnerabilities earlier in the software development lifecycle, potentially reducing costs and improving efficiency compared to traditional "gate-keeper" security models.

Snyk's focus on open-source security gives it an edge in this space. Its vulnerability database, which covers multiple programming languages and frameworks, allows developers to proactively check for known issues in their dependencies. This is particularly valuable given that modern applications often consist of up to 80% third-party code.

Container and infrastructure security

As Snyk expanded into container and infrastructure-as-code (IaC) security, it began competing with specialized vendors like Aqua Security, Twistlock (now part of Palo Alto Networks), and Bridgecrew (also acquired by Palo Alto Networks).

In this segment, Snyk's advantage lies in its integrated platform approach, allowing customers to secure their entire software development pipeline - from code to cloud - within a single tool.

Snyk Container, for instance, not only scans for vulnerabilities in container images but also provides actionable remediation advice, leveraging Snyk's extensive vulnerability database. This integration with its core product allows Snyk to offer a more comprehensive security solution compared to point products.

Cloud security

With the launch of Snyk Cloud in 2022, the company entered the cloud security posture management (CSPM) market, competing against established players like Wiz, Orca Security, and Palo Alto Networks' Prisma Cloud.

This move expanded Snyk's total addressable market significantly but also placed it in competition with well-funded, fast-growing startups and large cybersecurity incumbents.

In this crowded field, Snyk aims to differentiate itself by leveraging its developer-centric approach and existing customer base. By integrating cloud security into its platform, Snyk can offer a unified solution that covers the entire software development and deployment process, potentially simplifying security management for its customers.

However, Snyk faces challenges in this space, as it lacks the deep expertise in cloud infrastructure that specialized CSPM vendors possess. Its success will depend on how effectively it can integrate its developer-focused strengths with robust cloud security capabilities.

GitHub + GitLab

Popular DevOps platforms like GitHub and GitLab have code scanning tools similar to Snyk’s Code and Open Source products, making them a viable alternative. With their existing relationships with millions of developers and developer-friendly tools, these can become key competitors to Snyk in the future.

TAM Expansion

Snyk has tailwinds from the growing importance of cybersecurity in software development and the shift towards DevSecOps practices. The company has the opportunity to grow and expand into adjacent markets like cloud security, API security, and enterprise-wide security platforms.

New verticals

Snyk recently launched Snyk Cloud for cloud security, the fastest-growing cybersecurity segment, expected to be worth $77B by 2026. API security is another large segment, expected to cross $10B by 2032 at a CAGR of 28%. By taking verticals that are still top-down and making them developer-first through developer-friendly tooling and documentation, Snyk can meaningfully expand its market.

New geographies

With 70% of Snyk’s revenue coming from North America, it can diversify to other countries. For instance, Asia Pacific and Japan contribute 10% to its revenue, and Snyk is doubling down on its presence there. It recently added more channel partners in Asia Pacific and Japan, growing its network 3x in 2022. 

Price increases

Snyk increases its bundle's price by adding new tools to it. For instance, in 2020, when it sold Snyk Open Source and Snyk Container, it priced the Team subscription at $1319 (25 seats) and the Business subscription at $3298 (50 seats). When it added Snyk Code and Snyk IaC to the bundle, it doubled the subscription price, with the Team subscription costing $2675 and the Business subscription $6916. As it adds more verticals like cloud and API security, it can further increase prices to expand revenue.

Risks

1. Serving different personas: As Snyk expands beyond its core developer-focused products into areas like cloud security that target CISOs, it risks diluting its developer-centric brand and expertise. Managing products for different personas (developers vs. security teams) requires distinct go-to-market strategies and product philosophies. This expansion could lead to internal conflicts, confused messaging, and suboptimal products if not carefully managed. Snyk may mitigate this by maintaining separate product teams with clear mandates.

2. Platform integration challenges: Snyk's strategy of expanding its platform through both internal development and acquisitions creates integration complexity. Ensuring a seamless user experience across internally-built and acquired components is critical but challenging. Poor integration could frustrate users and create openings for more focused competitors. To address this, Snyk must prioritize platform cohesion and potentially slow its acquisition pace to focus on integration.

3. Competition from code hosting platforms: GitHub and GitLab pose a significant threat as they expand their security offerings. These platforms have massive developer user bases and could rapidly gain market share by deeply integrating security features. Their existing relationships with developers could make it difficult for Snyk to maintain its position. Snyk may need to double down on its security expertise and consider deeper integrations or partnerships with these platforms to stay competitive.

Team
Peter McKay, CEO
Guy Podjarny, Founder and President
Ken Macaskill, CFO
Adi Sharabani, CTO
Jeff Yoshimura, CMO
Manoj Nair, CPO
Steve Kinman, CISO
Adriana Bokel Herde, Chief People Officer

DISCLAIMERS

This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.

This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.

Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.

Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.

All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.