Snyk Shifts Toward Code Scanning
Snyk at $326M ARR growing 7% YoY
The decline in Snyk Open Source shows that simple dependency scanning is no longer enough to carry developer security growth. Snyk built its early adoption by letting developers connect a GitHub repo and check third-party packages for known flaws, but that workflow became easier for rivals to copy and bundle. New growth has come from higher-value products like Snyk Code, while the older scanner has lost share with developers to faster, narrower tools like Semgrep and Endor Labs.
- Snyk Open Source was the original wedge. It helped Snyk reach 100K developers quickly by scanning open source dependencies in GitHub repos, but those users were hard to monetize because individual developers were often not the security budget owner. That pushed Snyk upmarket into enterprise bundles and governance features.
- By late 2024, Snyk Code had reached about $100M ARR, or roughly a third of revenue, and its growth was covering for weakness in the older dependency scanning product. That shift matters because code scanning is closer to where AI coding creates risk, inside the developer workflow as code is written and reviewed.
- Competition also changed shape. Semgrep and Endor Labs both target developers with modern app security tools, while larger platforms like Wiz, Palo Alto Networks, CrowdStrike, GitHub, and GitLab increasingly bundle adjacent security capabilities. That makes standalone open source scanning feel more like a feature than a product.
Going forward, the center of gravity in developer security will keep moving from finding known flaws in third-party code to catching risky code changes, AI-generated code, and misconfigurations before they ship. Snyk’s path back to faster growth depends on making that broader workflow indispensable inside the IDE, pull request, and enterprise policy stack.