Endor Labs vs Snyk
Jan-Erik Asplund
TL;DR: Founded in 2021, Endor Labs built a vulnerability scanner that determines which issues are actually threats, with the aim to eliminate the ~80% of false positives that train developers to ignore alerts. As agentic coding accelerates the output of both code & vulnerabilities, Endor Labs is betting that scanning is the wedge into building a big business in application security. Sacra estimates Endor Labs hit $15M in annual recurring revenue (ARR) at the end of 2025, up ~131% YoY from $6.5M in 2024. For more, check out our full report and dataset on Endor Labs.
Key points via Sacra AI:
- After selling their startups RedLock for $173M (October 2018) and Aporeto for $150M (January 2020), both to Palo Alto Networks (NASDAQ: PANW), Varun Badhwar and Dimitri Stiliadis took over a 400-person engineering org and saw first-hand how the ~80% false positive rate of traditional, Snyk-like static vulnerability scanners taught developers to ignore alerts—inspiring them to start Endor Labs (2021) as a scanner that uses reachability analysis to determine if vulnerable code is actually called by the application. Rather than flag every vulnerability across every open source library used in a codebase, Endor Labs surfaces only those that are actively exploitable, eliminating ~92% of false positives and making developers more productive, monetizing through top-down sales into CISOs and DevSecOps teams at an ARPC of $35K, vs. ~$72K for Snyk.
- Selling into security teams across both high product velocity AI companies (OpenAI, Glean, and Cursor) and tech giants (Atlassian, Navan, Snowflake), Sacra estimates Endor Labs hit $15M in annual recurring revenue (ARR) at the end of 2025, up 131% YoY from $6.5M in 2024, raising a $93M Series B in April 2025 led by DFJ Growth & Salesforce Ventures. Compare to Snyk at $326M ARR in February 2026, up 7% YoY, valued at $3.7B for an ~11x revenue multiple after decelerating from 27% growth the year prior, supply chain security platform Chainguard at $40M ARR in 2025, up 640% YoY, valued at $3.5B for an ~88x revenue multiple, and Palo Alto Networks (NASDAQ: PANW) at $9.56B in revenue in 2025, up 15% YoY, at a $136.6B market cap for a 14.3x revenue multiple.
- With ~25% of production code now generated by AI, but with ~40% of the dependencies imported by AI coding assistants containing security vulnerabilities, the noise of traditional scanning alerts has become a flood, making reachability analysis essential & motivating the launch of Endor Labs’s AURI (March 2026), a Skills plugin, MCP server and CLI for detecting actual vulnerabilities in real time inside coding assistants like Cursor & Claude Code. In contrast to Crowdstrike (NASDAQ: CROWD, $110B market cap), Zscaler (NASDAQ: ZS, $25B market cap) & Wiz (acquired by Google for $32B), no pure-play application security company has gone public or hit $10B+ in value since Imperva in 2011 (taken private for $3.6B in 2024), with Veracode selling to Broadcom ($950M), Checkmarx selling to PE ($1.15B), and Snyk marked now at $3.6B (down from $7.4B)—Endor Labs’s bet is that with AI coding agents generating the majority of new software, agentic application security becomes the necessary unlock for realizing the full revenue acceleration promised by agentic coding.
For more, check out this other research from our platform:
- Endor Labs (dataset)
- Snyk (dataset)
- Wiz (dataset)
- Valimail (dataset)
- Israel's YC of cybersecurity
- Rubrik: the Netflix of data backups
- Zachary Friedman, associate director of product management at Immuta, on security in the modern data stack
- Sam Li and Austin Ogilvie, co-CEOs of Laika, on the compliance-as-a-service business model
- Christina Cacioppo, CEO of Vanta, on the value of SOC 2 compliance for startups
- Shrav Mehta, CEO of Secureframe, on building a TurboTax for security compliance
- How Vanta, Secureframe and Laika are arming the rebels of B2B SaaS
- Rubrik (dataset)
- BigID (dataset)
- Lacework (dataset)
- Noname Security (dataset)
- Cribl (dataset)
- Netskope (dataset)
