How Snyk Found the Security Gap Nobody Wanted to Fix
From a free command-line tool to a $7.4 billion developer security giant — and the product philosophy that made it work.

I've been digging into Snyk's story for a while, and what keeps pulling me back isn't the valuation or the funding rounds. It's the insight. Three founders looked at an industry full of security products that developers actively hated using, and instead of building another one, they built something developers actually wanted.
That single philosophical shift is what separates Snyk from the SAST and DAST incumbents that came before it. Let me break down how they did it.
The Problem Nobody Was Solving Correctly
By 2015, the open-source ecosystem had become the backbone of modern software. A single Node.js project could pull in hundreds of transitive dependencies, and every one of those packages was part of its attack surface.
Security teams knew this. They had tools: Veracode, Checkmarx, HP Fortify. These products were technically capable. They were also slow, expensive, and deeply unpopular with the people who actually needed to act on their findings.
A scan might run overnight and return thousands of findings. The results would land on a developer's desk like a punishment memo, a "wall of shame" with no clear prioritization, no guidance on what to fix first, and certainly no automated path to resolution. Developers, facing sprint deadlines and product pressure, did the rational thing: they ignored the reports entirely.
Security became a silo. The gap between "code being written" and "code being secured" grew wider every year.
The traditional security tools were built for security teams, not developers. They were scanners, not fixers. They told you what was wrong, but left you to figure out the rest.
The core insight that Snyk was founded on wasn't about vulnerability databases or scan accuracy. It was simpler and more fundamental than that:
Open-source vulnerabilities weren't a knowledge problem. They were a workflow problem.
Security tooling needed to live where developers worked, which was in their terminals, their pull requests, and their CI/CD pipelines. Not in a separate dashboard that required a change request to log into.
The Founding Story: Three Backgrounds, One Insight
Guy Podjarny, Assaf Hefetz, and Danny Grander founded Snyk in London in July 2015. What made them unusual in the security landscape wasn't just their technical depth, it was the combination of backgrounds they brought to the table.
Podjarny had been CTO of Akamai's Web Experience business. Grander was a former military intelligence officer with deep vulnerability research expertise. Hefetz brought engineering and product experience. Together, they were rare: people who understood security threats at a technical depth and genuinely understood how developers thought, worked, and made tooling decisions.
The name Snyk stands for "So Now You Know" — and the philosophy was built into the product from day one.
The First Move: Give It Away for Free
Rather than building an enterprise product and hunting for CISO relationships, Snyk launched a free CLI tool that let any developer scan their Node.js project for known vulnerabilities. No sales meeting. No lengthy procurement process. No security team approval required. You typed a command and got actionable results in seconds.
In the security industry of 2015 — where the standard motion was a top-down enterprise sale — this was close to heresy. It turned out to be the entire strategy.
The Business Model: Freemium as a Trojan Horse
Snyk's growth engine is often described as "product-led growth" or "bottom-up adoption," but that undersells how deliberately it was designed. The free tool wasn't charity — it was a distribution strategy built to exploit a specific gap in how enterprise software gets adopted.
The funnel worked like this:
- A developer installs the free CLI.
- They integrate it into their daily workflow.
- They introduce it to their team.
- Security or engineering leadership formalizes it.
- Customers expand from Snyk Open Source to Code, Container, IaC, and AppRisk.
The metric that validated this model was Net Revenue Retention (NRR), which exceeded 130% in late 2022. That means Snyk's existing customers grew their spend by 30% year-over-year — even before counting a single new customer acquisition.
Customers weren't just staying. They were buying more. The freemium tool was the razor; the enterprise platform was the blades.
Developer-First vs. Security-First: The Decisive Difference
To really understand why Snyk worked where others hadn't, you have to look at the product philosophy side-by-side with incumbents.
Old Guard (CISO-first):
- Long sales cycles to CISOs and security buyers
- Scans ran overnight; results available the next morning
- Thousands of unactionable, unprioritized findings
- Reports only — no automated fix path
- Developers avoided the tools entirely
Snyk (developer-first):
- Bottom-up adoption, led by individual developers
- Results in seconds, inline in the IDE or PR
- Prioritized, context-aware findings
- Automated fix suggestions surfaced as pull requests
- Developers chose to use the tools
That last point deserves its own emphasis. When Snyk detected a vulnerable dependency, it didn't just tell you about it. It opened a PR that fixed it, typically by bumping the dependency to a version that contains the fix. A developer could see a vulnerability and resolve it in under a minute without leaving GitHub.
This single feature transformed security from a blocker into an accelerant. It aligned perfectly with the "Shift Left" philosophy gaining momentum across the industry: move security earlier in the development lifecycle instead of making it a last-minute gate before deployment.
When security helps you ship faster instead of slowing you down, developers stop avoiding it.
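To make the scanner-versus-fixer distinction concrete, here is an added example (my code, not Snyk's) of the loop described in the two sections above: walk a Node.js project's resolved dependency tree, match every transitive package against an advisory feed, report each finding with the dependency path that explains why the package is present, and then compute the smallest upgrade of a direct dependency that makes the finding go away, rendered as the body of a fix PR. The registry, package names, versions and advisories are all constructed for illustration, the version logic covers only plain three-part semver with simple comparison ranges, and a real tool would read package-lock.json and a live advisory database and open the PR through the Git host's API.

```javascript
// Added example, not Snyk's code. Every package, version and advisory below is constructed.

// Constructed registry: package -> version -> the dependencies that version resolves to.
const REGISTRY = {
  'web-framework': {
    '2.1.0': { 'body-parse': '1.0.3', 'query-util': '0.9.1' },
    '2.1.1': { 'body-parse': '1.0.4', 'query-util': '0.9.1' },
    '2.2.0': { 'body-parse': '1.0.4', 'query-util': '1.0.2' },
  },
  'report-gen': { '1.4.2': { 'query-util': '0.9.1' }, '1.5.0': { 'query-util': '1.0.2' } },
  'body-parse': { '1.0.3': { 'raw-decode': '3.2.0' }, '1.0.4': { 'raw-decode': '3.2.4' } },
  'query-util': { '0.9.1': {}, '1.0.2': {} },
  'raw-decode': { '3.2.0': {}, '3.2.4': {} },
};

// Constructed advisory feed; ranges use the "<x.y.z" / ">=x.y.z <x.y.z" style real feeds use.
const ADVISORIES = [
  { id: 'ADV-0001', pkg: 'raw-decode', range: '<3.2.4', severity: 'high', cvss: 7.5, title: 'prototype pollution in decode()' },
  { id: 'ADV-0002', pkg: 'query-util', range: '>=0.9.0 <1.0.0', severity: 'medium', cvss: 5.3, title: 'ReDoS in parse()' },
];

// The project's direct dependencies as pinned in its manifest (constructed).
const DIRECT = { 'web-framework': '2.1.0', 'report-gen': '1.4.2' };

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Plain three-part semver comparison: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A range is a space-separated list of "<op>version" terms that must all hold (subset of semver).
function satisfies(version, range) {
  return range.split(/\s+/).every((term) => {
    const [, op, v] = term.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
    const c = compareVersions(version, v);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op || '='];
  });
}

// "name@version" -> [name, version]; lastIndexOf keeps scoped names like @scope/pkg intact.
function splitKey(key) {
  const at = key.lastIndexOf('@');
  return [key.slice(0, at), key.slice(at + 1)];
}

// Depth-first walk from one direct dependency, collecting every (advisory, version, path) hit.
// The path is what a flat list of CVEs never shows: which direct dependency dragged this in.
function findVulnerablePaths(name, version, path = [], out = []) {
  const key = `${name}@${version}`;
  if (path.includes(key)) return out; // cycle guard; real lockfiles can contain cycles
  const here = [...path, key];
  for (const adv of ADVISORIES) {
    if (adv.pkg === name && satisfies(version, adv.range)) out.push({ ...adv, version, path: here });
  }
  for (const [dep, depVersion] of Object.entries(REGISTRY[name][version])) {
    findVulnerablePaths(dep, depVersion, here, out);
  }
  return out;
}

// Scan every direct dependency and order findings by CVSS, highest first (the prioritization step).
function scan(direct = DIRECT) {
  const findings = [];
  for (const [name, version] of Object.entries(direct)) findVulnerablePaths(name, version, [], findings);
  return findings.sort((a, b) => b.cvss - a.cvss);
}

// The "fix" half: the lowest newer version of the direct dependency at the head of the path whose
// resolved subtree no longer matches the advisory. Returns null when no published version helps.
function suggestFix(finding) {
  const [rootName, rootVersion] = splitKey(finding.path[0]);
  const candidates = Object.keys(REGISTRY[rootName])
    .filter((v) => compareVersions(v, rootVersion) > 0)
    .sort(compareVersions);
  for (const v of candidates) {
    if (!findVulnerablePaths(rootName, v).some((f) => f.id === finding.id)) return v;
  }
  return null;
}

// Collapse per-finding fixes into one upgrade per direct dependency (the highest required version
// covers every finding beneath it) and render the pull request body a developer would merge.
function buildFixPr(findings) {
  const upgrades = {};
  for (const f of findings) {
    const [root, from] = splitKey(f.path[0]);
    const to = suggestFix(f);
    if (to === null) continue;
    if (!upgrades[root] || compareVersions(to, upgrades[root].to) > 0) upgrades[root] = { from, to };
  }
  const lines = ['## Fix vulnerable dependencies', ''];
  for (const [root, { from, to }] of Object.entries(upgrades)) lines.push(`- Upgrade \`${root}\` ${from} -> ${to}`);
  lines.push('', 'Findings addressed:');
  for (const f of findings) lines.push(`- ${f.id} (${f.severity}, CVSS ${f.cvss}) ${f.title} via ${f.path.join(' > ')}`);
  return { upgrades, body: lines.join('\n') };
}

// CI gate: exit code 1 when any finding meets the severity threshold, the way a scanner's exit
// status is used to fail a pipeline stage.
function gate(findings, threshold = 'high') {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]) ? 1 : 0;
}

const scanResult = scan();
console.log(buildFixPr(scanResult).body);
console.log(`gate exit code: ${gate(scanResult)}`);
```

Two things in this toy are the whole argument of the section. The dependency path turns "raw-decode is vulnerable" into "web-framework 2.1.0 is why raw-decode 3.2.0 is in your tree", which is the information a developer needs to act. And suggestFix searches for the smallest bump of the direct dependency that resolves the finding, so the PR touches only the manifest the developer already owns rather than asking them to reason about a transitive package they never chose.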
From CLI Tool to Security Platform
Snyk's original product covered one surface: open-source dependencies. Modern applications have many more. The company systematically expanded to cover each one — both organically and through strategic acquisitions:
- Snyk Open Source (2015): The original product. Still the core of the business.
- Snyk Container (2019): Vulnerability scanning for container images and the Kubernetes workloads that run them.
- Snyk IaC (2020): Catches misconfigurations in Terraform, CloudFormation, and Kubernetes YAML before they hit production.
- Snyk Code (2020, via DeepCode acquisition): AI-powered SAST for first-party code. Reached $100M ARR standalone in 2023.
- Snyk AppRisk (2023): Application risk management built from acquisitions of Enso Security and Helios.
- AI Security Platform (2024–25): Tooling for securing AI-generated code and LLM supply chains.
Each new product addressed a real developer workflow problem and could be sold to the same enterprise buyer already paying for Open Source. That's the "land and expand" motion that made NRR above 130% structurally defensible: the upsells were natural extensions, not forced cross-sells.
The Growth Numbers
Snyk's revenue trajectory tells a clear story:
| Year | Revenue | Net Loss |
|---|---|---|
| 2017 | $0.1M | — |
| 2018 | $4M | — |
| 2019 | $22M | — |
| 2020 | $55M | — |
| 2021 | $95M | — |
| 2022 | $147M | -$267M |
| 2023 | $220M | -$176M |
| 2024 | $278M | -$167M |
| 2025 ARR | $407.8M | — |
A few phases stand out:
2015–2018 — Seeding the ground. Near-zero revenue while building developer adoption and proving the PLG model worked. Enterprise sales was only just beginning.
2019–2021 — Hypergrowth. The pandemic accelerated cloud adoption and DevOps spend in ways that benefited Snyk enormously. Headcount grew over 200% YoY at peak. The 2021 Series F at an $8.5B valuation reflected both genuine momentum and peak market enthusiasm.
2022 — The reckoning. Revenue doubled to $147M but losses hit $267M. Snyk was spending aggressively to capture market share in a still-frothy funding environment.
2023–2025 — Maturity. The company shifted focus. Two rounds of layoffs reduced costs. Losses began falling. ARR crossed $400M. An IPO entered the conversation.
The Funding Journey: $1.7 Billion Raised
| Round | Year | Amount | Notable Investors |
|---|---|---|---|
| Seed | 2016 | $3M | Boldstart Ventures, Canaan Partners |
| Series A | 2018 | $7M | — |
| Series B | 2018 | $22M | — |
| Series C | 2019 | $70M | Accel Partners |
| Series D | 2020 | $150M | — |
| Series F | 2021 | $530M | Tiger Global, Accel, Salesforce Ventures, Atlassian Ventures |
| Series G | 2022 | $196.5M | Qatar Investment Authority |
The strategic investors are worth noting. Salesforce Ventures and Atlassian Ventures didn't invest purely for returns; they saw Snyk as a natural complement to their developer ecosystems. ServiceNow followed with a $25M strategic investment in early 2023. When your cap table includes the platforms your customers already use every day, distribution gets easier.
The Headwinds Are Real
Snyk's story isn't without complexity. A few genuine challenges are worth examining honestly.
Valuation reset. The implied valuation has dropped more than 50% from the $8.5B peak in secondary market transactions. That's a common story for 2021-era unicorns, but it matters for the IPO narrative.
Growth deceleration. Revenue growth slowed to roughly 12% in mid-2025. For context: Palo Alto Networks, CrowdStrike, and Zscaler are growing at 16–21%, from a significantly larger base. Snyk needs to close that gap before hitting public markets.
Continued losses. At roughly $167M net loss in 2024 (see the table above), profitability isn't imminent. Public market investors will want a credible path.
Platform competition. GitHub (Microsoft) now bundles Dependabot and GitHub Advanced Security (code scanning, secret scanning) into the platform developers already live in. GitLab has embedded security across its entire DevOps offering. Both can make "reduce tool sprawl" arguments to enterprise buyers who already pay them.
Next-gen challengers. Endor Labs raised $188M with a fresh approach to dependency lifecycle management, going after the same problem that built Snyk's initial moat.
The AI Tailwind
The most significant variable in Snyk's favor is one that barely existed three years ago: AI-generated code at scale.
GitHub Copilot, Cursor, and similar tools are producing code faster than any security review process can track. Some of that code ships with vulnerabilities. Snyk's positioning as a security layer for the AI coding era is genuinely differentiated, and it's a problem the old CISO-first vendors are poorly positioned to solve, because the risk lives in individual pull requests, not in enterprise compliance dashboards.
The application security market was valued at $33.7 billion in 2024 and is projected to reach $55 billion by 2029. If Snyk maintains its developer-first positioning while adapting to AI workflows, the market opportunity is still enormous.
What Builders and Security Engineers Can Take Away
After researching this in depth, here are the six lessons I keep coming back to:
1. Find the unloved end user. Everyone was selling to CISOs. Snyk sold to developers. By identifying the end user who was underserved by existing tools, they built genuine, habitual adoption that no enterprise sales motion could replicate.
2. Give away the razor. The free CLI was a distribution strategy. Building a habit before asking for money meant enterprise deals came inbound, not from cold calls.
3. Fix, don't just alert. Telling users about a problem adds friction. Fixing it for them with an automated pull request creates value. The shift from scanner to fixer was Snyk's most consequential product decision.
4. Ride the movement, don't just describe it. "Shift Left" was an industry-wide philosophical transition already in motion. Snyk positioned itself as the category leader of something that was already happening, which is much easier than trying to start a new movement from scratch.
5. Land and expand, but make the expansion natural. Each new product (Container, IaC, Code) addressed a genuine workflow problem — it wasn't just feature-stuffing to inflate ARPU. The upsells worked because they were real.
6. Hypergrowth has a cost, and you will eventually have to pay it. Snyk's 2022 losses of $267M on $147M revenue aren't unusual for venture-scale companies, but they illustrate that "grow at all costs" is a strategy with a defined shelf life. The path to IPO requires a credible profitability story, not just a growth one.
Final Thought
Snyk found a gap the entire security industry had looked past for years: the developer who needed security to be fast, integrated, and actionable — not a compliance checkbox handed down from a security team.
By building for that person instead of the CISO, they created a product people actually wanted to use. That turned out to be a more durable moat than any top-down enterprise relationship.
The open questions — IPO timing, profitability, competition from bundled platforms — are real. But they're the questions of a company that has already won the first battle. The harder question, which Snyk answered early and convincingly, was whether developers would use it at all.
They answered that one a long time ago.
Sources: UK Companies House filings, Contrary Research, Sacra, company announcements, GetLatka estimates. Data current as of June 2026.