IriusRisk, a threat modeling platform, today announced that it has raised $29 million in Series B funding led by Paladin Capital Group with participation from BrightPixel Capital, SwanLab Venture Factory, 360 Capital and Inveready. CEO Stephen de Vries told TechCrunch that the proceeds will be used to grow IriusRisk’s sales and marketing teams in the US and in Europe, the Middle East and Africa, bringing the company’s total revenue to $40 million.
De Vries, who previously worked as a chief security consultant at cybersecurity firms Corsair, KPMG and ISS, said he realized companies were wasting resources on security testing of software that developers hadn’t designed with security in mind. If developers can use threat modeling to understand the security flaws in their designs — that is, identify the types of threats that can cause damage to software — it will reduce the bottleneck caused by security reviews, de Vries theorizes.
Indeed, threat modeling is not top of mind in many organizations. In a Gulfdale Consulting survey conducted last year by cybersecurity vendor Security Compass, fewer than 10% of developers reported that threat modeling was performed on 90% or more of the applications they worked on in their organization. Only 25% said their organizations performed threat modeling in the early stages of software development, such as requirements gathering and design, before moving on to development.
“Threat modeling is now established as an essential activity for secure software development,” said de Vries, citing threat modeling as the “recommended minimum” in President Joe Biden’s recent executive order for securing application code. “Because threat modeling as an activity is still relatively new, there is a need for organizations to share strategies, tips and tricks for what works — and what doesn’t — when launching a risk modeling program.”
IriusRisk uses a rules engine to “weight” client-side and cloud-hosted codebases, mapping out threats based on the patterns it finds. Users of platforms such as Amazon Web Services (AWS) CloudFormation, HashiCorp Terraform and Microsoft Visio can have IriusRisk import their code or diagrams and automatically generate the architecture diagram and threat model.
IriusRisk also offers an analytics module with reports and logs, which data analysts and scientists can use to interpret risk data within their organization. To increase the quality and accuracy of this data, customers can add components from IriusRisk’s pattern detection library that are specific to their industry or organization, including libraries for AWS, Google Cloud, Azure and industrial control systems.
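To make the “rules engine over imported infrastructure code” idea concrete, here is an added illustration of the general technique: a small pattern-matching engine that walks a CloudFormation-style template and emits threats with countermeasures. This is example code written for this article, not IriusRisk’s product or rules library; the sample template, the rule set and the threat wording are all constructed for the example, and it uses only a handful of real CloudFormation resource types and property names.

```python
"""Minimal pattern-based threat rules engine over an IaC template.

Added example (not IriusRisk's code). The template, rules and threat text
are constructed here to show how a rules engine maps IaC patterns to threats.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed CloudFormation-style template. Resource types and property
# names are real CloudFormation ones; the resources themselves are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AppDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"PubliclyAccessible": true, "StorageEncrypted": false}
    },
    "LogBucket":  {"Type": "AWS::S3::Bucket", "Properties": {}},
    "SafeBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": []}}
    }
  }
}
""")


@dataclass(frozen=True)
class Finding:
    resource: str        # logical resource name in the template
    threat: str          # what could go wrong
    countermeasure: str  # what the design should do about it


@dataclass(frozen=True)
class Rule:
    resource_type: str                 # CloudFormation type the rule applies to
    matches: Callable[[dict], bool]    # predicate over the resource's Properties
    threat: str
    countermeasure: str


def _admin_port_open_to_world(props: dict) -> bool:
    """True if SSH (22) or RDP (3389) is reachable from any IPv4 address."""
    for ingress in props.get("SecurityGroupIngress", []):
        if ingress.get("CidrIp") == "0.0.0.0/0" and ingress.get("FromPort") in (22, 3389):
            return True
    return False


# A tiny "pattern library": each rule is (type, pattern, threat, countermeasure).
RULES: List[Rule] = [
    Rule("AWS::EC2::SecurityGroup", _admin_port_open_to_world,
         "Remote administration port exposed to the internet",
         "Restrict ingress to trusted CIDRs or use a bastion / session manager."),
    Rule("AWS::RDS::DBInstance", lambda p: p.get("PubliclyAccessible") is True,
         "Database reachable from public networks",
         "Set PubliclyAccessible to false and place the instance in private subnets."),
    Rule("AWS::RDS::DBInstance", lambda p: not p.get("StorageEncrypted", False),
         "Database storage not encrypted at rest",
         "Set StorageEncrypted to true with a customer-managed KMS key."),
    Rule("AWS::S3::Bucket", lambda p: "BucketEncryption" not in p,
         "Bucket contents not encrypted at rest",
         "Add a BucketEncryption block using SSE-S3 or SSE-KMS."),
]


def evaluate(template: dict, rules: List[Rule] = RULES) -> List[Finding]:
    """Apply every rule to every resource whose Type matches; collect findings."""
    findings: List[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {}) or {}
        for rule in rules:
            if rule.resource_type == resource.get("Type") and rule.matches(props):
                findings.append(Finding(name, rule.threat, rule.countermeasure))
    return findings


def findings_by_resource(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group threat titles per resource, the shape a threat-model report needs."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.resource, []).append(f.threat)
    return grouped


if __name__ == "__main__":
    for resource, threats in findings_by_resource(evaluate(SAMPLE_TEMPLATE)).items():
        print(resource)
        for t in threats:
            print("  -", t)
```

The point of the structure is that the template parser and the rule set are separate: an organization extends coverage by adding `Rule` entries (the equivalent of an industry- or cloud-specific pattern library), not by changing the engine. Here `SafeBucket` produces no finding while `LogBucket`, `AppDb` and `WebSG` each surface threats paired with the design change that mitigates them.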
“IriusRisk enables technical decision-makers to bake in security from the very beginning of the software development lifecycle, which can easily be converted into an implementation that can be consistently implemented across an organization’s product portfolio and creates security by design at scale,” de Vries said. “Organizations benefit from IriusRisk’s extensive security standards library, which includes libraries for known entities, comprehensive security standards, and compliance libraries that help teams build secure software first and automatically address regulatory requirements.”
When asked about competition, de Vries admitted that startups like Spectral follow a similar approach to IriusRisk in some respects. But he insists the company’s biggest competitors are behind the curve, doing manual threat modeling “with whiteboards and maybe simple tools.”
“We’re focused on solving the problem of doing threat modeling consistently and at scale with minimal developer friction. We often talk to organizations … from the security team and out to the engineering teams looking to develop their approach,” added de Vries. “We’re making a big investment in the broader threat modeling community.”
IriusRisk claims to have more than quadrupled its partner base by 2021 and to have grown active users of its free offering, IriusRisk Community Edition, by 120% (to over 5,400). Last year, more than 4,000 projects were entered into the free platform. De Vries said IriusRisk expects that number to grow when it launches a new open threat model format, planned for November, which will allow better interoperability between the threat modeling tool and an organization’s existing security tooling.
“Our customers include six of the 30 global systemically important banks and nine Fortune 100 companies… Government organizations are using the tool as well as digital forensics companies that support military end users,” said de Vries. “It’s very common for application security or cybersecurity teams to adopt our software and release it to the broader engineering organization to leverage risk modeling capabilities themselves… We’ve grown annual recurring revenue over 106% year-over-year for the past two years and are currently on a 120% year-over-year growth rate.”
IriusRisk has 137 employees today and plans to increase its headcount to 160 by the end of the year.