IriusRisk, a threat modeling platform, today announced that it has raised $29 million in a Series B funding round led by Paladin Capital Group with participation from BrightPixel Capital, SwanLab Venture Factory, 360 Capital and Inveready. In a conversation with TechCrunch, CEO Stephen de Vries said that the proceeds will be focused on growing IriusRisk’s sales and marketing teams in the US and in Europe, the Middle East and Africa, as the company’s total proceeds reached nearly 40 million USD.
De Vries, who previously worked at cybersecurity firm Corsaire, KPMG and ISS as lead security advisor, said he realized that companies are wasting resources doing security checks on software that the developers did not design with security in mind. If developers can understand the vulnerabilities of their designs through threat modeling (i.e. identifying the types of threats that harm software), that will reduce the congestion caused by security assessments, de Vries hypothesized.
Indeed, threat modeling does not seem to be at the forefront at many organizations. In a Golfdale Consulting survey commissioned last year by cybersecurity vendor Security Compass, less than 10% of developers reported that threat modeling is implemented on 90% or more of the applications developed at their organization. Only 25% said their organizations had conducted threat modeling in the early stages of software development, such as requirements collection and design, before proceeding with development.
“Threat modeling is now established as a mandatory activity for secure software development,” said de Vries, pointing out that President Joe Biden’s recent executive order set threat modeling as a “recommended minimum” for application code verification. “Since threat modeling as an activity is still relatively new, organizations need to share strategies, tips and tricks for what works when implementing a threat modeling program – and what does not.”
IriusRisk uses a rules engine to “interpret” client-side and cloud-hosted codebases, using a template-driven approach to threat modeling. Users of platforms such as Amazon Web Services (AWS) CloudFormation, HashiCorp Terraform, and Microsoft Visio can use IriusRisk to import their code and automatically generate diagrams and threat models from it.
IriusRisk also offers an analytics module with reports and logs, which data analysts and scientists can use to interpret threat data from within their organization. To increase the granularity and accuracy of this data, customers can add components that are unique to their industry or company to IriusRisk’s pattern detection library, including components for AWS, Google Cloud, Azure and industrial control systems.
“IriusRisk enables engineering decision makers to apply security at the very beginning of the software development lifecycle, making it an easy implementation that can be consistently applied across the organization’s product portfolio, creating security by design at scale,” said de Vries. “Organizations benefit from IriusRisk’s extensive security standards libraries, including existing threat models for known components, comprehensive security standards, and compliance libraries, helping teams build secure software first and automatically address regulatory requirements.”
When asked about the competition, de Vries admitted that startups like Spectral have a similar approach to IriusRisk in some respects. But he insists that his company’s biggest competitors are behind the curve, doing the threat modeling manually with “whiteboards and possibly rudimentary tools.”
“We are focused on solving the problem of implementing threat modeling consistently and at scale, with minimal developer friction. We often talk to organizations… who are looking to perfect their approach by moving it out of the security team and into the engineering team,” added de Vries. “We are investing significantly in the broader threat modeling community.”
IriusRisk claims to have more than quadrupled its partner base through 2021 and grown its free offering, IriusRisk Community Edition, to 120% in terms of active users (just over 5,400). De Vries said more than 4,000 projects ran through the free platform last year, a number he expects to grow as IriusRisk launches its new open threat modeling format, expected in November, to enable better interoperability between the threat modeling engine and existing architecture and security tools.
“Our customers include six of the 30 systemically important banks globally and nine Fortune 100 companies… Government organizations are using the tool, as is a digital forensics company, supporting military end users,” said de Vries. “It is very typical for cybersecurity or application security teams to take our software and then deploy it to the broader engineering organization so that they have self-service relationship modeling capabilities. We’ve grown recurring revenue at over 106% year-over-year over the past two years and are now at 120% year-over-year growth.”
IriusRisk currently has 137 employees and plans to expand its headcount to 160 by the end of the year.