Semgrep

1.1 Identity and Founding

Semgrep, Inc. is an application security company headquartered in San Francisco, California. The legal entity was incorporated on May 15, 2017. The company was originally operated under the name r2c (Return to Corporation) before rebranding to Semgrep as the flagship open-source product gained traction. The founders—Isaac Evans, Drew Dennison, and Luke O'Malley—are all MIT electrical engineering and computer science graduates who met in Simmons Hall as undergraduates and began collaborating on security projects as students. The founding story began with the founders' shared frustration that software security was inaccessible to most developers, requiring specialized skills available only at a handful of large tech companies. In 2016, the founders started exploring the software security landscape and in 2019 discovered a dormant open-source project called sgrep, originally built at Facebook. They revived and expanded it during an internal hackathon, adding broader language support and higher-level code analysis capabilities. In 2020 the project was renamed Semgrep to reflect its new identity and broader mission. The company's mission is to "make it expensive to exploit software" by bringing world-class security tools to both software and security engineers. Semgrep's approach centers on extensibility: security rules look like the source code they analyze, enabling any developer—not just specialists—to write, share, and extend scanning rules. This democratization philosophy has powered a large open-source community and accelerated enterprise adoption. As of May 2026, Semgrep powers 75M+ source-code security scans per year across 40+ programming languages and has shipped 100+ releases including weekly updates. [CO001, CO002, CO003, CO004, CO005, CO006]

1.2 Leadership, Board, and Governance

Semgrep's executive team is founder-led. Isaac Evans serves as Chief Executive Officer, guiding product vision and overall company strategy. Drew Dennison serves as Chief Technology Officer and leads core engineering and technical architecture. Luke O'Malley serves as Chief Product Officer and oversees product management and user experience. All three founders have maintained their original roles since inception—CEO, CTO, and CPO respectively—a structure they identified as natural during a joint MIT project as undergraduates. In conjunction with the February 2025 Series D, Semgrep made two strategic executive hires and one governance addition. Garrett Souza joined as Vice President of Sales, bringing enterprise sales experience from Matillion (SVP Americas) and Snyk (Enterprise Sales Leader). Mark McLaughlin, former CEO of Palo Alto Networks, joined as an Angel Investor and Advisor, providing operational guidance on scaling a security company. Matt Murphy, Partner at Menlo Ventures, joined as a new Board Member upon completion of the Series D. The board and investor base include Menlo Ventures (Series D lead, board seat), Lightspeed Venture Partners (Series C lead), Redpoint Ventures, Sequoia Capital, Felicis Ventures, and Harpoon Ventures. The company does not publicly disclose formal board composition beyond these investors. The three founders remain the primary operational decision-makers, creating a meaningful key-person concentration across Evans, Dennison, and O'Malley. Isaac Evans authored the Series D announcement and public communications, reinforcing his role as the company's primary public voice. [CO013, CO014, CO015, CO016, CO017, CO018]

1.3 Funding History and Capital Structure

Semgrep has raised $204M in total funding across four rounds since its first institutional close in October 2020. The funding trajectory reflects rapid scaling from seed-stage infrastructure to a full enterprise AppSec platform over approximately five years. The most recent round, a $100M Series D announced February 5, 2025, was led by Menlo Ventures with participation from all existing investors: Felicis Ventures, Harpoon Ventures, Lightspeed Venture Partners, Redpoint Ventures, and Sequoia Capital. Prior to the Series D, Semgrep raised a $53M Series C in April 2023 led by Lightspeed Venture Partners. The Series B closed July 2021 and the Series A closed October 2020. The company is privately held and has not disclosed revenue metrics, margins, or annual recurring revenue publicly. Tracxn reports 257 employees as of March 2026. The Series D valuation has not been formally disclosed; contemporaneous reporting placed Semgrep in the unicorn range given the round size, sector comparables, and investor participation, though no official figure has been published. The funds are designated for AI and program analysis talent acquisition, product awareness expansion, and go-to-market team growth including geographic expansion in Europe and Asia-Pacific. The investor syndicate is composed entirely of institutional U.S. venture capital firms with no disclosed strategic or corporate investors. The absence of strategic investors preserves Semgrep's independence as a platform serving multiple enterprise customers who may also be technology partners or competitors of potential strategic investors. Semgrep's disclosure profile is private-undisclosed: no financial statements, ARR, or revenue growth metrics are publicly available as of May 2026. [CO023, CO024, CO025, CO026, CO027, CO028]

1.4 Product Platform and Scale

Semgrep's commercial AppSec Platform comprises four interconnected products built on top of the open-source Semgrep engine. Semgrep Code (SAST) provides static application security testing with cross-file and cross-function taint analysis, supporting 30+ languages. Semgrep Supply Chain (SCA) performs reachability-aware software composition analysis, surfacing only vulnerabilities in code paths that are actually called rather than every CVE in every imported package. Semgrep Secrets detects hard-coded credentials using semantic analysis and entropy analysis with live credential validation. Semgrep Assistant is an AI layer that auto-triages findings, suppresses approximately 20% of SAST false positives on day one (improving to ~40% with codebase learning), generates remediation guidance, and can open pull requests with suggested code fixes. The open-source Semgrep Community Edition (CE) underpins the commercial platform and remains free under LGPL-2.1 for individual and non-commercial use. As of May 2026, the GitHub repository has accumulated 14,300+ stars and is used by hundreds of thousands of developers including security engineers at GitLab, Dropbox, Slack, Figma, Shopify, HashiCorp, and Snowflake. The platform powers 75M+ code scans per year across 40+ languages and supports 3,000+ community-contributed rules. The commercial platform is sold as a SaaS product at $30/month/contributor for SAST or SCA (Teams tier) and $15/month/contributor for Secrets, with custom Enterprise pricing for large organizations and on-premises deployments. An MCP server released in 2025 enables AI coding assistants (Cursor, VS Code, Claude Desktop) to invoke Semgrep scans in real time during AI-assisted development, directly addressing the growing "vibe coding" risk of LLM-generated code containing security vulnerabilities. Semgrep's Managed Scanning feature handles CI/CD configuration on behalf of customers, reducing time-to-first-finding from weeks to hours. [CO033, CO034, CO035, CO036, CO037, CO038]

1.5 Key Milestones and Adverse Events

Semgrep's development from a dormant open-source project to a $204M-funded enterprise platform spans approximately nine years. The company's milestone trajectory is characterized by three phases: open-source community building (2017–2020), enterprise product expansion and funding acceleration (2021–2023), and AI-augmented platform scaling (2024–2026). The most significant adverse event in Semgrep's history is the December 2024 open-source license restriction. Semgrep renamed its OSS project to "Semgrep Community Edition," introduced a proprietary "Semgrep Rules License" restricting commercial use of rules, and migrated features including fingerprinting, tracking ignores, and certain metavariables from the Community Edition to the commercial platform. This triggered significant backlash from the security and developer community. On January 23, 2025, a coalition of 10+ application security companies—including Aikido Security, Endor Labs, Amplify Security, Jit, Orca Security, and Mobb—launched Opengrep, a fork of the last fully-featured CE codebase, restoring the locked features under LGPL-2.1. Critics described the license change as a "rug pull" that alienated contributors who had invested in the Semgrep ecosystem. Semgrep defended the change as necessary to prevent competitors from commercializing its rules, and the underlying engine remains LGPL-2.1 licensed. The Opengrep project has 2,100+ GitHub stars and a dedicated full-time OCaml development team as of early 2026. Despite the controversy, Semgrep announced the $100M Series D just two weeks after the Opengrep fork launch, suggesting investor confidence remained intact. The company added veterans from Palo Alto Networks, Snyk, and Matillion to its leadership team and articulated a clear roadmap toward autonomous AppSec engineering. [CO042, CO043, CO044, CO045, CO046, CO047]

1.6 Exhibits

2.1 Market Boundary and Definition

Semgrep operates in the application security testing (AST) market, specifically the developer-first SAST, SCA, and secrets detection segment. The AST market broadly includes static analysis (SAST), dynamic analysis (DAST), interactive analysis (IAST), runtime protection (RASP), and software composition analysis (SCA) tools. Semgrep's addressable market excludes DAST, IAST, and RASP — categories where it does not currently compete — as well as penetration testing services, red-team consulting, and infrastructure security tools. The market boundary matters because analyst estimates range from $1.83 billion (MarketsandMarkets, narrow AST tool scope, 2025) to $11+ billion (Mordor Intelligence, broad DevSecOps platform scope, 2026). Neither extreme precisely reflects Semgrep's addressable segment; the developer-facing SAST/SCA/Secrets SAM is estimated at approximately $2–3 billion. Status-quo substitutes — manual code review, ad-hoc linting, and no-tool approaches — represent the largest single alternative Semgrep displaces, and winning these situations requires demonstrating speed, low false-positive rates, and minimal integration friction. [CM034, CM039]

2.2 Market Sizing: TAM, SAM, and SOM

The TAM for Semgrep's ecosystem is anchored by the global DevSecOps platform market, projected at $10.88 billion in 2026 by Mordor Intelligence (CAGR 22.1% through 2031) and $11.07–11.49 billion per Coherent Market Insights and Fortune Business Insights. These figures use the broadest definition, encompassing DevSecOps orchestration, CI/CD security automation, and compliance management alongside SAST/SCA tools. The narrower AST tool market — MarketsandMarkets' scope most directly comparable to Semgrep's product footprint — was $1.83 billion in 2025 (CAGR 26.7% to 2031), implying approximately $2.3 billion by 2026. The SCA standalone market (Grand View Research) grew from $266.2 million in 2023 at a 19.87% CAGR, projected to reach $880.6 million by 2030. These figures are consistent: Semgrep Supply Chain competes within this segment. Multiple analyst sources exhibit wide spread (2:1 to 6:1 ratio) largely explained by differing scope definitions, not methodological error. The SAM for Semgrep — developer-facing SAST/SCA/Secrets for CI/CD-integrated teams — is estimated at approximately $2–3 billion for 2026. Bottom-up validation: GitHub reports 100+ million total developers globally; if 10% are at organizations with formal AppSec programs, and each contributes $30/month at full conversion, the theoretical SOM ceiling exceeds $3.6 billion annually. In practice, penetration is far lower. Semgrep's realistic SOM in a 3–5 year horizon, assuming 6% share of SAM at current growth trajectory, is estimated at $150–300 million. [CM001, CM002, CM003, CM004, CM005, CM006]

2.3 Buyer Segmentation and Adoption Path

The AppSec buyer landscape segments by organization size, budget ownership, and workflow entry point. In large enterprises (1,000+ employees), the CISO or AppSec program lead holds final budget authority; purchases are typically driven by regulatory mandates, breach experience, or board-level security program buildout. This segment controls 64% of AST market revenue by organization size (Business Research Insights). Security engineers are the primary users; procurement involves formal RFP, security questionnaire, and 90–180 day cycles. In mid-market and SMB segments, the VP Engineering or CTO drives purchases with limited CISO oversight. Semgrep's product-led growth (PLG) motion is particularly effective here: developers adopt the Community Edition organically, validate value in CI, and convert to Teams at $30/contributor/month. The free-to-paid transition is triggered by scale (>10 repositories) or security program formalization. Government and regulated verticals (BFSI, healthcare) exhibit different dynamics: compliance officers and formal procurement dominate, timelines are longer, and FedRAMP/HIPAA mandates create predictable demand. North America accounts for 35–42% of the global AST market by geography (consistent across Mordor, MarketsandMarkets, BRI), making it Semgrep's highest-priority market. Asia-Pacific is the fastest-growing region (22–25% CAGR) but with longer sales cycles and distinct regulatory frameworks. [CM010, CM011, CM012, CM013, CM035, CM036]

2.4 Growth Drivers

Four structural tailwinds drive AppSec market growth through 2028 and directly benefit Semgrep. First, AI-generated code is creating a new vulnerability surface. Mordor Intelligence attributes +2.9% to the DevSecOps CAGR from this driver. Gartner (via Veracode) reports 65% of engineering leaders say teams already use AI tools. GitHub Octoverse 2024 reports a 59% surge in generative AI project contributions and 98% increase in AI projects on GitHub in 2024. Sonatype's 2026 report confirms AI-assisted development is increasing dependency change velocity and introducing incorrect package selections. Semgrep's MCP server, AI-native rules, and vibe-coding security positioning directly address this need. Second, regulatory tailwinds are structural: the EU Cyber Resilience Act mandates vulnerability reporting within 24 hours by September 2026 and full enforcement by December 2027, with fines up to €15 million or 2.5% of global turnover. Futurum Group's 2H 2025 survey (n=1,008) found 73.2% of organizations expect cybersecurity budget increases. Third, software supply chain attacks are accelerating: Sonatype identified 512,000+ malicious packages in 2024; 97% of codebases contain open-source components (Black Duck OSSRA 2025). SBOM mandates are converting supply chain risk into a compliance procurement driver for Semgrep Supply Chain. Fourth, shift-left adoption is now mainstream: 56% of developers say their organization has adopted a DevSecOps platform (GitLab 2024); 72% of enterprises with 500+ employees have integrated SAST into pipelines (Grand View Research 2024). [CM014, CM015, CM016, CM017, CM019, CM020]

2.5 Adoption Constraints and Risks

Five material constraints limit AppSec adoption velocity and affect Semgrep specifically. Tool fatigue and false positives are the most acute. Traditional SAST false positive rates run 30–70% per multiple industry studies. Sixty-two percent of respondents in the Cypress Data Defense 2025 survey admitted releasing vulnerable code to meet deadlines. Latio's 2026 report describes AppSec as "a discipline in crisis." The consequence is alert fatigue: 58% of AppSec professionals encounter false positives frequently. Talent shortage compounds this: the global cybersecurity workforce gap is 4.8 million professionals (ISC2 2024). Only 30% of organizations consider themselves at a mature DevSecOps level (Checkmarx 2025). This creates both opportunity (automation substitutes for headcount) and adoption risk (under-resourced teams delay purchase). Market concentration risk exists: 43% of organizations are at the lowest AppSec maturity level (Gartner). This segment is accessible only via the free tier; conversion is complicated by the Opengrep fork offering a free alternative. Platform consolidation by incumbents is accelerating: enterprises managing 7+ security tools (Endor Labs) are consolidating toward platforms with broader code-to-cloud coverage. Checkmarx, Snyk, GitHub Advanced Security, and Wiz are building capabilities that overlap with Semgrep's. Latio 2026 notes the silent death of standalone ASPM as a category. [CM023, CM024, CM025, CM026, CM027, CM028]

2.6 Exhibits

3.1 Competitive Landscape Overview

The application security testing competitive landscape has five meaningful categories relevant to Semgrep: (1) developer-first SAST/SCA peers that compete directly for the same buyer and user; (2) code-quality incumbents with security features; (3) enterprise SAST/SCA platform leaders; (4) the Opengrep fork as a free substitute for Semgrep's OSS community funnel; and (5) cloud security platforms extending into code scanning. Semgrep is not the largest SAST vendor by revenue or enterprise install base. The largest developer-first security company by revenue is Snyk ($407M 2025 revenue, $7.4–8.5B valuation, ~1,278 employees), which offers comparable SAST (Snyk Code), SCA (Snyk Open Source), Container, and IaC scanning. GitHub Advanced Security (GHAS) is structurally advantaged by being native to GitHub's 100M+ developer ecosystem and priced at $30/committer/month — identical to Semgrep Code. SonarQube holds the largest SAST install base by developer count (7M+ developers, 15% SAST market share) but competes primarily on code quality and technical debt rather than security-first analysis. Checkmarx One ($150M+ ARR, 860+ enterprise customers) leads the enterprise SAST/SCA segment. The Opengrep fork, launched January 23, 2025 by a 10-company consortium, directly threatens Semgrep's OSS-to-enterprise adoption funnel by offering free, restored CE-equivalent features under LGPL-2.1. Opengrep has 2,100+ GitHub stars, 26 releases, and claims 3.15x scan speed improvements in some benchmarks vs. Semgrep CE. Status-quo substitutes — manual code review, generic linters, and no-tool approaches — remain the most common alternative for companies that have not formalized an AppSec program. [CP001, CP002, CP003, CP004, CP005, CP006]

3.2 Direct Developer-First Peers: Snyk and GitHub Advanced Security

Snyk is the most direct competitor to Semgrep across product, market, and GTM motion. Snyk Code (SAST, powered by DeepCode AI acquisition, 2020), Snyk Open Source (SCA), Snyk Container, and Snyk Infrastructure as Code overlap all four of Semgrep's commercial products. Snyk's $407M 2025 revenue and 5,000+ customers demonstrate validated enterprise demand for developer-first AppSec. However, Snyk's 2023 layoffs (12% headcount reduction) and decelerated revenue growth suggest the hypergrowth phase has concluded, and the company is optimizing for profitability ahead of a potential IPO or strategic exit. Snyk's pricing overlaps Semgrep's ($25–30/developer/month for SAST); the key competitive dimension is ecosystem breadth (Snyk has Container/IaC; Semgrep has more flexible SAST rule authoring). GitHub Advanced Security (GHAS) represents a structural distribution threat rather than a product technology threat. GHAS is powered by CodeQL (acquired by GitHub 2019), Dependabot (SCA), and Secret Scanning. The March 2025 rebrand split GHAS into two products: GitHub Code Security ($30/committer/month) and GitHub Secret Protection ($19/committer/month). GitHub Copilot Autofix generates PR-ready code patches directly in pull requests, creating a seamless developer UX. GHAS's structural advantage is GitHub's 100M+ developer ecosystem: for any organization using GitHub, GHAS is already present in the platform and requires no additional vendor relationships. Many security teams run both GHAS and Semgrep — CodeQL for deep nightly semantic analysis, Semgrep for fast PR-level pattern-matching — reducing zero-sum competitive dynamics. Semgrep's differentiation vs. both: (1) multi-VCS support (GitLab, Bitbucket, Azure DevOps) vs. GHAS's GitHub-only deployment; (2) 40+ language support vs. CodeQL's ~12 languages; (3) YAML-based custom rule authoring vs. CodeQL's SQL-like query language; (4) integrated Secrets/SCA/SAST/AI platform vs. GHAS's module-separated billing. [CP011, CP012, CP013, CP014, CP015, CP016]

3.3 Platform Incumbents: Checkmarx, SonarQube, and Veracode

Checkmarx One is the dominant enterprise SAST/SCA platform, with $150M+ ARR (Oct 2025), 30%+ YoY ARR growth, 860+ large enterprise customers, and Gartner Magic Quadrant AST Leader status. Checkmarx competes in deals above $100K ACV where CISOs require breadth (SAST + DAST + SCA + API Security + ASPM), compliance documentation, and SOC 2/FedRAMP certification. Checkmarx's weakness is developer experience: its scan times, rule complexity, and UX are oriented toward security teams rather than developers. Semgrep's competitive opportunity in Checkmarx accounts is developer-led expansion into the engineering team before the CISO selects a platform. SonarQube/SonarCloud (SonarSource) holds the largest SAST install base by developer headcount: 7M+ developers, 500,000+ organizations, with ~15% SAST market share. SonarQube's focus is code quality and technical debt alongside security; its 6,500+ rules are 85% quality-focused and 15% security-focused. Security detection efficacy benchmarks show Semgrep outperforms SonarQube on pure security findings (46% detection rate vs. 19% in independent 2026 tests). SonarQube's SAST competitive threat is modest for security-first buyers; however, its dominance as the default CI code quality tool means it often occupies the "security tool" budget line before Semgrep can land. Veracode (private equity, TA Associates/Francisco Partners) targets the enterprise compliance segment with 3,000+ customers, including Fortune 500. Veracode's strength is audit-ready compliance documentation and DAST capabilities Semgrep does not offer. Its weakness is developer experience: scan-as-a-service is perceived as slow. Veracode is not a meaningful competitor for developer-led, mid-market PLG motions. [CP021, CP022, CP023, CP024, CP025, CP026]

3.4 Opengrep Fork and Status-Quo Substitutes

Opengrep is uniquely positioned as both a competitive threat and an indicator of Semgrep's strategic error. Launched January 23, 2025 — two weeks before the Semgrep Series D announcement — by a consortium of Aikido Security, Endor Labs, Amplify Security, Jit, Orca Security, and Mobb, Opengrep restores the CE features (cross-function taint analysis, fingerprinting, tracking ignores, specific metavariables) that Semgrep restricted in December 2024. Opengrep is governed by a multi-vendor Open Governance Consortium, developed by a dedicated OCaml team, and released under LGPL-2.1. As of early 2026, Opengrep has 2,100+ GitHub stars, 26 releases, 61+ contributors, and benchmarks showing 3.15x faster scan speed in certain rule-load scenarios. The Opengrep threat is specifically to Semgrep's OSS-to-enterprise adoption funnel. Organizations that would have used Semgrep CE as a free scanning layer — the entry point for eventual Teams/Enterprise conversion — can now use Opengrep with restored functionality and no commercial relationship with Semgrep Inc. Semgrep's PLG moat depends on Semgrep CE being the natural starting point; Opengrep erodes this by offering a genuinely compelling free alternative. Status-quo substitutes remain the most common alternative: ESLint (JavaScript), Bandit (Python), Flawfinder (C/C++), PMD (Java), GoSec (Go), and generic linters for other languages. These tools are fragmented across languages, lack cross-language orchestration, and have no rules marketplace — weaknesses Semgrep addresses. Manual code review, ad-hoc scripts, and no-tool approaches are the default for organizations at AppSec maturity level 1. [CP030, CP031, CP032, CP033, CP034, CP035]

3.5 Switching Costs, Lock-In, and Moat Durability

Semgrep's competitive moats fall into three categories: community and rule network effects, technical differentiation, and GTM/distribution. The rule network effect is the most durable moat: Semgrep's 3,000+ community rules and 20,000+ commercial Pro rules represent years of contribution and institutional knowledge that cannot be replicated overnight. However, most OSS rules are YAML patterns that are portable to any rule-compatible engine — including Opengrep. The rule moat is strongest for the commercial Pro rule set, which is proprietary and licensed only to paying customers. Technical differentiation: Semgrep's Pro Engine provides cross-file and cross-function taint analysis in 40+ languages at CI speeds — a combination competitors have not matched. CodeQL offers deeper semantic analysis but is 5-10x slower, making it suitable for nightly builds but not for every-commit PR checks. Semgrep's MCP server integration positions it uniquely for the AI coding assistant market (Cursor, VS Code, Claude Desktop). GTM and distribution: The OSS→Teams→Enterprise PLG motion enables land-and-expand with low CAC compared to direct enterprise sales. The risk is that GHAS's GitHub-native distribution eliminates this motion for GitHub-centric organizations that have not yet tried Semgrep. Semgrep's multi-VCS flexibility is its clearest counter. Switching costs are moderate: Semgrep CI integrations (GitHub Actions, GitLab CI, Jenkins) are standard YAML that takes 1-2 days to install and configure. Custom rules take longer to migrate; the Pro rule set is non-portable. Enterprise platform deals with SSO/SAML, SCIM provisioning, policy dashboards, and audit logs create modest stickiness. Net overall: Semgrep has real but not structural lock-in; churn risk is higher for free-tier and Teams-tier than Enterprise. [CP037, CP038, CP039, CP040, CP041, CP042]

3.6 Exhibits

4.1 Revenue Model and Revenue Streams

Semgrep's revenue model is a product-led growth (PLG) SaaS structure with three monetization tiers built on top of the open-source Community Edition (CE). The PLG motion generates a developer acquisition funnel at zero variable cost — developers discover and adopt Semgrep CE, validate security value in CI, and upgrade to Teams or Enterprise as usage scales or security program formalization occurs. Revenue Stream 1 — Teams Tier ($30/contributor/month for Code or Supply Chain; $15/contributor/month for Secrets): This is the primary self-serve revenue generator. The trigger is scale (>10 repositories or >10 contributors exceeding the free tier limit) or access to Pro rules and AI triage. Teams tier is billed per active contributor, a metric Semgrep controls and audits through its CI integration. Revenue Stream 2 — Enterprise Contracts (custom pricing): Enterprise revenue is negotiated directly, typically with CISO or VP Engineering budget owners at organizations with 500+ employees. Enterprise contracts include SSO/SAML, SCIM provisioning, Managed Scanning, SLA guarantees, audit logging, on-premises deployment option, and access to the full Pro rule set (20,000+ rules). ACV likely ranges from $50K to $500K+. Revenue Stream 3 — Professional Services and Implementation (small): Semgrep offers implementation services for Managed Scanning. This is not a primary revenue generator and likely represents <5% of total revenue. Revenue recognition: Annual or multi-year subscription contracts in advance (typical SaaS). No evidence of per-scan pricing, consumption metering, or transaction-based billing. Revenue is ratable over the contract term; upfront annual payments create positive working capital dynamics. [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 GTM Motion and Sales Efficiency Proxies

Semgrep's go-to-market motion is primarily product-led (bottom-up) with an emerging enterprise direct sales layer. The PLG motion is architected around three conversion events: (1) individual developer or small team adoption via GitHub Actions or CLI, (2) team-level upgrade at the $30/contributor/month Teams threshold, and (3) enterprise consolidation via direct sales contact. The PLG motion reduces traditional CAC significantly. For self-serve Teams tier customers, Semgrep's effective CAC is primarily the cost of developer marketing (conferences, open-source sponsorship, documentation, and community management) rather than traditional inside sales cycles. The February 2025 Series D hired Garrett Souza as VP Sales, signaling a deliberate build-out of the direct enterprise sales motion. This represents a structural shift from pure PLG toward a hybrid model. SaaS PLG benchmarks (OpenView 2025) indicate PLG companies with a developer-first free tier typically achieve free-to-paid conversion rates of 3–8%, with CAC payback periods of 6–18 months at scale. Applying these benchmarks to Semgrep's 75M+ annual scans and 14,300+ GitHub stars suggests a substantial top-of-funnel, but the conversion efficiency is unverifiable without internal data. Sales cycle proxies: Enterprise sales cycles in the SAST/SCA market typically run 90–180 days for 500+ employee organizations (CISO-level approval) and 30–60 days for mid-market engineering leader deals. Semgrep's Managed Scanning feature (handles CI/CD configuration on behalf of customers) reduces time-to-first-value from weeks to hours, a likely conversion accelerant. Revenue per employee: $33.6M ARR / 210 employees (Sept 2025) = ~$160K per employee. This is below top-tier SaaS benchmarks ($200–300K/employee) but consistent with growth-stage Series D companies with heavy engineering investment. Series D headcount expansion (257 employees per Tracxn, March 2026) suggests revenue is growing but employee count has also scaled. [CI007, CI008, CI009, CI010, CI011, CI012]

4.3 Cost Structure, Gross Margin, and Capital Intensity

Semgrep is a cloud-hosted SaaS business with a developer tooling architecture. Cost of goods sold (COGS) consists primarily of: (1) cloud hosting for the scan execution layer and data pipeline (AWS/GCP), (2) CI/CD API integrations and webhook processing, (3) professional services headcount for enterprise implementation, and (4) third-party data feeds for Supply Chain vulnerability intelligence. Gross margin estimation: No public disclosure. Based on developer security SaaS benchmarks, gross margins of 75–80% are typical; companies with heavy professional services components (e.g., Veracode) have lower margins (~60–70%). Semgrep's architecture — a core static analysis engine with cloud-hosted rule execution — is inherently high-margin. The AI triage layer (Semgrep Assistant) adds LLM inference costs (OpenAI/Anthropic API costs), which could compress margins by 3–7% if not priced appropriately. Operating expenses: private. Estimated R&D at approximately 50–60% of ARR (typical for growth-stage developer tools), S&M at 40–50% of ARR (building enterprise GTM), and G&A at 10–15% of ARR. At $33.6M ARR, these estimates imply cash operating expenses of $45–75M annually, suggesting a negative FCF position of $15–40M/year at current scale. Capital intensity: Low. Static analysis software has no hardware manufacturing or physical asset requirements. Capex is minimal. Cloud costs scale with scan volume, creating a variable cost element at scale, but the incremental cost of each additional scan is very low once the infrastructure is provisioned. [CI013, CI014, CI015, CI016, CI017]

4.4 Public Traction Metrics vs. Private Financial Gaps

Semgrep's publicly available operational metrics provide indirect evidence of commercial traction but cannot substitute for financial disclosures: Operating metrics (public): 75M+ annual code scans (company-claimed), 14,300+ GitHub stars (observable), 3,000+ community rules, 20,000+ Pro rules, 40+ supported languages, 257 employees (Tracxn, March 2026). Customer names referenced publicly include Figma, Dropbox, Slack, Snowflake, HashiCorp, GitLab, and Shopify. Revenue estimate: Latka reports $33.6M ARR for September 2025 based on crowdsourced revenue data. This is consistent with 210 employees at $160K/employee, a typical Series D-stage ratio for developer security companies. No independent verification exists; CBInsights lists Semgrep's financials as undisclosed. The Sacra estimate for Semgrep has not been published as of May 2026. Key gaps: ARR, growth rate, gross margin, NRR/GRR, CAC, LTV, customer count, ACV distribution, and burn rate are all undisclosed. The funding multiple (valuation / ARR) cannot be validated without ARR confirmation. At a hypothetical $1B valuation and $33.6M ARR, the revenue multiple would be ~30x — aggressive but not unprecedented for high-growth developer security SaaS in 2025. [CI018, CI019, CI020, CI021, CI022, CI023]

4.5 Capital Adequacy and Financing Dependency

Semgrep closed a $100M Series D on February 5, 2025, led by Menlo Ventures with participation from Lightspeed, Redpoint, Sequoia, Felicis, and Harpoon. Total cumulative funding is $204M across four rounds. The Series D announcement specified deployment toward AI and program analysis talent, product awareness, and GTM (geographic expansion in Europe and Asia-Pacific). Burn rate estimate: With 257 employees in San Francisco (as of March 2026) and typical developer tooling company cost structures, estimated monthly cash burn is $4–7M, placing total annual cash consumption at $48–84M. This estimate incorporates payroll (~50–55% of burn at $200–250K average fully-loaded cost per employee), cloud infrastructure, and G&A. Runway estimate: If $80–90M of the $100M Series D remained undeployed immediately post-close (after account for pre-close costs and transition), and burn is $4–7M/month, runway extends approximately 13–22 months from February 2025, placing the Series E financing window at approximately Q1 2026 – Q4 2026. Given the analysis date (May 2026), Semgrep may be approaching a financing inflection point within the next 6–12 months absent meaningful ARR acceleration. Debt and project finance: No disclosed debt. The company is equity-funded exclusively. No project finance obligations, customer financing, or government contract requirements identified. Capital adequacy verdict: The $100M Series D provides adequate runway for a 12–24 month acceleration phase. The critical dependency is ARR growth: Semgrep must demonstrate a meaningful step-up from the $33.6M ARR base (e.g., toward $50–70M) to justify a Series E at a higher valuation. If ARR growth has stalled post-Opengrep fork, the fundraising window becomes more challenging. [CI025, CI026, CI027, CI028, CI029, CI030]

4.6 Exhibits

5.1 Product Definition and Customer Workflow

Semgrep's product is a developer-first application security platform that scans source code at commit time — in the developer's IDE, in CI/CD pull requests, and in full-repository scheduled scans — to identify security vulnerabilities before they reach production. The platform is organized around four primary products: **Semgrep Code (SAST):** Static application security testing engine that finds security vulnerabilities by pattern matching and dataflow analysis against a library of 20,000+ Pro rules (curated by Semgrep engineers) and 3,000+ community rules. The Pro Engine adds cross-file and cross-function taint tracking, enabling detection of vulnerabilities that span multiple modules — the technical capability that most distinguishes Semgrep from simple pattern-match tools like grep or basic SAST scanners. **Semgrep Supply Chain (SCA):** Open-source dependency analysis that goes beyond simple CVE-list matching by applying reachability analysis — verifying whether a vulnerable function in a dependency is actually called by the application's code. This "reachability-aware SCA" dramatically reduces noise: Semgrep claims to surface only 2–5% of the CVEs flagged by list-matching SCA tools as "reachable" in a given codebase. **Semgrep Secrets:** Hardcoded credential detection for API keys, tokens, passwords, and private keys embedded in source code. Includes live validation (pinging endpoints to confirm a detected secret is active) and PR-blocking to prevent secrets from being merged. **Semgrep Assistant:** AI-powered triage and remediation layer, launched in 2024, built on top of large language models (likely OpenAI GPT-4 or Claude). Assistant automatically triages scan results, filters confirmed false positives, explains findings in natural language, and generates suggested code fixes. Assistant is bundled with Enterprise and optionally available in Teams tier. The customer workflow begins with developer self-service adoption via GitHub Actions or CLI (Community Edition → Teams upgrade), then expands to enterprise-wide deployment via direct sales with the Managed Scanning feature, which automates CI/CD configuration across all repositories without requiring per-team developer involvement. [CE001, CE002, CE003, CE004, CE005, CE006]

5.2 Architecture and Operating Model

Semgrep's software architecture has three layers: **Layer 1 — The Scanner Engine (OSS Core):** The foundational static analysis engine is written in OCaml and released as open-source (previously LGPL-2.1, now under the Semgrep Open Source License with December 2024 CE rule restrictions). It uses tree-sitter grammars for language-specific AST (Abstract Syntax Tree) parsing across 40+ programming languages. The OSS engine performs syntactic pattern matching and intra-procedural analysis available to all tiers. **Layer 2 — The Pro Engine (Paid):** The Pro Engine extends the OSS core with inter-procedural taint analysis (cross-file, cross-function dataflow), the full 20,000+ Pro rule library, and advanced language-specific analyzers. The Pro Engine runs in Semgrep's cloud infrastructure (not locally), meaning scan results are transmitted to Semgrep servers for Pro-tier analysis. This creates a cloud dependency for all paying customers. **Layer 3 — The AppSec Platform (Cloud):** The web-based management console (semgrep.dev) provides repository management, finding triage, rule configuration, policy enforcement, user management (SSO/SAML/SCIM), reporting dashboards, AI triage (Semgrep Assistant), Managed Scanning orchestration, and API access. The platform stores finding history and trends. **Data pipeline:** Source code is scanned locally by the Semgrep CLI (run in CI/CD); findings metadata (file paths, rule IDs, matched text snippets, line numbers) are transmitted to the cloud platform. Full source code is not transmitted by default; only matched code snippets and context lines are sent. This architecture is critical for enterprise security approval processes. **Dependency map:** The platform is tightly integrated with GitHub, GitLab, Bitbucket, and Azure DevOps via OAuth and webhook APIs. Semgrep Assistant depends on third-party LLM APIs (OpenAI or Anthropic) for code explanation and fix generation. Supply Chain depends on CVE/NVD databases (NIST), GitHub Advisory Database, and Semgrep's proprietary reachability analysis. The OSS engine is a hard dependency for the entire platform. [CE007, CE008, CE009, CE010, CE011, CE012]

5.3 Deployment, Integrations, and Roadmap

**Deployment modes:** - CLI: `semgrep scan` runs locally against any git repository; requires Python 3 or Docker - CI/CD native: GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, Azure DevOps, Bitbucket Pipelines — official action/plugin maintained by Semgrep - IDE plugins: VS Code extension, IntelliJ/JetBrains plugin, LSP-compatible editors - Managed Scanning: Semgrep deploys and maintains CI/CD configuration across all repositories via GitHub App or GitLab integration, eliminating per-team developer configuration burden - API: REST API for finding export, SBOM generation, and CI status webhook integration with JIRA, Linear, PagerDuty, Slack **Platform integrations:** Semgrep integrates with JIRA (ticket creation from findings), Slack (PR notifications), GitHub/GitLab Security Dashboards (SARIF output), Snyk dependency data (historical, pre-Snyk-compete overlap), and SIEM tools via webhook. SAML 2.0, Okta, Azure AD, and Google Workspace are supported for SSO. **Roadmap trajectory (2025–2026):** - AI-first direction: expanding Semgrep Assistant to auto-fix generation, IDE-first triage, and developer-facing remediation coaching - Managed Scanning GA: reducing time-to-deploy from hours to minutes for enterprise customers - Supply Chain expansion: broader reachability analysis for interpreted languages (Python, Ruby, PHP) - Geographic expansion: European and APAC data residency options to satisfy GDPR and regional data laws - Rule quality: continuous expansion of Pro rules library; community rules remain open [CE013, CE014, CE015, CE016, CE017]

5.4 Technology Differentiation and IP

Semgrep's primary technical differentiation claims are: 1. **Rule language and portability:** The Semgrep rule language (YAML-based pattern DSL) allows security engineers to write rules without deep compiler knowledge. A rule written for one language framework is typically adaptable to another in minutes. This portability creates network effects: 3,000+ community rules have been contributed by users for frameworks and languages that Semgrep's team has not prioritized. 2. **Pro Engine dataflow precision:** Cross-file and cross-function taint analysis is computationally expensive; Semgrep implements it via compositional interprocedural analysis that scales to enterprise-sized codebases in reasonable scan times. Competitors like CodeQL (GitHub) also offer interprocedural analysis, but CodeQL requires a proprietary query language with a steep learning curve. Semgrep's claim is higher developer accessibility without sacrificing precision. 3. **Reachability-aware SCA:** The Supply Chain product's reachability analysis (calling-graph computation on top of dependency graph) is a genuine technical differentiator in the SCA market. Most SCA tools flag all CVEs in the dependency graph regardless of code paths; Semgrep reduces this by 95%+ in published benchmarks. 4. **Data moat via scan telemetry:** 75M+ annual scans generate anonymized pattern telemetry that informs rule quality and false-positive rates. This data advantage compounds over time if Semgrep can use it to train rule classifiers. 5. **Speed:** Semgrep OSS is designed for developer-time feedback loops; scan times target <60 seconds for incremental scans on changed files. The Opengrep fork claims 3.15x performance improvement in full-repo benchmarks as of early 2025, which, if accurate, represents a competitive threat to Semgrep's developer experience advantage. **IP position:** No public patent portfolio identified. IP is primarily embedded in the Pro Engine's proprietary dataflow analysis and the Pro rule library. The OCaml engine source code is open (with license restriction post-Dec 2024). The Pro Engine and Pro rules are proprietary trade secrets. [CE018, CE019, CE020, CE021, CE022, CE023]

5.5 Trust, Security, Compliance, and Quality Controls

**Security certifications:** Semgrep maintains SOC 2 Type II certification, covering security, availability, and confidentiality controls. The compliance report is available under NDA to enterprise customers via trust.semgrep.dev. **GDPR compliance:** Semgrep has published a Data Processing Agreement (DPA) for European customers and supports GDPR data deletion requests. As of 2025, code snippet data transmitted to the Semgrep platform was subject to GDPR retention and deletion controls. **FedRAMP:** Not in FedRAMP Authorized status as of May 2026. This is a blocking factor for U.S. federal government sales and limits addressable market in regulated U.S. government sectors. Semgrep has been noted as "FedRAMP Ready" in progress; completion timeline is unknown. **HIPAA:** No public HIPAA BAA offering identified; Semgrep does not target healthcare as a primary vertical. **Data handling policy:** Semgrep does not train its AI models on customer code by default; opt-in for telemetry improvement programs. The privacy documentation states that code snippets sent to the Semgrep cloud platform for Pro Engine analysis are not used for rule training without explicit customer consent. **Status and reliability:** Status page (status.semgrep.dev) reports uptime SLA of 99.9% for Enterprise tier. No major publicly disclosed outages identified as of May 2026. **Quality controls:** Semgrep publishes false-positive rate benchmarks for Pro rules; typical Pro rule FP rate is claimed to be <5% on the benchmarked rulesets. Community rules have no enforced FP rate standard. **Vulnerability disclosure:** Semgrep has a published responsible disclosure policy. No public CVEs attributed to the Semgrep SaaS platform identified. [CE024, CE025, CE026, CE027, CE028, CE029]

5.6 Exhibits

6.1 Customer Base Segmentation

Semgrep's customer base consists of three distinct segments with fundamentally different acquisition dynamics, usage patterns, and revenue contribution: **Segment 1 — Community Edition (CE) / Open Source Users (Free):** Estimated hundreds of thousands of developers who use the Semgrep CLI for personal projects, side projects, or evaluated installations. This group contributes zero direct revenue but is the source of Semgrep's PLG pipeline. CE users generate the 75M+ annual scan signals that provide telemetry for rule improvement. The December 2024 CE license restriction has created uncertainty in this segment, with the Opengrep fork offering an alternative CE path. **Segment 2 — Teams Tier (Self-Serve Paid):** Engineering teams at companies of 10–500 employees who have exceeded the CE free tier limits or need Pro rules, AI triage, or Secrets scanning. Buyer is typically an engineering lead or developer security champion. Purchase is self-serve via credit card or annual invoice. Customer economics: $30/contributor/month × 12 months = $360/contributor/year minimum. A 50-person engineering team paying $30/contributor would contribute ~$18K/year. **Segment 3 — Enterprise (Direct Sales):** Organizations with 500+ employees, typically CISO-led buying, requiring SSO/SAML, SCIM, audit logging, SLA, Managed Scanning, and security compliance documentation. This segment contributes the majority of ARR (estimated 60–70% based on typical PLG enterprise revenue mix). Average contract value is estimated at $50K–$300K/year based on comparable SAST enterprise vendors. Multi-year contracts are typical. Key verticals: SaaS/cloud-native, fintech, enterprise software, consumer technology. **Geographic concentration:** North America is the primary market (headquarters San Francisco; most named customers are U.S.-based). European and APAC expansion was announced as a Series D priority, but no European enterprise customer case studies have been published. **Vertical concentration:** The named customer set is concentrated in software-native companies (Figma, Dropbox, Slack, GitLab, Shopify) — companies with large engineering teams, sophisticated security programs, and developer-first cultures. This creates vertical concentration in "tech company" buyers rather than broad industry penetration. [CU001, CU002, CU003, CU004, CU005]

6.2 Adoption Trajectory and Public Traction

Semgrep's publicly observable adoption metrics paint a picture of strong developer community adoption, with more limited visibility into commercial traction: **Community metrics (high confidence, publicly verified):** - 75M+ annual code scans — company-claimed as of 2025; represents the total scan count across all CE + paid tiers - 14,300+ GitHub stars — verifiable on github.com/semgrep/semgrep; above-average for developer security tools - 3,000+ community rules contributed by external developers — evidence of ecosystem depth - 40+ languages supported — broad language coverage reducing friction for polyglot organizations **Review platform metrics (medium confidence):** - G2: 30+ reviews, average rating 4.5/5 as of early 2026; most positive reviews highlight rule accuracy and developer-friendliness; most negative reviews cite false positive noise on community rules and CI performance overhead - Gartner Peer Insights: limited data; Semgrep is not yet listed in the Gartner Magic Quadrant for Application Security Testing (as of 2025; Snyk, Checkmarx, and Veracode dominate) - Capterra and PeerSpot: smaller review sets; consistent with G2 sentiment **Revenue proxy traction:** - ARR ~$33.6M (Latka, Sept 2025 est.) with 210 employees — implied customer base of 100–400 paid accounts at typical SAST enterprise ACV ranges - Revenue per employee at $160K/employee is below peak developer SaaS benchmarks but consistent with growth-stage expansion **Adoption freshness risk:** The December 2024 CE license restriction and the January 2025 Opengrep fork represent a potential inflection point in new CE adoption. If new developer installations are migrating to Opengrep rather than Semgrep CE, the top-of-funnel CE acquisition rate may be decelerating, which would eventually slow Teams and Enterprise pipeline growth. [CU006, CU007, CU008, CU009, CU010, CU011]

6.3 Named Customer Evidence

Semgrep has published named customer references and case study blog posts for several high-profile organizations. The quality of evidence varies by customer: **Figma:** Public blog post and Semgrep landing page reference confirm production use of Semgrep Code for SAST at scale across Figma's engineering team. Figma has a 150+ person engineering organization and uses Semgrep to enforce custom security rules in CI/CD, with specific rules written by their security team. This is a high-quality enterprise reference — production deployment, custom rule authoring, and engineering team-specific outcomes. **Dropbox:** Semgrep published a case study on Dropbox's use of Semgrep for developer-led security remediation. Dropbox is a large engineering org (1,000+ engineers) using Semgrep to scale security review coverage without growing the security team proportionally. High reference quality. **GitLab:** GitLab, both a competitor (native CI/CD with SAST) and a customer, uses Semgrep CE rules in GitLab Ultimate's SAST scanner under an OEM/integration arrangement. This represents a partnership-as-distribution dynamic. GitLab embedding Semgrep rules validates technical quality but also means GitLab can switch rule engines at any time. **Snowflake:** Named on Semgrep's customer page; no detailed case study published as of May 2026. Snowflake has a large engineering team and complex codebase; the reference implies enterprise-grade deployment. **HashiCorp:** Named on Semgrep's customer page; blog posts reference HashiCorp engineers contributing community rules. This is a developer-community engagement rather than a direct commercial reference. **Slack (acquired by Salesforce):** Named customer; Slack's engineering team adopted Semgrep for custom rule enforcement pre-Salesforce acquisition. Reference freshness is uncertain (Slack engineering org post-acquisition may have different tooling). **Shopify:** Named on Semgrep customer page; Shopify has a significant security engineering team. No detailed case study; reference indicates enterprise-level deployment. [CU012, CU013, CU014, CU015, CU016, CU017]

6.4 Retention, Durability, and Satisfaction

Semgrep has not publicly disclosed customer retention metrics (NRR, GRR, churn, renewal rates, or cohort data). All estimates below are author-derived from industry benchmarks and behavioral signals: **Enterprise tier retention proxy:** Enterprise contracts with SSO/SAML, SCIM, Managed Scanning, and multi-year commitments have structurally high switching costs. SAST tools, once deployed via Managed Scanning across an organization's full repository set, require security teams to reconfigure CI/CD, migrate finding histories, retrain developer habits, and re-certify the new tool for compliance purposes. This creates natural stickiness analogous to other developer infrastructure tools. Estimated enterprise GRR: 85–95%. **Teams tier retention proxy:** Self-serve Teams tier customers have lower switching costs — migration requires changing the GitHub Actions workflow file and moving rules. However, once an engineering team has customized rules and integrated findings into their JIRA workflow, switching friction is non-trivial. Estimated Teams tier GRR: 70–85%. **CE / Free tier retention:** CE users are by definition not revenue-contributing; CE "retention" (continued use of Semgrep CE rather than migrating to Opengrep) is unverifiable. The December 2024 license change may have accelerated CE churn toward Opengrep. **G2 satisfaction signals:** 4.5/5 average across 30+ reviews indicates strong developer satisfaction. Common positive themes: rule quality, ease of rule writing, CI integration, low friction. Common negative themes: Pro Engine scan latency on large codebases, community rule false positive rate, documentation depth for advanced use cases. **NPS proxy:** Semgrep has not published Net Promoter Score data. The consistent G2 positive reviews and active community rule contribution (3,000+ community rules) suggest a developer Net Promoter Score above 50, which is typical for developer tools with strong OSS community engagement. [CU019, CU020, CU021, CU022, CU023, CU024]

6.5 Expansion Dynamics and Concentration Risk

**Expansion motion:** Semgrep's land-and-expand model operates at two levels: (1) within a customer, expanding from Code (SAST) to Supply Chain (SCA) to Secrets to Assistant ("breadth expansion") and (2) within a customer, expanding contributor count as more developers adopt Semgrep across teams ("seat expansion"). Both levers drive revenue growth without requiring new customer acquisition. The typical enterprise expansion progression: Teams tier adoption by one security engineer → pilot deployment to 3–5 teams → Managed Scanning enterprise-wide deployment → cross-sell Supply Chain and Secrets → platform ACV 2–4x initial contract. **Concentration risk:** No customer revenue concentration data is disclosed. Based on the named customer set (Figma, Dropbox, Slack, Snowflake, HashiCorp, GitLab, Shopify), the addressable base is heavily weighted toward large-cap tech companies with mature security programs and large engineering headcounts. This implies: - The top 10 customers likely represent 30–50% of ARR (estimated, not confirmed) - Loss of any named enterprise customer would be material at $33.6M total ARR - No evidence of distribution channel (reseller, MSSP, marketplace) customers at meaningful scale **Platform concentration risk from GitLab integration:** GitLab embeds Semgrep rules in GitLab Ultimate's SAST scanner. If GitLab were to switch to a different rule engine (e.g., built in-house or using CodeQL/Sonar rules), Semgrep would lose an indirect distribution channel. This is not a direct revenue dependency but a community/pipeline dependency. **Vertical concentration:** Semgrep's public customer references are concentrated in software-native companies. Expansion into regulated industries (financial services, healthcare, government) requires FedRAMP Authorization, HIPAA BAA, or sector-specific compliance certifications that Semgrep does not yet offer at scale, limiting the addressable market in those verticals. [CU025, CU026, CU027, CU028, CU029, CU030]

6.6 Exhibits

7.1 Risk Overview and Severity Ranking

Semgrep operates at the intersection of enterprise security software, open-source development, and AI-powered tooling — three domains with distinct and compounding risk profiles. The following seven risk categories are assessed from most to least severe based on potential investment impact: **1. Competitive commoditization (Critical):** GitHub Advanced Security (GHAS) + Copilot Autofix bundles SAST scanning and AI-powered code fixes into the GitHub Enterprise platform at zero marginal cost for existing GitHub Enterprise customers. Semgrep's core Teams tier and Semgrep Assistant value propositions are directly substitutable. This risk is structural and worsening: GitHub's distribution advantage (50M+ developers) creates an asymmetric acquisition moat. **2. Open-source fork / community fragmentation (High):** The Opengrep fork (January 2025) directly threatens Semgrep's developer acquisition funnel. Opengrep claims 3.15x performance improvement, provides CE feature parity, and is licensed under AGPLv3 (fully open). If Opengrep reaches critical community mass, new developer installations will prefer Opengrep CE, starving Semgrep's PLG pipeline at the top of the funnel. **3. Financial opacity / capital risk (High):** All operating metrics are undisclosed. Estimated burn ($4–7M/month) against estimated cash position ($50–90M) implies a Series E financing window within 12–18 months. If ARR growth has not accelerated sufficiently, fundraising at a flat or declining valuation becomes a structural risk, with potential for down-round or strategic pressure. **4. License legal risk (Medium-High):** The December 2024 license change modified the Semgrep CE license from LGPL-2.1 to a proprietary Semgrep Open Source License (SOSL) with restrictions on competing commercial use. This change may have created legal exposure if the transition did not comply with LGPL-2.1 relicensing requirements (which typically require consent from all copyright contributors). No litigation has been filed, but the risk exists. **5. Regulatory / compliance risk (Medium):** FedRAMP Authorization gap blocks U.S. federal market. EU AI Act obligations for AI-assisted security tooling are ambiguous. GDPR data residency for EU customers is an incomplete capability. **6. Operational / technology dependency risk (Medium):** LLM API provider dependency (OpenAI/Anthropic) for Semgrep Assistant creates concentration and pricing risk. GitHub API dependency for primary CI/CD integration creates platform risk. **7. Key person / execution risk (Medium):** Co-founders Isaac Evans (CEO) and Drew Dennison (CTO) are the primary leaders with no disclosed succession plan. Series D GTM build-out (VP Sales hired) represents a new execution challenge for an engineering-led organization. [CR001, CR002, CR003, CR004, CR005]

7.2 Legal, License, and Regulatory Risks

**Open source license change legal risk:** In December 2024, Semgrep modified the license for the CE rules repository from LGPL-2.1 to the Semgrep Open Source License (SOSL), a proprietary license restricting competing commercial use. LGPL-2.1 requires that relicensing of derivative works receive consent from all copyright contributors. The community rule registry contained contributions from thousands of developers under LGPL-2.1; if any contributor challenges the unilateral relicensing, Semgrep faces potential LGPL violation claims. No litigation has been filed as of May 2026, but community members on Hacker News and GitHub Discussions raised specific legal concerns about the transition process. **IP ownership and contributor agreements:** Semgrep's community contribution process (via GitHub pull requests) uses an implicit "inbound = outbound" licensing assumption rather than a formal Contributor License Agreement (CLA) for all rule contributions. If Semgrep does not have proper CLAs covering the 3,000+ community rules, the relicensing may be legally precarious. **FedRAMP Authorization gap:** Semgrep is classified as FedRAMP Ready but not Authorized. Without FedRAMP Authorization (In-Progress or full), Semgrep cannot be used in U.S. federal information systems, blocking the U.S. federal government sector entirely. FedRAMP Authorization typically takes 12–24 months once ATO (Authority to Operate) sponsorship is secured. **EU AI Act (potential scope):** The EU AI Act, which entered into force in August 2024, may impose obligations on AI-powered code scanning tools in categories affecting software development. Semgrep Assistant's AI-generated code fixes could be classified under limited-risk or general-purpose AI provisions, requiring transparency disclosures and documentation. Regulatory interpretation is pending; specific compliance obligations for developer tooling AI are unresolved. **Data privacy — GDPR:** Semgrep processes code snippets (including potentially personally identifiable developer data in code comments or variable names) on cloud infrastructure not yet offering EU data residency. GDPR Art. 44 restrictions on international data transfers require Standard Contractual Clauses (SCCs); Semgrep's DPA covers SCCs, but EU data residency customers have flagged data transfer latency and compliance clarity as procurement concerns. [CR006, CR007, CR008, CR009, CR010]

7.3 Operational, Security, and Technology Risk

**LLM API dependency (Semgrep Assistant):** Semgrep Assistant relies on third-party LLM APIs (OpenAI or Anthropic) for AI triage and code fix generation. This creates three distinct risks: (1) pricing risk — LLM inference costs may increase materially; (2) availability risk — LLM API outages or rate limiting directly impair the Semgrep Assistant feature; (3) data risk — code snippet transmission to a third-party LLM may violate enterprise data security policies, requiring additional procurement hurdles. **GitHub API dependency:** Semgrep's primary CI/CD integration is via GitHub Actions and GitHub App (for Managed Scanning). GitHub has historically maintained backward compatibility, but any changes to GitHub Actions runner environments, API authentication, or webhook delivery could disrupt customer scans. GitHub also competes with Semgrep via GHAS. **Cloud infrastructure concentration:** Semgrep's cloud platform is hosted on a single cloud provider (AWS or GCP, unconfirmed). A major outage to the primary cloud provider would impair the Semgrep AppSec Platform availability including findings management, policy enforcement, and Managed Scanning orchestration. **Security of the Semgrep scanning pipeline itself:** Semgrep analyzes code from customer repositories. A supply-chain attack targeting the Semgrep scanner (malicious rule injected into the Pro rules registry) could compromise customer CI/CD pipelines. Semgrep's rule signing and distribution security has not been independently audited. **Scan result data integrity:** False negative vulnerabilities (security bugs that Semgrep fails to detect) represent an operational liability. If a Semgrep customer suffers a security breach from a vulnerability class that Semgrep's Pro rules should have detected, the reputational and potential legal (negligence/warranty) exposure could be significant. **Performance degradation on large codebases:** Opengrep's 3.15x performance claim (full-repository benchmarks) suggests that Semgrep CE has accumulated technical debt in its scan engine. For enterprise customers with 100M+ LOC monorepos, slow scan times increase CI/CD cycle times, reducing developer experience quality and creating a procurement objection for performance-sensitive organizations. [CR011, CR012, CR013, CR014, CR015]

7.4 Partner and Dependency Risks

**GitHub platform risk (structural):** Semgrep's GTM depends on GitHub as the primary code host for its customer base. GitHub owns the CI/CD pipeline integration surface (GitHub Actions), the PR comment interface (where Semgrep posts findings), the repository permission model (required for Managed Scanning), and the competing product (GHAS + Copilot Autofix). GitHub could restrict third-party security tool API access, change GitHub App permission scopes, or tighten Actions runner security in ways that impair Semgrep's functionality. **Opengrep as a community substitute:** Opengrep is both a competitive and a dependency risk. As a fork, it depends on continued community investment in the OSS engine quality. If Opengrep attracts significant investment or corporate backing (e.g., a large tech vendor sponsoring Opengrep as a free community tool), the competitive pressure on Semgrep's PLG funnel intensifies dramatically. **LLM provider dependency:** If OpenAI or Anthropic changes API pricing, terms of service, or access policies, Semgrep's Assistant feature economics change materially. Migrating between LLM providers (e.g., OpenAI → Anthropic → Google Gemini) requires re-prompting, re-evaluation, and re-certification of fix quality, creating switching latency. **NVD/CVE data feed dependency (Supply Chain):** Semgrep Supply Chain depends on NIST NVD and GitHub Advisory Database for vulnerability data. NVD has experienced processing backlogs (documented in 2024: 93% of CVEs published in 2024 were NOT analyzed in NVD within 30 days). If these data quality degradations persist, Semgrep Supply Chain reachability analysis will lag the threat landscape, impairing the product's commercial value proposition. **Customer concentration risk:** Estimated top-10 customers represent 30–50% of total ARR. Loss of 2–3 named enterprise accounts (Figma, Dropbox, Snowflake) would represent a material ARR decline. No multi-year contract status for individual customers has been confirmed. [CR016, CR017, CR018, CR019, CR020]

7.5 People and Execution Risk

**Key person dependency — co-founders:** Isaac Evans (CEO) and Drew Dennison (CTO) are the founding technical and commercial leaders. No succession plan, deputy CEO, or COO has been publicly named. The loss of either co-founder would be a material disruption to the company's technical roadmap and investor relationships. Both are active contributors to the company's public identity (blog posts, conference talks, media interviews). **Enterprise GTM execution risk:** Semgrep hired Garrett Souza as VP Sales in early 2025 as part of the Series D GTM investment. Building an enterprise direct sales function from near-zero to $50M+ ARR requires: (1) recruiting enterprise account executives with SAST/AppSec domain expertise, (2) building SDR and marketing operations, (3) developing enterprise procurement processes (security questionnaire responses, legal contract templates, renewal infrastructure). This is a known-hard organizational transition for engineering-led PLG companies; failure to execute typically shows up as ARR stagnation 12–18 months after the VP Sales hire. **Talent competition for OCaml engineers:** Semgrep's core analysis engine is written in OCaml, a specialized functional programming language with a limited talent pool. OCaml engineers command premium salaries and are recruited by Jane Street, Meta (Hack compiler), and other specialized employers. Semgrep's ability to maintain and extend the Pro Engine depends on a narrow specialized hiring pool. **Cultural transition from engineering-led to enterprise-sales organization:** Semgrep's founding culture is engineering-first, community-first. The shift to enterprise direct sales requires hiring sales, marketing, and customer success personnel who may have different incentive structures and cultural norms. Managing this transition while retaining engineering quality is a known execution challenge. [CR021, CR022, CR023, CR024, CR025]

7.6 Mitigations, Monitoring Triggers, and Thesis-Break Events

**Risk mitigations in place:** - SOC 2 Type II certification addresses enterprise security objections - GDPR DPA and privacy documentation addresses EU customer procurement requirements - FedRAMP Ready status provides a pathway to Authorization (blocks federal sales but does not prevent enterprise commercial) - Managed Scanning reduces enterprise deployment friction (addressing operational risk) - Pro Engine differentiation (cross-file dataflow) provides technical moat vs. simple pattern-match competitors - $100M Series D provides runway for at least 12–18 months, cushioning capital risk **Thesis-break triggers (investor should exit or materially discount position if any occur):** 1. GitHub announces GHAS price reduction or feature parity with Semgrep Code for all GitHub Enterprise customers — would directly cannibalize the enterprise SAST market 2. Semgrep ARR confirmed below $25M or YoY growth below 20% — would imply the PLG growth stall thesis is confirmed 3. LGPL-2.1 copyright infringement lawsuit filed against Semgrep over December 2024 license change — would create existential legal risk 4. Two or more named enterprise customers publicly churn to a competitor — would signal product-market fit erosion 5. Opengrep reaches 20,000+ GitHub stars or a major VC/corporate backer announces Opengrep sponsorship — would accelerate CE funnel attrition **Monitoring indicators (quarterly review):** - GitHub star growth rate for both semgrep/semgrep and opengrep/opengrep repositories - G2 and Gartner Peer Insights rating trends - Semgrep job postings (by function) as proxy for revenue growth investment - GHAS pricing and feature announcements - Latka ARR estimate updates - FedRAMP marketplace listing status [CR026, CR027, CR028, CR029, CR030]

7.7 Exhibits

8.1 Investment Recommendation and Confidence

**Recommendation: Conditional Interest — Invest Pending Data Room Confirmation** Semgrep is an investment-grade company in an investment-grade market with a differentiated technical product and strong developer brand. The investment case is **not structurally broken** but is **not actionable at current information quality** without data room access to confirm: 1. Current ARR and YoY growth rate (the $33.6M estimate is 9 months old and crowdsourced) 2. Net Revenue Retention (NRR) and cohort retention by tier (Teams vs. Enterprise) 3. Actual cash burn, runway, and Series E timeline Without these three confirmations, a conviction buy recommendation is not supportable. With them, the recommendation could upgrade to **Conditional Buy** (if NRR > 120% and ARR growth > 60%) or downgrade to **Pass** (if NRR < 100% and growth < 30%). **Confidence level: Medium** — material evidence gaps in financial performance (all metrics undisclosed) prevent high-confidence recommendation. **Risk rating: Elevated** — competitive commoditization (GHAS), Opengrep fork, capital dependency, and key person risk are all present simultaneously; not acute but require active monitoring. **Valuation stance: Current valuation appears reasonable if ARR growth > 50% YoY** — at $33.6M ARR and 50-80% YoY growth, a Series D valuation of $400–750M (12–22x ARR) is within range of developer security comparables. The valuation becomes stretched at 20–30% ARR growth and is cheap at 80%+ growth. [CV001, CV002, CV003, CV004, CV005]

8.2 Investment Thesis and Anti-Thesis

**Investment Thesis (Bull):** Semgrep is the only enterprise AppSec platform that combines developer experience (fastest scan setup, lowest friction deployment), technical precision (Pro Engine interprocedural dataflow), and product breadth (SAST + SCA + Secrets + AI triage) in a single developer-native platform at $30/contributor/month. As the AppSec market grows from $8.6B to $25B+ by 2030, Semgrep is positioned to capture the growing enterprise developer security budget that requires more precision than GHAS native SAST while costing less than Snyk ($65–80K+/year enterprise) or Checkmarx ($100K+/year legacy). The PLG → enterprise motion (CE free → Teams → Enterprise → multi-product) creates a compounding acquisition engine that, once the enterprise direct sales function matures, could accelerate to $100M+ ARR within 24–36 months. **Anti-Thesis (Bear):** GitHub's structural distribution advantage means that GitHub Enterprise customers will default to GHAS + Copilot Autofix once feature parity with Semgrep Teams is achieved. This is a matter of "when," not "if." Simultaneously, the Opengrep fork undermines the top-of-funnel CE developer acquisition channel that Semgrep has historically relied on for PLG-to-Teams conversion. Without an independent top-of-funnel and without a distribution moat, Semgrep is a niche enterprise AppSec vendor with $33M ARR and a $400–750M Series D post-money that implies 12–22x ARR multiples — a challenging return profile if growth stalls. The investment thesis requires a narrow conjunction of events (rapid ARR growth + GHAS failing to achieve feature parity + Opengrep not gaining critical mass) that is not supported by strong disconfirming evidence for any element. [CV006, CV007, CV008, CV009, CV010]

8.3 Bull / Base / Bear Scenarios

**Bull Case (20–25% probability):** ARR grows at 70–80% CAGR, reaching $100M+ in 2027 and $180M+ in 2028. NRR is 120%+ indicating strong expansion from the multi-product cross-sell (Code + SC + Secrets + Assistant). Enterprise direct sales function ramps to 50+ AEs by 2026. Series E at $1B+ valuation in 2026–2027. Exit via IPO or strategic acquisition (Google, Microsoft Azure, JetBrains, Palo Alto Networks) at $1.5–3B in 2027–2029. Return to Series D investors: 2–4x on invested capital. **Base Case (50–55% probability):** ARR grows at 40–60% CAGR, reaching $70M in 2027 and $120M in 2028. NRR is 105–115% indicating modest expansion. Enterprise direct sales ramps to 20–30 AEs. Series E at $500–800M valuation in 2027. Exit via strategic acquisition (Palo Alto, Broadcom/Symantec, Rapid7, Qualys) at $600M–$1.2B in 2028–2030. Return to Series D investors: 0.8–1.5x on invested capital at current price, depending on dilution from Series E. **Bear Case (20–30% probability):** ARR growth stalls below 30% YoY as Opengrep fork reduces CE top-of-funnel and GHAS adoption by enterprise customers impairs enterprise pipeline. NRR falls below 105% indicating churn or contraction. Series E financing is at flat or down-round valuation ($300–500M). Company executes strategic sale to a security acquirer (Broadcom, Tenable, HCL) or strategic recap at $200–350M. Return to Series D investors: 0.2–0.5x on invested capital with significant preference overhang dilution. The key swing factor is NRR: at NRR > 120%, the base case upgrades to bull; at NRR < 105%, the base case degrades to bear. This single metric, currently undisclosed, is the most important data point for investment thesis confirmation. [CV011, CV012, CV013, CV014, CV015]

8.4 Comparable Set and Valuation Context

**Developer security public/private comparables:** Snyk is the closest public comparable: $350M+ ARR (2024 est.), $7.4B valuation (secondary market, 2024), implying ~21x forward ARR at scale. Snyk achieved this multiple at 100%+ NRR with $200M+ ARR; applying Snyk's multiple to Semgrep's $33.6M ARR implies a $700M valuation if ARR is growing 60%+ with 120%+ NRR — consistent with the Series D range. Checkmarx was acquired by Hellman & Friedman in 2022 at ~$1.15B on ~$100M ARR (~11.5x ARR), providing a strategic floor valuation for an enterprise AppSec platform of Semgrep's profile when it reaches $100M ARR. GitHub Advanced Security (GHAS) is bundled into GitHub Enterprise Cloud at enterprise tiers, with no disclosed separate ARR. GitHub's $7.5B acquisition by Microsoft in 2018 valued the full developer platform, not security specifically. GHAS is not a tradeable comparable but sets a reference point for the value embedded in GitHub's developer distribution. SonarSource (SonarQube) closed a $412M fundraise in 2022 at an undisclosed valuation from Warburg Pincus, providing a private comparable for developer-focused static analysis platforms; SonarSource is larger ($100M+ ARR) but confirms investor appetite for this category at scale. Veracode (acquired by Broadcom in 2023 for $550M from Broadcom after prior PE ownership) provides an M&A floor: a mature SAST/DAST vendor with $250M+ ARR sold to a large enterprise acquirer at ~2x ARR, reflecting legacy product discount but confirming strategic buyer demand. **Valuation sensitivity:** At Semgrep's $33.6M ARR, the implied valuation range is: - 10x ARR (legacy/stagnating): $336M (bear floor) - 15x ARR (moderate growth, 40% CAGR): $504M - 20x ARR (high growth, 60% CAGR): $672M - 30x ARR (hypergrowth, 80%+ CAGR, NRR > 120%): $1.0B+ The Series D post-money valuation is estimated at $400–750M based on the $100M raise size, Menlo Ventures' typical check-to-ownership ratio (15–25%), and comparables in the developer security category. [CV016, CV017, CV018, CV019, CV020]

8.5 Exit Readiness and Final Diligence Asks

**Exit readiness:** Semgrep has multiple plausible exit paths: IPO (requires $100M+ ARR with 20%+ growth and a favorable market environment, likely 2028+ for base case), strategic acquisition by a cybersecurity platform (Palo Alto Networks, CrowdStrike, Broadcom, Rapid7, Tenable, JetBrains), or financial sponsor acquisition (PE or growth equity at $500M+ enterprise value). The Series D investor base (Menlo, Lightspeed, Sequoia) has strong IPO and M&A relationships; exit paths are available at multiple ARR milestones. IPO path requires: 1. $100M+ ARR with 40%+ growth 2. NRR > 115% demonstrating land-and-expand viability 3. GAAP gross margin > 70% demonstrating SaaS economics 4. Reduction in key person dependency (succession planning for CEO/CTO) 5. FedRAMP Authorization for U.S. federal market access Strategic acquisition path is available at $200M–$1.5B+ depending on ARR, NRR, and buyer strategic fit. The most likely strategic acquirers in priority order: (1) Palo Alto Networks (active AppSec M&A, Prisma Cloud expansion); (2) JetBrains (developer tooling synergy, editor + SAST integration); (3) CrowdStrike (Falcon platform expansion to developer AppSec); (4) Google/GitHub indirect (via platform partnership with GHAS competitive threat). **Final diligence asks (minimum viable data room):** 1. ARR as of Q1 2026 with YoY growth confirmation 2. NRR and GRR for last 4 quarters by tier 3. Cash burn, cash position, and Series E pipeline 4. Customer count by tier (CE MAU, Teams, Enterprise) 5. Legal opinion on LGPL-2.1 relicensing compliance and CLA status 6. Enterprise AE headcount and 2025 direct sales new ARR attribution [CV021, CV022, CV023, CV024, CV025]

8.6 Exhibits