Spectral exits stealth with $6.2M to protect companies from costly coding mistakes

The lightning-fast DevSecOps scanner ensures developers can code with confidence while protecting companies’ passwords, tokens, API keys and other sensitive data

Spectral left stealth today, announcing $6.2M in funding for their developer-first code security scanner. The Tel Aviv-based DevSecOps startup, founded by Dotan Nahum, Lior Reuven, Uri Shamay and Idan Didi, uses the first hybrid engine that combines hundreds of detectors with AI in order to find, prioritize and block costly coding mistakes. The seed round was led by Amiti and MizMaa.

When a company’s code isn’t secure, its data isn’t secure. Exposing internal API keys, or committing passwords and other sensitive access credentials to repositories and cloud providers, can give bad actors unauthorized access to the codebase and developer assets, and from there quickly lead to severe security breaches.

In fact, Spectral’s recent data shows that 35% of organizations that have a strong open-source posture had at least one public leak. In addition, close to 50% of the leaks are due to bad security hygiene originating from personal employee accounts and shadow accounts on cloud services like GitHub, Dockerhub, npm, and others.

With increasing demand to produce more, better-quality software in less time, a tiny mistake by an ambitious R&D team can have a disproportionate impact on the business, costing a company millions in fines, lost revenue and reputation. IBM estimates that even small security breaches cost US companies an average of $8.2M.

Dotan Nahum, Spectral’s founder and CEO, saw these challenges while CTO at Como, HiredScore and unicorn Fintech company Klarna. As an established open-source contributor for around 20 years, he saw how the industry was shifting more responsibilities onto developers. Spectral’s customers and deep research activities also indicated that these issues were being compounded by poor developer tools.

“Scanning tools today take long minutes or even hours to run in a given pipeline,” said Nahum. “Developers just don’t have that kind of time, or the funds (many CI providers meter by the minute). Some developers are so overwhelmed by slow, irrelevant, and non-intuitive results that they stop using scanners altogether. There’s an obvious need for a robust yet simple, fast yet extensive product that’s developer-first and won’t slow down DevSecOps and CI/CD pipelines.”

Spectral is a lightning-fast, developer-first cybersecurity solution that finds and protects against costly security mistakes in code, configuration, and other developer assets. In a matter of seconds per average-sized repository, Spectral can detect mistakes across hundreds of tech stacks, including the source code itself. It provides real-time prevention and also flags these issues in a “single pane of glass,” so that each team can productively triage, fix and monitor them while charting its own progress and improvements.

Following the principle of “implement strong security measures, but act like you have none,” Spectral protects against the leakage of secrets both outside of an organization and internally. “We observe that with so many tech stacks, SaaS vendors and integrations, mistakes in private repositories end up appearing in public repos too,” said Nahum. “It’s these things – the things you don’t know that you don’t know about – that really keep you up at night. Spectral helps reveal these blind spots through a Public Scan feature, through which we have already discovered breaches in over 20 Fortune 500 companies and counting.”

The Spectral platform monitors, crawls, and protects organizations by intelligently discovering developer-facing systems like Slack, npm, maven, log providers, and more sources, which companies tend not to think about in their active threat modeling.

The Spectral scanner is a developer-first solution. It respects security and privacy practices and never sends a company’s code, configuration or other assets outside of the company’s perimeter, which makes it more secure, faster and easier for software teams to use internally. It integrates with Travis, Jenkins and CircleCI, and offers plugins for popular frameworks and products such as Webpack, Gatsby, Netlify and more.

Spectral includes an ever-growing set of detectors. It can scan any programming language, configuration files and other assets using machine learning-based analysis. Users can also build their own custom detectors using a purpose-built query language called SPEQL.

Founded in mid-2020, Spectral has a team of 15 and already protects millions of lines of code for a significant base of customers, including publicly listed companies.

“Our solution prevents security breaches on a daily basis,” said Spectral’s co-founder and COO, Idan Didi. “The pain points we’re addressing resonate strongly across every company developing software, because as they evolve from own-code to glue-code to no-code approaches they allow their developers to gain more speed, but they also add on significant amounts of risk. Spectral lets developers be more productive while keeping the company secure.”