IriusRisk raises $29 million to automate threat modeling for apps


IriusRisk, a threat modeling platform, today announced it has raised $29 million in a Series B funding round led by Paladin Capital Group that includes BrightPixel Capital, SwanLab Venture Factory, 360 Capital and Inveready. CEO Stephen de Vries said the proceeds will be spent on growing IriusRisk’s sales and marketing teams in the US and in Europe, the Middle East and Africa, bringing the company’s total raised to approaching $40 million.

De Vries, who previously worked at cybersecurity firm Corsaire, KPMG and ISS as chief security consultant, said he came to realize that companies were wasting resources running security tests on software that developers had not designed with security in mind. If developers could understand the security flaws in their designs through threat modeling — that is, identifying the types of threats that could harm the software — that would reduce the bottleneck caused by security assessments, de Vries theorized.

Indeed, threat modeling does not seem to be a top priority for many organizations. In a Golfdale Consulting survey commissioned last year by cybersecurity vendor Security Compass, fewer than 10% of developers reported that threat modeling was performed on 90% or more of the apps they developed at their organizations. Only 25% said their organizations performed threat modeling during the early stages of software development, such as requirements gathering and design, before moving on to implementation.

“Threat modeling has now been established as a required activity for secure software development,” de Vries said, pointing to President Joe Biden’s recent executive order, which establishes threat modeling as a “recommended minimum” for verifying app code. “Since threat modeling as an activity is still relatively new, there is a need for organizations to share strategies, tips, and tricks for what works when deploying a threat modeling program — and what doesn’t.”

IriusRisk uses a rules engine to “reason” about client-side and cloud codebases, and takes a pattern-based approach to threat modeling: known component types are matched against a library of threat patterns, each of which carries the threats and countermeasures that apply. Users of platforms such as Amazon Web Services (AWS) CloudFormation, HashiCorp Terraform, and Microsoft Visio can use IriusRisk to import their definitions and automatically generate an architecture diagram and a threat model from them.
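The import-and-generate step described above, reduced to its essence as an added example (this is illustrative code, not IriusRisk’s): a constructed CloudFormation template is parsed into components and dataflows, and a small table of pattern rules turns each matching component into a threat with a countermeasure. The resource names, property values and rules are assumptions.

```python
import json

# Constructed sample CloudFormation template (not a real deployment):
# a Lambda function writing into an S3 bucket, plus an RDS database.
TEMPLATE = json.loads("""
{"Resources": {
  "WebFn": {"Type": "AWS::Lambda::Function",
            "Properties": {"Environment": {"Variables": {"BUCKET": {"Ref": "DataBucket"}}}}},
  "DataBucket": {"Type": "AWS::S3::Bucket",
                 "Properties": {"AccessControl": "PublicRead"}},
  "Db": {"Type": "AWS::RDS::DBInstance",
         "Properties": {"StorageEncrypted": false, "PubliclyAccessible": true}}
}}""")

def components(template):
    """Nodes of the diagram: (logical name, resource type, properties)."""
    return [(n, r["Type"], r.get("Properties", {})) for n, r in template["Resources"].items()]

def _refs(obj):
    """Yield every logical name referenced via {"Ref": ...} inside a property tree."""
    if isinstance(obj, dict):
        if isinstance(obj.get("Ref"), str):
            yield obj["Ref"]
        for v in obj.values():
            yield from _refs(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _refs(v)

def edges(template):
    """Dataflows of the diagram: a resource that Refs another is assumed to talk to it."""
    return [(name, target) for name, res in template["Resources"].items()
            for target in _refs(res.get("Properties", {}))]

# Pattern library (assumed): resource type, predicate on properties, threat, countermeasure.
RULES = [
    ("AWS::S3::Bucket", lambda p: p.get("AccessControl", "Private") != "Private",
     "Information disclosure: bucket readable by anonymous users", "Set AccessControl: Private"),
    ("AWS::RDS::DBInstance", lambda p: not p.get("StorageEncrypted", False),
     "Information disclosure: database not encrypted at rest", "Set StorageEncrypted: true"),
    ("AWS::RDS::DBInstance", lambda p: p.get("PubliclyAccessible", False),
     "Tampering: database reachable from the internet", "Set PubliclyAccessible: false"),
]

def threat_model(template):
    """Apply every rule to every component and return the list of findings."""
    return [{"component": name, "threat": threat, "countermeasure": fix}
            for name, rtype, props in components(template)
            for rule_type, matches, threat, fix in RULES
            if rtype == rule_type and matches(props)]
```

Adding an industry-specific component type is then a matter of appending a tuple to RULES, which mirrors the custom-library extension described later in the article.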


The IriusRisk Threat Modeling Dashboard. Image Credits: IriusRisk

IriusRisk also offers an analytics module with reports and logs, which data analysts and scientists can use to interpret threat data from within their organization. To increase the granularity and accuracy of this data, customers can extend IriusRisk’s pattern detection library with components unique to their industry or business, alongside the built-in ones for AWS, Google Cloud, Azure and industrial control systems.

“IriusRisk empowers technical decision makers to build security in from the beginning of the software development lifecycle, making it an easy-to-implement practice that can be applied consistently across an organization’s product portfolio, enabling security-by-design at scale,” de Vries said. “Organizations benefit from IriusRisk’s comprehensive libraries of security standards, including existing threat models for known components, comprehensive security standards, and compliance libraries, which help teams build secure software first and automatically meet regulatory requirements.”

When asked about competition, de Vries admitted that startups like Spectral take an approach similar to IriusRisk’s in some ways. But he claimed his company’s biggest competitors are lagging behind, still doing threat modeling manually using “whiteboards and perhaps rudimentary tooling.”

“We are focused on solving the problem of performing threat modeling consistently and at scale, with minimal developer friction. We often talk to organizations … who want to develop their approach by taking it out of the security team and into technical teams,” added de Vries. “We are making a significant investment in the wider threat modeling community.”

IriusRisk claims to have more than quadrupled its affiliate base by 2021 and to have grown its free offering, IriusRisk Community Edition, by 120% in terms of active users (to just over 5,400). More than 4,000 projects ran through the free platform last year, de Vries said.

“Our customers include six of the 30 global systemically important banks and nine Fortune 100 companies… Government organizations use the tool, as well as a digital forensics company, which supports military end users,” said de Vries. “It’s very typical for application security or cybersecurity teams to adopt our software and then roll it out to the wider technical organization so they can provide a threat modeling capability of their own… We’ve grown annual recurring revenue at over 106% per year over the past two years and currently have a 120% annualized growth rate.”

IriusRisk has 137 employees today and plans to increase the workforce to 160 by the end of the year.