IriusRisk lands $29M to automate threat modeling for apps

IriusRisk, a threat modeling platform, today announced that it raised $29 million in a Series B funding round led by Paladin Capital Group with participation from BrightPixel Capital, SwanLab Venture Factory, 360 Capital and Inveready. In a conversation with TechCrunch, CEO Stephen de Vries said that the proceeds will be put toward growing IriusRisk’s U.S. and Europe, Middle East and Africa sales and marketing teams as the company’s total raised nears $40 million.

De Vries, who previously worked at cybersecurity firm Corsaire, KPMG and ISS as a principal security consultant, said he came to the realization that companies were wasting resources performing security testing on software that developers didn’t design with security in mind. If developers could understand the security flaws in their designs by threat modeling — i.e. identifying the types of threats that cause harm to software — it’d reduce the bottleneck caused by security reviews, de Vries theorized.

Indeed, threat modeling doesn’t appear to be top of mind at many organizations. In a Golfdale Consulting survey commissioned last year by cybersecurity vendor Security Compass, less than 10% of developers reported that threat modeling was performed on 90% or more of the apps they developed at their organizations. Only 25% said their organizations conducted threat modeling during the early phases of software development, like requirements gathering and design, before proceeding with development.

“Threat modeling is now established as a required activity for secure software development,” de Vries said — pointing to President Joe Biden’s recent executive order establishing threat modeling as a “recommended minimum” for verifying app code. “Since threat modeling as an activity is still relatively new, there is a need for organizations to share strategies, tips and tricks for what works when rolling out a threat modeling program — and what doesn’t.”

IriusRisk leverages a rules engine to “reason over” client-side and cloud-hosted codebases, taking a pattern-based approach to modeling threats. Users of platforms like Amazon Web Services (AWS) CloudFormation, HashiCorp Terraform and Microsoft Visio can tap IriusRisk to import code and automatically generate a diagram and threat model of it.

IriusRisk’s threat modeling dashboard. Image Credits: IriusRisk

IriusRisk also provides an analytics module with reports and logs, which can be used by data analysts and scientists to interpret threat data from within their organizations. To increase the granularity and accuracy of this data, customers can add to IriusRisks’ pattern detection library components unique to their industry or company, including those for AWS, Google Cloud, Azure and industrial control systems.

“IriusRisk allows technical decision makers to bake in security right from the start of the software development life cycle, turning it into an easily implemented practice that can be consistently applied across an organization’s product portfolio, creating security-by-design at scale,” de Vries said. “Organizations benefit from IriusRisk’s extensive security standards libraries which include existing threat models for known components, comprehensive security standards and compliance libraries, which helps teams to build secure software first and automatically address regulatory requirements.”

When asked about competition, de Vries conceded that startups like Spectral take an approach similar to IriusRisk in some respects. But he asserted that his company’s largest competitors are behind the curve, performing threat modeling manually with “whiteboards and maybe rudimentary tooling.”

“We are focused on solving the problem of performing threat modeling consistently and at scale, with minimal developer friction. We often talk to organizations … who are looking to mature their approach by taking it out of the security team and into engineering teams,” de Vries added. “We are making a significant investment into the wider threat modeling community.”

IriusRisk claims to have more than quadrupled its partner base through 2021 and grown its free offering, IriusRisk Community Edition, by 120% in terms of active users (to just over 5,400). More than 4,000 projects ran through the free platform over the last year, de Vries said — a number he expects will grow when IriusRisk launches a new open threat model format, scheduled for November, to allow better interoperability between threat modeling tooling and existing architectural and security tools.

“Our customers include six of the 30 globally systemically important banks and nine Fortune 100 companies … Government organizations are using the tool, as well as a digital forensics company, which supports military end-users,” de Vries said. “It is very typical for application security or cyber security teams to adopt our software and then roll it out to the wider engineering organization so that they can self-serve a threat modeling capability … We have grown annual recurring revenue at over 106% year-over-year for the last two years and are currently at a 120% year-over-year growth rate.”

IriusRisk has 137 employees today and plans to expand its headcount to 160 by the end of the year.

IriusRisk lands $29M to automate threat modeling for apps by Kyle Wiggers originally published on TechCrunch