Semgrep
AI-powered code security platform that finds and fixes vulnerabilities across the development lifecycle.
- Founded: 2017
- Headquarters: San Francisco, CA
- Latest Round: Series D
- Est. Valuation: ~$1,000M
Investment Thesis
Semgrep is a code security platform that uses program analysis and AI to find and fix vulnerabilities across the software development lifecycle. Originally known as r2c (Return to Corporation), the company builds lightweight static analysis tools that developers actually want to use, combining the precision of traditional SAST with AI-powered capabilities.
With $204 million in total funding, Semgrep serves developers and security teams who need to ship secure code fast. The open-source Semgrep engine has been widely adopted by the developer community, and the commercial platform adds enterprise features including custom rules, CI/CD integration, and AI-assisted remediation. The company operates in a hybrid model with hubs in San Francisco, Boston, Denver, London, and New York.
Application security scanning is plagued by false positives, slow scan times, and rules that don't understand modern code patterns, leading developers to ignore security findings rather than fix them.
Semgrep combines lightweight static analysis with AI-powered code understanding to find real vulnerabilities fast, with a developer experience so good that engineers actually want to use it, shifting security left without slowing down shipping.
Used by Dropbox, Slack, Figma, and thousands of engineering teams; 40,000+ community-contributed rules; trusted to scan code at companies processing billions of dollars in transactions.
AI-generated code is flooding into production at unprecedented scale via Copilot and similar tools, dramatically increasing the need for automated security scanning that can keep pace with the volume of code being written.