Estonian cybersecurity startup Patchstack have raised a new $5M funding round to further their mission of covering the entire lifecycle of open-source security to provide the fastest mitigation to the emerging security threats.

Patchstack’s Series A round was led by Karma Ventures, an early-stage venture capital fund focusing on deep-tech software companies, with  participation from G+D Ventures, the German TrustTech investor, and Emilia Capital, the investment firm of Yoast founders Marieke van de Rakt and Joost de Valk.

On average, it takes over 200 days to patch a critical security vulnerability. Patchstack helps developers to quickly identify, prioritize and auto-mitigate new vulnerabilities and provides the fastest vulnerability protection in real-time. By combining their vulnerability intelligence with application vPatching technology, Patchstack doesn’t require user interaction or code changes, thus preserving the application’s full integrity.

The company now released their free tool co-funded by the EU for open-source software vendors that helps commercial projects to comply with the upcoming Cyber Resilience Act early on. The final version of the Cyber Resilience Act was confirmed in March 2024 and is expected to be passed as a law later this year. The Cyber Resilience Act (CRA) is an EU regulation for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements in the EU, such as required incident reports and automatic security updates.

Today, over five million websites are scanned through Patchstack’s vulnerability intelligence, and millions of vulnerability attacks are prevented with the help of Patchstack’s vulnerability mitigation. Their current customers include GoDaddy, Digital Ocean, Plesk/cPanel, and many others. While the company’s first solution was made for WordPress, the world’s largest open-source content management system which powers over 40% of all websites, it is preparing to support other CMSs and plans to expand to the broader open-source software ecosystem.

Patchstack’s unique strength is its access to vulnerability data. The company launched its first gamified bug bounty program and managed the Vulnerability Disclosure Program (VDP) for WordPress plugins, attracting thousands of ethical hackers to find and report new security vulnerabilities. This program’s success made Patchstack the leading open-source security intelligence provider and the largest CVE (Common Vulnerabilities and Exposures) Naming Authority by volume in 2023.

Last year, Patchstack published 76% of all known WordPress-related security vulnerabilities, demonstrating their market dominance. Earlier in 2023, Google selected Patchstack for their AI for Cybersecurity accelerator program to help expand their AI capabilities using their unique and extensive data set – the world’s largest dataset of open-source security vulnerabilities.

Patchstack founders met on a PHP Security subreddit back in 2016. Oliver Sild, the CEO, was then doing incident response and researching malware, and Dave Jong, the CTO, was conducting web application penetration testing. They have been building Patchstack ever since.

“I have been following Patchstack’s progress for some time, have had many great discussions with Oliver, and think that the team is on a noble and exciting mission to protect users of open-source technologies from cyber threats. I’m really glad that Oliver and his team chose to partner with Karma Ventures and I’m looking forward to working on this opportunity together with the team and our co-investors,” said Kristjan Laanemaa from Karma Ventures.

Patchstack aims to become the leading open-source software security company and help companies and software vendors comply with the upcoming European Cyber Resilience Act. The act adds great momentum and customer demand for Patchstack as it requires companies to have vulnerability management and software supply chain oversight. Additionally, software developers need to have VDP programs, which Patchstack provides as they cover the entire lifecycle of open-source software vulnerabilities.

“We are pleased to join Patchstack’s vision of automating open-source software security with its unique approach of proactively protecting applications against vulnerabilities. We are particularly impressed by Patchstack’s exceptional leadership and remarkable talent, alongside its focus on delivering value based on the quality and execution for its customers and partners. We look forward to a hands-on partnership with both the Patchstack team and investors, shaping a more secure digital future together,” stated Alberto Pérez Arranz from G+D Ventures.

“We are a small yet very effective team. With the data and technology we possess, we believe we could potentially hyper-automate the entire open-source software security process,” said co-founder and CEO Oliver Sild. “Two years ago, the European Innovation Council supported our R&D efforts with a 2 million EUR grant, which then allowed us to build an amazing product and grow our recurring revenue organically two to three times annually. Now, with the Series A, we plan to accelerate Patchstack product development and build a top-level sales and marketing team,” he added.