StepSecurity: $3 Million Closed To Protect CI/CD Pipelines And Infrastructure

By Amit Chowdhry • May 7, 2024

StepSecurity, a leader in protecting CI/CD pipelines and infrastructure, announced the closing of its $3 million seed funding round, led by Runtime Ventures. Inner Loop Capital, SaaS Ventures, DeVC, and several notable industry leaders participated as angel investors.

Launched two years ago by cybersecurity leaders Varun Sharma and Ashish Kurmi, StepSecurity rapidly gained momentum within both the open-source community and enterprise sectors. More than 3,000 open-source projects, including those from the Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, Node, and Ruby, use StepSecurity to harden their CI/CD pipelines. StepSecurity also recently detected a CI/CD supply chain attack in a Google open-source project.

Recent high-profile security breaches have made the urgency of securing CI/CD environments clearer than ever. Several incidents, such as XZ Utils and SolarWinds, originated in CI/CD. As a result, the Center for Internet Security (CIS), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and National Institute of Standards and Technology (NIST) have released guidance and benchmarks urging enterprises to harden their CI/CD environments.

StepSecurity plans to use the funding to invest in its open-source community and expand its enterprise offerings. The company already supports GitHub Actions and plans to expand its product to cover other CI/CD environments like GitLab CI, Harness, and Azure DevOps. It is also actively hiring across engineering, sales, and marketing to support its growth.


“Enterprises typically have robust application and cloud security solutions. However, CI/CD, the crucial link between these two environments, remains unprotected. We analyzed past CI/CD security breaches and built our platform using a first-principles approach.”

  • Varun Sharma, CEO of StepSecurity

“Attackers have learned not only that the CI/CD pipeline represents the weak link in application security, but also that a successful supply chain attack can deliver an exponential impact. Supply chain attacks such as SolarWinds and Codecov impacted thousands of entities given the broad usage of the vulnerable applications. Security leaders have learned the hard way that CI/CD security can no longer be ignored, and StepSecurity is at the forefront of this paradigm shift.”

  • Michael Sutton, General Partner & Co-Founder at Runtime Ventures