October 27, 2020 Investment Themes

The Need for Developer-Centric Application Security: Our Investment in Stackhawk

The Need for Developer-Centric Application Security: Our Investment in Stackhawk

Over the last decade we have seen the benefits of DevOps come to life as we removed barriers between development and IT operations teams. Innovations like agile, virtualization and automation of the CI/CD pipeline made way for faster development and widespread adoption of DevOps principles. More recently microservices, containerization and developer-centric performance monitoring has unlocked even more speed so organizations can deliver value to their customers faster. 

But throughout this transformation, application security has been left behind – as a bolt on process after development – and sometimes after deployment. Simultaneously, the cultural and technical barriers between security and development teams have grown, preventing security processes from entering the development pipeline. The groups have been separated by entirely different goals and operating procedures that frequently leave the two at odds. 

At Costanoa, we believe the next frontier for application security is to have it embedded in the development process. While the transition to DevOps has allowed companies to release software quickly, there is no clear path to release secure software quickly today. The result is that development teams spend excessive energy in “after the fact” remediation of problems that could easily have been prevented. Leading engineering teams have recognized this bottleneck and have shifted security left (sometimes called DevSecOps). There is a strong demand for tools that automate security testing in CI/CD which is why we’re thrilled to partner with StackHawk as they build a modern approach to dynamic application security testing.

Modernizing application security within engineering teams

StackHawk is an application security platform that is built for developers. The platform makes it easy to find and fix security vulnerabilities before they hit production. The tool integrates into the CI/CD process so users can run a scan for security vulnerabilities as part of the build pipeline. 

The Need for Developer-Centric Application Security: Our Investment in Stackhawk
Stackhawk application list cards

One of their customers, Adrián Moreno Peña, Tech Lead at VanMoof, said it best, “Using StackHawk we can make our security improvement process transparent, actionable and easy to understand for each developer in the team.”

The company launched into General Availability in September and are already seeing strong product validation. Early access customers have been converting to paid customers and the company is seeing new sign-ups every day. 

We’re especially excited because we get to partner with StackHawk founders, Joni Klippert (CEO), Ryan Severns (COO) – who we previously worked with at VictorOps which was acquired by Splunk in 2018 – and Scott Gerlach (CSO) – all who have strong backgrounds in DevOps and security which makes me confident they are the team to tackle integrating application security into the development lifecycle. 

Today, StackHawk announced their $10 million Series A round of funding. Costanoa was an early stage investor in StackHawk, investing in the seed round at the founding of the company, and we are excited to double down and join Sapphire Ventures and the rest of the returning backers in the Series A.

We wish the team the best of luck as they embark on this next phase of growth as they continue product development and invest in their go-to-market team!



Written by


Founder & Managing Partner

Greg Sands