The Road to Semmle’s Series B, and Beyond
Today, we’re announcing our Series B, led by Ping Li and Vas Natarajan of Accel Partners in Palo Alto, California. To mark the occasion, I want to share the highlights of our overall journey to this point, and where we’re headed. I’ll tell you about the low points some other day...
A sabbatical at Microsoft in the late ‘90s, where I needed to come to grips with a large unfamiliar codebase, first made me aware of the need for software engineering analytics. How do you answer deep questions about data flow in the code? How does the quality rank against similar projects? How did the codebase get to be in that state? Who did what, where and why? I didn’t know the answers, but it became an underlying thread in my research - the key would be to treat the source code itself as data.
Semmle was born on December 21, 2006. We incorporated, so that the ideas I wanted to develop for a talk at an academic conference (PEPM) on January 15, 2007, would be fully owned by the company. For myself, apart from the commercial opportunity, the main motivation for creating a company was to build something big with the incredible team. It was simply exhilarating to have such smart and creative colleagues - and I feel exactly like that about the team today. What followed was an intense Christmas vacation, frantically coding so the demo would be ready in time. I loved every bit of it - coding all night and going for a run in the morning to re-charge for more coding. What makes Semmle technology so much fun is that it builds on interesting maths to create truly useful results. Later that year, we presented more polished versions at SCAM in Paris, at GTTSE in Braga, and QCon in San Francisco. While it was still a research prototype, the early feedback, especially from the participants at GTTSE, convinced us we were onto something special. One participant became a customer 2 years later.
It’s a business!
A few years of struggle followed; great technology does not necessarily make a business, and certainly not instantaneously. Also, the technical challenges we had set ourselves were huge - there’s a reason why the great idea of “code is data,” suggested many times over in academic research, hadn’t yet made the prime time. Was this beautiful set of ideas commercially viable? Would we be able to go from a cool prototype to a stable product? We did some consultancy contracts to pay bills, but it was only in 2009 that NASA and Murex licensed an early version of the software. I’ll be forever grateful for the vision and trust of those early adopters, who have remained loyal partners ever since. In particular, both would set us on the path to security analysis, which became our killer use case.
Through my friend and former student Rick McPhee, I was introduced to a group of private seed investors who funded Semmle, in November 2011. This seed funding allowed Semmle to improve the core technology (named QL), and sign up a bunch of additional customers, especially in financial services. I had not fully committed yet, and continued to split my time between Semmle and the University of Oxford, where I had been a professor of Computer Science since 1994. If I had to do it again, I’d go all-in much earlier, much as I would not try to read a book while landing a plane.
By August 2014 it had become abundantly clear there was a real business to be built, and Semmle became a proper startup in the Silicon Valley sense. We took a Series A funding round, led by Kevin Comolli of Accel Partners in London. The discussions with the Accel team were incredibly inspiring - they are tremendously knowledgeable on the market, both for software productivity and business intelligence. Adrian Asher and Adrian Colyer hinted we should focus on security. They were right, but I needed three years to find that out for myself! The purpose of Series A was to make the product enterprise-ready, and also to identify a killer use case for our go-to-market strategy. The first goal was spectacularly achieved when one early customer installed the new product version (named LGTM), and went from analysing 50 codebases to 750+ in a few weeks. The second goal was achieved by working with customers such as Microsoft and Google; variant analysis (finding all logical variants of a known vulnerability) turned out to be a greenfield opportunity, and a perfect fit for our technology.
With these key ingredients for scaling in hand, we hit Sand Hill Road. First, however, we had a friendly first meeting with the team at Accel Palo Alto on University Avenue. I was immediately impressed by the searching questions and perceptive comments from Ping Li and Vas Natarajan, and their thoughtful approach to company growth. Two weeks later we agreed to accept their investment, and we’re announcing this new partnership today. The awesome team at VC firm Work-Bench, who have been extremely helpful establishing Semmle’s customer base on the U.S. East Coast, also participated in this round. The goal of the round is to build out the go-to-market machine, with both a top-down sales motion through a direct sales force, as well as a bottom-up community-oriented one via LGTM.com.
We’ll continue to secure the software that runs the world. The best security teams have chosen to work with Semmle, and there’s a community of security experts enhancing our platform with security queries of their own. That particular use case is huge! However, we have not forgotten the broad vision of software engineering analytics. Several of our current customers, such as Nasdaq, already use Semmle for improving team productivity, and our data science team has developed new technology for that use case, which is currently being integrated in the product. Other use cases we’re working on include portfolio simplification, and more general applications of natural language processing applied to elements of source code.
Want to be part of the next stage of the Semmle journey? We’re hiring for all roles, so get in touch!