- Socket has raised $60M in a Series C led by Thrive Capital, reaching a $1B valuation and unicorn status.
- The startup scans open-source packages in real time for malicious behaviour (backdoors, typosquatting and obfuscated code) before they reach production.
- The raise reflects growing enterprise anxiety over AI-accelerated software development and the flood of unvetted open-source dependencies it brings.
The startup that spotted a malicious Axios dependency in six minutes has just crossed unicorn territory, and its timing could hardly be better.
Socket has raised $60 million in a Series C round led by Thrive Capital, pushing the San Francisco-based company to a $1 billion valuation. Andreessen Horowitz and Abstract Ventures, both existing backers, participated alongside new investor Capital One Ventures, bringing Socket’s total funding to $125 million.
The raise reflects a growing anxiety inside enterprise security teams. As AI coding assistants accelerate software development, the volume of open-source dependencies entering production systems is growing faster than anyone can manually review. More than 90% of modern applications rely on open-source code, and attackers have noticed.
Socket, founded in 2020 by Feross Aboukhadijeh, is betting that the answer lies in behaviour, not databases. Where traditional Software Composition Analysis tools cross-reference known vulnerability lists, Socket scans packages in real time for malicious activity: backdoors, hidden install scripts, typosquatting, obfuscated code. The distinction matters because novel attacks, by definition, do not appear in any database until after the damage is done.
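To make the behavioural-versus-database distinction concrete, here is an added example (not Socket's code) of the kind of signal a behavioural scan looks for in an npm package: install-time lifecycle hooks, a name within a short edit distance of a popular package, and dynamic code evaluation or long high-entropy string literals. The popular-package allowlist, the thresholds and the sample manifest are all constructed for illustration.

```javascript
// Constructed allowlist standing in for a real "top packages" list.
const POPULAR = ["axios", "lodash", "express", "react"];

// Plain Levenshtein distance (no transposition credit), used for typosquat candidates.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return dp[a.length][b.length];
}

// Shannon entropy in bits per character; encoded payloads sit well above plain text.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// pkg: parsed package.json; files: { path: sourceText }. Returns a list of findings.
function scanManifest(pkg, files) {
  const findings = [];
  // 1. Lifecycle scripts run at install time, before the package is ever imported.
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (pkg.scripts && pkg.scripts[hook])
      findings.push({ rule: "install-script", detail: `${hook}: ${pkg.scripts[hook]}` });
  }
  // 2. Name is close to, but not equal to, a popular package (threshold chosen for the demo).
  for (const popular of POPULAR) {
    const d = levenshtein(pkg.name, popular);
    if (d > 0 && d <= 2) findings.push({ rule: "typosquat", detail: `${pkg.name} ~ ${popular}` });
  }
  // 3. Obfuscation signals: dynamic evaluation, or a long base64-looking literal with high entropy.
  for (const [path, src] of Object.entries(files)) {
    if (/\b(eval|new\s+Function)\s*\(/.test(src)) findings.push({ rule: "dynamic-eval", detail: path });
    for (const m of src.matchAll(/["'`]([A-Za-z0-9+\/=]{40,})["'`]/g)) {
      if (shannonEntropy(m[1]) > 4.5) { findings.push({ rule: "high-entropy-string", detail: path }); break; }
    }
  }
  return findings;
}

// Constructed sample: an "axois" look-alike with a postinstall hook that decodes and evals a blob.
const SAMPLE_PKG = { name: "axois", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const SAMPLE_FILES = { "setup.js": 'const p = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";' +
  ' eval(Buffer.from(p, "base64").toString());' };
```

Running `scanManifest(SAMPLE_PKG, SAMPLE_FILES)` yields one finding per rule for the sample, while an unremarkable manifest named `axios` with no scripts and plain source yields none; a real scanner would add many more behaviours (network calls at install time, environment and credential reads, native binaries) and tune thresholds against a corpus.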
“AI is changing how software gets built at every level,” Aboukhadijeh said. “Teams are moving faster, more code is being generated, and more of what ends up in production now comes from outside the company.”
The company’s customer list, which includes Anthropic, xAI, Replit, Cursor, Figma, Vercel, Gusto, Mercado Libre and Cribl alongside unnamed Fortune 100 firms in finance and media, reads like a who’s who of organisations for whom a supply chain breach would be catastrophic.
Socket strengthened its technical position last year through the acquisition of Danish startup Coana, whose reachability analysis technology tackles one of the perennial frustrations of security tooling: false positives. By identifying whether a vulnerability is actually exploitable within a given codebase, rather than merely present, Socket can help teams focus on what genuinely matters.
The Axios incident illustrated the stakes. When a widely used open-source package was compromised, Socket said it detected the malicious dependency within six minutes — a response that drove more than 2,000 organisations to sign up within 24 hours.
Thrive Capital partner Philip Clark framed the investment in stark terms. “Legacy tools were designed to react to known vulnerabilities and assumed there was sufficient time to prevent a breach. Today, AI models can identify vulnerabilities so well and so quickly that this is no longer an option.”
Socket competes with well-capitalised rivals, including Snyk, Checkmarx, Sonatype and GitHub, all of which have developer security ambitions. But the company is arguing that real-time behavioural analysis represents a generational shift in approach, not merely an incremental improvement, and that the window to establish that position is now, while enterprises are still figuring out how to govern AI-generated code at scale.
The new funding will go towards global expansion, product development and growing enterprise sales.