Boston, MA
Peter McKay
Snyk makes tools for developers to check and fix vulnerabilities in their applications.







[Figure: Growth Rate (y/y)]








Snyk generated $147M in revenue in 2022, up 153% from $58M in 2021, driven by its growing customer base and upsell from expansion.

Snyk finished 2022 with a net retention rate of 130%, a gross retention rate of 90%, and headcount of 1,135 full-time employees for average revenue per employee of $129,515.

Roughly 60% of Snyk's revenue comes from software and tech companies and 10% from fintechs. North America contributes 70% of its revenue, followed by Europe at 17%.



Note: Size of the bubble indicates valuation.

Snyk has raised $1B from Tiger Global, Boldstart Ventures, Sands Capital Ventures, and Qatar Investment Authority. It raised $196.5M in Series G funding in Dec 2022, at a valuation of $7.4B.

Business Model

Developers buy Snyk’s tools for the same reason you buy antivirus software like McAfee - to be alerted about any vulnerabilities in their code that someone can exploit to break the software, steal information, or do some other nasty act.

While most application security companies make tools for security teams and sell them in a top-down sales motion to CIOs/CISOs, Snyk was the first one to make security tools for developers and sell them in a bottom-up PLG motion. Snyk makes it easy for developers to take its tools for a spin by offering a free signup with no credit card required that connects to their GitHub, Docker, or Bitbucket repositories. Developers can scan their repositories to surface vulnerabilities and recommendations on fixing them, getting instant value rather than waiting to talk to a sales rep, as they would with other application security companies.


While Snyk’s seat-based pricing model is expensive for individual developers to pay for on their own cards, the PLG motion makes it easier for Snyk to close contracts with CIOs/CISOs when developers on their teams already know about Snyk. 70% of Snyk's customers have developers on their team who used it before the CIOs wrote a check to them. Among the developer-focused companies, Snyk has one of the largest sales teams and is investing in growing beyond the developer community into the security community through partnerships with security vendors such as Trend Micro, Akamai, and Rapid7.


Snyk makes dev tools for developers to check and fix vulnerabilities, misconfigurations, or license issues in their code. Snyk plugs into the development workflow by integrating with code repositories like GitHub and GitLab and CI/CD pipeline tools like Jenkins, scans the code against a repository of known vulnerabilities, lists them with severity scores, and suggests ways for developers to fix them. Developers use Snyk to scan new code when building an application and to continuously monitor the existing code for any new vulnerabilities by linking it to their code repositories. 

Before Snyk, code was tested at later development stages by security teams with specialized software, causing deadlines to be pushed out to fix the issues found. This created tensions between developers who wanted to ship the application as early as possible and security teams who wanted to ensure the application was secure.

Snyk found an initial product-market fit by providing developers tools to scan third-party, open-source libraries, which are not rigorously tested by anyone, and to add security testing to their workflows rather than waiting for downstream security reviews. It started with Node.js and grew horizontally by covering more languages and platforms.

Snyk’s key products include:

  • Snyk Open Source: Snyk’s first product, which scans for vulnerabilities and license compliance issues in open-source libraries.
  • Snyk Container: Scans container images and Kubernetes environments to identify security flaws.
  • Snyk Infrastructure as Code: Scans platforms like Terraform, AWS, Azure, and Google Cloud for misconfigurations.
  • Snyk Code: Similar to Snyk Open Source but for developers’ proprietary codebases.
  • Snyk Cloud: Detects security flaws in code after deployment to cloud servers.
  • Snyk vulnerability database: A Stack Overflow-like searchable database of vulnerabilities in open-source libraries and ways to fix them.


Snyk faces competition from other cybersecurity companies, which, like Snyk, offer a full suite of application security tools like Synopsys (51.5B), Checkmarx ($1B), and Veracode ($2.5B). Unlike Snyk’s self-serve sales motion, these companies sell to the CIOs/CISOs in a top-down sales motion.

Snyk also competes against companies offering a point solution alternative to one of its products, like FOSSA ($100M) for open source vulnerabilities, Aqua ($1B) for cloud security, and (raised $58M) for container security.

Popular DevOps platforms like GitHub and GitLab have code scanning tools similar to Snyk’s Code and Open Source products, making them a viable alternative. With their existing relationships with millions of developers and developer-friendly tools, these can become key competitors to Snyk in the future.

TAM Expansion

Over 90% of applications today use open-source libraries, of which 80% have security flaws, prompting developers to use security tools. The global developer pool of 26.2M is expected to grow to 43.2M by 2025. Snyk currently has 2.2M developers, or 8% of the market, providing a large untapped market to sell to. In parallel, the decision-making for application security tools is shifting to developers, with 37% of organizations giving them the budget, compared to 27% last year, which works well for Snyk’s developer-led PLG sales motion.

New verticals

Snyk recently launched Snyk Cloud for cloud security, the fastest-growing cybersecurity segment, expected to be worth $77B by 2026. API security is another large segment, expected to cross $10B by 2032 at a CAGR of 28%. By taking verticals that are still top-down and making them developer-first through developer-friendly tooling and documentation, Snyk can meaningfully expand its market.

New geographies

With 70% of Snyk’s revenue coming from North America, it can diversify to other countries. For instance, Asia Pacific and Japan contribute 10% to its revenue, and Snyk is doubling down on its presence there. It recently added more channel partners in Asia Pacific and Japan, growing its network 3x in 2022.

Price increase

Snyk increases its bundle's price by adding new tools to it. For instance, in 2020, when it sold Snyk Open Source and Snyk Container, it priced the Team subscription at $1319 (25 seats) and the Business subscription at $3298 (50 seats). When it added Snyk Code and Snyk IaC to the bundle, it doubled the subscription price, with the Team subscription costing $2675 and the Business subscription $6916. As it adds more verticals like cloud and API security, it can further increase prices to expand revenue.


New sales motion

While Snyk sells through a mix of self-serve and top-down sales motions, in the newer cybersecurity markets like cloud security, sales are traditionally top-down. Hence, its new products may take longer to earn meaningful revenue.

Headwinds against bundles

Snyk’s tools are already considered expensive, and it may find it difficult to sell its full suite of products to enterprises in the current economic environment. With the economic slowdown, companies are scrutinizing their software spending, especially software bundles, to rationalize costs. Nearly one third of enterprises are estimated to have cut their software spending compared to last year.

Peter McKay
Guy Podjarny
Founder and President
Ken Macaskill
Adi Sharabani
Jeff Yoshimura
Manoj Nair
Steve Kinman
Adriana Bokel Herde
Chief People Officer


This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.