Sequoia backs Coana to help companies prioritise vulnerabilities using 'code aware' software analysis

Paul Sawers

Silicon Valley venture capital (VC) juggernaut Sequoia is backing a fledgling Danish startup to build a next-gen software composition analysis (SCA) tool, one that promises to help companies filter through the noise and identify vulnerabilities that are a genuine threat.

For context, most software contains at least some open source components, many of which are out of date and irregularly -- if at all -- maintained. This has exposed organisations to all manner of security flaws, such as Log4Shell, which impacted the open source Java logging framework Log4j and led to breaches at high-profile organisations including a U.S. federal agency that failed to patch the bug. In turn, this is leading to an array of fresh regulation designed to strong-arm businesses into running a tighter software supply chain.

The problem is, with millions of components permeating the software supply chain, it's not always easy to know whether a given application actually exercises a particular component. There are, of course, many software composition analysis (SCA) tools out there, from Snyk to Synopsys, which alert companies about known vulnerabilities in their technology stack -- but this can create a lot of noise, particularly if an application isn't actively using the vulnerable component, making it difficult for security teams to prioritize the vulnerabilities that really matter.

And this is where Danish cybersecurity startup Coana is setting out to make a difference, using "code aware" SCA to help its users separate out irrelevant alerts and focus only on those that matter.

Coana: Example alerts

Founded out of Denmark in 2021, Coana is the handiwork of a computer science professor (Anders Møller) and two PhDs (Martin Torp and Benjamin Barslev Nielsen) who say they hit upon a "technical breakthrough" while part of a research group at Denmark's Aarhus University, discovering a new technique for analyzing and understanding large, JavaScript-based applications. CEO Anders Søndergaard joined the trio as co-founder in 2022, having exited a previous biometrics tech startup called Resilio the previous year.

To help fund their company through its early-access stage to full commercialization, Coana today announced it has raised $1.6 million in a pre-seed round of funding led by Sequoia Capital, with participation from Essence VC and a slew of angels including current and former executives from Google, Red Hat, and GitHub.

Third-party

A typical application can consist of as much as 90% third-party libraries, the majority of which are open source and maintained (or not) by any number of volunteer developers.

So a company building software might build its own application layer that draws on these myriad libraries, creating a long chain of dependencies connected by function calls. Traditionally, an SCA tool would look at the version number of a particular dependency, map it against a database of known vulnerabilities and report back to the developers if it finds a match. However, in many cases an application might only use one or two functions from a library of maybe 50 -- so if a vulnerability exists in a part of the library that the app never calls, it shouldn't really impact that application.

Companies can use Coana to build what it calls a "call graph" of the entire application, spanning application code and dependencies, to understand which call paths can actually be taken, and then use that to eliminate false positives.

"The amount of packages being used and the lines of code can be extremely high volume, so it requires some really sophisticated static analysis," Søndergaard told TechCrunch. "The call graph enables us to do a huge analysis on all the possible paths between different dependencies. So, imagine an application consisting of hundreds or thousands of dependencies, we can identify all the paths between those dependencies to understand which ones are truly vulnerable -- and which ones are not."
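The triage described above, reduced to its core, as an added illustration (this is example code, not Coana's product or any real analysis engine): a plain SCA check flags every installed package that has an advisory, while a code-aware check walks a call graph from the application's entry points and only flags advisories whose vulnerable function is actually on a reachable path. Every package, function, version and advisory ID below is constructed for the example and is not a real advisory.

```javascript
// Added illustration, not Coana's code: reachability-based triage of SCA
// findings over a static call graph. Every package, function and advisory
// below is constructed for the example; none is a real advisory.

// Installed packages, as a plain SCA tool would read them from a lockfile.
const installed = {
  'app': '1.0.0',
  'lib-parse': '2.3.1',    // hypothetical package
  'lib-template': '0.9.0', // hypothetical package
  'lib-http': '4.1.0',     // hypothetical package
};

// Call graph: node "package:function" -> functions it calls (static edges).
const callGraph = {
  'app:main': ['app:handleRequest'],
  'app:handleRequest': ['lib-http:parseQuery', 'lib-parse:parseSafe'],
  'lib-http:parseQuery': ['lib-parse:parseSafe'],
  'lib-parse:parseSafe': [],
  'lib-parse:parseUnsafe': ['lib-parse:evalHelper'], // exported, never called by app
  'lib-parse:evalHelper': [],
  'lib-template:render': ['lib-template:compile'],  // app never calls render
  'lib-template:compile': [],
};

// Advisories keyed to the function that contains the flaw, which is the
// extra datum a code-aware tool needs beyond "package X below version Y".
const advisories = [
  { id: 'EXAMPLE-1', pkg: 'lib-parse', fn: 'evalHelper' },
  { id: 'EXAMPLE-2', pkg: 'lib-template', fn: 'compile' },
  { id: 'EXAMPLE-3', pkg: 'lib-http', fn: 'parseQuery' },
  { id: 'EXAMPLE-4', pkg: 'lib-yaml', fn: 'load' }, // not installed at all
];

// Breadth-first search from the entry points; returns the shortest call path
// to `target`, or null when no path exists.
function findPath(graph, entryPoints, target) {
  const parent = new Map();
  const queue = [];
  for (const entry of entryPoints) {
    parent.set(entry, null);
    queue.push(entry);
  }
  while (queue.length > 0) {
    const node = queue.shift();
    if (node === target) {
      const path = [];
      for (let n = node; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const callee of graph[node] || []) {
      if (!parent.has(callee)) {
        parent.set(callee, node);
        queue.push(callee);
      }
    }
  }
  return null;
}

// Classify each advisory: not installed, installed but unreachable, or
// installed and on a call path from an entry point (with the path shown).
function triage(graph, entryPoints, installedPkgs, advisoryList) {
  return advisoryList.map((adv) => {
    const versionMatch = Object.prototype.hasOwnProperty.call(installedPkgs, adv.pkg);
    const path = versionMatch ? findPath(graph, entryPoints, `${adv.pkg}:${adv.fn}`) : null;
    return { id: adv.id, versionMatch, reachable: path !== null, path };
  });
}

// Plain SCA raises every versionMatch; code-aware SCA raises only reachable ones.
function summarize(results) {
  return {
    flaggedByVersion: results.filter((r) => r.versionMatch).length,
    flaggedByReachability: results.filter((r) => r.reachable).length,
  };
}

const report = triage(callGraph, ['app:main'], installed, advisories);
console.log(JSON.stringify({ summary: summarize(report), findings: report }, null, 2));
```

On this constructed graph the version check raises three findings and the reachability check raises one, with the offending call chain (`app:main -> app:handleRequest -> lib-http:parseQuery`) attached for the developer. Two caveats a practitioner should keep in mind: a static JavaScript call graph is only as sound as its handling of dynamic property access, `eval`, reflection and callbacks registered at runtime, so "unreachable" is a reason to lower a finding's priority rather than close it; and the graph must cover transitive dependencies, since the vulnerable function is usually reached through another library rather than called by application code directly.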

It is still very early days, of course, with Coana introducing the first iteration of its product in October for its first paying customers -- a mix of Series B and Series C-stage startups and scaleups. However, the company is working to expand its support beyond JavaScript and into Java and Python this year, which will help it target a broader customer base.

"As our product matures, and our company matures, we're moving up market, eventually targeting large enterprises, but that will take a while before we have the sophistication on the language support to get to that level," Søndergaard said.

Companies looking to check out Coana today can apply for early access now.
