Following last week’s close of an $80 million funding round, Sonatype is looking to cement itself as a Maryland-based company that’s known around the world, said Bill Karpovich, the company’s SVP of strategy and corporate development.
It was already on its way before the funding round, and was among the companies we picked when considering the Columbia area’s top tech companies as part of Technical.ly’s realLIST 2018. The 10-year-old company has grown to about 220 employees, with about one-third each at HQ, in international offices and distributed around the U.S.
“We will continue to expand in each of those areas,” said Karpovich, who joined Sonatype last year from IBM.
Sonatype provides tools for software developers using open source code to build applications. It maintains a repository of open source libraries and uses data tools to automate processes to reliably use the building blocks within those libraries, Karpovich said. A big focus is on detecting potential security vulnerabilities within that code, and providing info about how to avoid them.
Karpovich said Sonatype initially worked with big banks and credit card issuers, as well as government clients. Now the company is expanding into other areas. While exact figures weren’t released, the company said it grew sales 80 percent year-over-year in the first half of 2018.
“Every company is running their company on software and every company is driven to be innovative,” Karpovich said. He used the example of car companies, which are increasingly focused on connectivity and the technology inside of the car along with mechanical parts. In turn, pieces of code obtained through open source libraries make up the supply chain for this form of assembly.
With software available for anyone to use, “you have to make sure that you know where it’s coming from,” Karpovich said.
Among the factors driving the company’s growth is a better understanding in the market of the potential for the vulnerabilities to lead to severe attacks, Karpovich said. As Wired reported, last year’s Equifax breach happened because a known issue with an open source software package wasn’t fixed.
“Equifax did not recognize that they had been exploited for about 100 days after there was a public disclosure that a library they were using had a vulnerability,” Karpovich said.
With the size of its funding round, led by San Francisco–based private equity firm TPG (which took a minority stake), Sonatype made the latest splash from a cybersecurity company in the Columbia area.
Tenable went public in July after raising a record-setting funding round. And Sourcefire, where Sonatype CEO Wayne Jackson was previously in the top job, was acquired by Cisco in 2014 after going public.
“We think we’re following in that same tradition,” Karpovich said. “The Maryland area is a phenomenal place to build a tech company.”
So is an IPO or exit in the future plans?
“With continued success, we will have all those opportunities available to us,” Karpovich said.