Cloudsmith Nabs $72M to Secure AI's Exploding Software Supply Chain

BELFAST, Northern Ireland – April 23, 2026 – Cloudsmith, a software supply chain management platform, has secured a $72 million Series C funding round to tackle what its backers call a new, critical front in cybersecurity: the vulnerabilities created by artificial intelligence. The round, led by TCV with significant participation from Insight Partners, comes just one year after the company's Series B, signaling intense investor confidence and the growing urgency for enterprises to control AI-generated code.

The investment positions the Belfast-based company to expand its platform, which is designed to act as a control tower for the torrent of software components, or "artifacts," being produced by AI coding agents. As businesses race to integrate AI into their development pipelines to accelerate innovation, they are simultaneously creating an unprecedented and largely unmonitored security risk.

"Cloudsmith is the only platform built for the way software is being developed today — by AI agents," said Glenn Weinstein, CEO of Cloudsmith, in a statement. "AI agents generate so much software, so fast, it's nearly impossible for humans to carefully review it all. Cloudsmith has the scale, and the broad view across the open-source ecosystem, to protect enterprises against the new kinds of threats that AI-driven development introduces."

The New Battlefront: Securing AI-Generated Code

The rapid adoption of AI coding assistants and autonomous agents represents a fundamental shift in software development, but it comes with a hidden cost. The "expanding threat surface" mentioned by Cloudsmith is not theoretical; it's a documented reality that cybersecurity experts are racing to address. Studies have shown that AI-generated code can contain security flaws in a significant portion of its output, often because the models are trained on vast public code repositories that are themselves rife with insecure patterns.

These vulnerabilities are diverse and insidious. The OWASP Top 10 for Large Language Model Applications, a key industry guide, highlights critical risks such as Prompt Injection, where attackers can trick an AI into executing unintended commands or leaking data. Another major risk is Insecure Output Handling, where applications blindly trust AI-generated code without proper validation, potentially opening the door to exploits like code execution on a server.

Furthermore, AI models can inadvertently introduce flaws by omitting necessary security controls, using outdated or vulnerable software libraries, or even leaking sensitive information like API keys that were present in their training data. The problem is compounded by the sheer velocity and volume of code production. A human developer might write hundreds of lines of code a day; an AI agent can generate thousands, making manual oversight and traditional security scans inadequate. This is the high-stakes environment where Cloudsmith aims to provide the necessary guardrails.

A Platform for the AI-Native Factory

At its core, Cloudsmith offers a universal artifact management platform. In a software development pipeline, every piece of code—from open-source libraries and internal packages to container images and AI models—is an artifact. Managing this sprawling inventory is a complex challenge. Cloudsmith provides a single, cloud-native source of truth, allowing organizations to store, scan, and distribute these artifacts securely.

The company positions itself as a modern alternative to incumbent players like JFrog and Sonatype, arguing that these legacy systems were designed for a slower, human-driven development era. Cloudsmith's fully managed, cloud-native architecture is built to handle the scale and speed of AI-driven development without requiring customers to manage the underlying infrastructure.

User feedback often highlights the platform's ease of use and robust support for over 30 package formats, which simplifies the consolidation of disparate repositories. However, the platform is not without its critics. Some users find its web interface less intuitive than its powerful command-line interface (CLI). More pointedly, as the company sharpens its focus on AI, some customers have noted gaps. One recent review on the peer review site G2 stated that "Support for security scanning of AI models is not yet publicly available," a feature that seems central to the company's new mission. This suggests that while the vision is clear, parts of the product roadmap are still under active development, which the new funding aims to accelerate.

Investor Confidence in a High-Stakes Market

The decision by TCV and Insight Partners to not only participate but, in TCV's case, to lead a second major round in as many years, is a powerful market signal. It reflects a conviction that securing the software supply chain is no longer a niche DevOps concern but a foundational pillar for the entire AI economy.

"Having led Cloudsmith’s Series B and now its Series C, TCV is proud to deepen our partnership with a company we see as defining artifact management for the AI era," commented Morgan Gerlak, a Partner at TCV. "As AI shapes the software supply chain, we believe Cloudsmith is uniquely positioned to become a platform enterprises rely on for compliance, control, and security at global scale."

This sentiment is echoed by Insight Partners, a global software investor with a deep focus on AI and cybersecurity. The firm sees a critical need for solutions that can manage the chaos introduced by autonomous agents and AI-driven development.

"In an era increasingly defined by AI-driven development, securing the software supply chain is critical," said Thomas Krane, Managing Director at Insight Partners. "As a cloud-native offering, Cloudsmith is well positioned to do this – providing the scale and reliability needed to help power enterprise and AI-driven builds and mitigate emerging risks."

The investment underscores a broader trend: as AI becomes embedded in business operations, the infrastructure to support and secure it is attracting significant capital. For enterprises, the message is clear. The race to innovate with AI cannot come at the expense of security and governance. Platforms that provide visibility and control over the software supply chain are transitioning from helpful tools to non-negotiable components of enterprise risk management, a reality that this $72 million investment firmly validates.