Socket, the software supply-chain security startup, just raised a $60 million Series C led by Thrive Capital — with Andreessen Horowitz, Abstract Ventures, and Capital One Ventures along for the ride — at a $1 billion valuation. Total raised to date: $125 million.
The number worth staring at isn't the valuation. It's the one in Socket's own pitch: AI now writes more than 90% of the code at top engineering organizations — and almost nobody is reading the dependencies that come with it.
What Socket actually does
Socket inspects the open-source packages your code pulls in and flags malicious behavior before it lands in your codebase, using AI-assisted analysis with humans in the loop. Its newer product, Socket Firewall, blocks compromised packages at install time, before they ever reach a laptop or a CI pipeline, and it's free.
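As an added illustration of what "blocking at install time" means in practice (this is example code written for this piece, not Socket's code, and it says nothing about how Socket's own analysis works), here is a minimal pre-install gate: it diffs a candidate package-lock.json against the last one a human reviewed and refuses the install on anything a reviewer would want to see first. The registry prefix, the "name@version" allowlist, the package names, the example.invalid git URL and the integrity hashes are all constructed assumptions for the example; hasInstallScript is the field npm writes into lockfileVersion 2 and 3 entries for packages with preinstall/install/postinstall scripts. The reviewed allowlist exists so that a legitimate new dependency stops blocking builds once someone has looked at it, the false-positive tax discussed further down.

```python
"""Illustrative install-time dependency gate (added example; not Socket's code).

Diffs a candidate package-lock.json (lockfileVersion 2 or 3) against the last
reviewed one and reports anything a human should look at before `npm ci` runs:
tarballs resolved outside the expected registry, entries without an integrity
hash, dependencies new or changed since the last review, and packages that run
install-time lifecycle scripts. An empty report means the install may proceed.
"""
import json
import sys

# Assumption for this example: only the public npm registry is an acceptable source.
REGISTRY_PREFIX = "https://registry.npmjs.org/"


def lock_packages(lock):
    """Map lockfile path ("node_modules/x/node_modules/y") -> entry, skipping the root project."""
    return {path: entry for path, entry in lock.get("packages", {}).items() if path}


def gate(old_lock, new_lock, reviewed=frozenset()):
    """Return a list of (name@version, reason) findings.

    `reviewed` holds "name@version" strings a human has already signed off on;
    those skip the new/changed/install-script checks so a known-good change does
    not block every later build. Off-registry and unpinned tarballs are reported
    regardless: approving a name@version says nothing about what another URL serves.
    """
    old = lock_packages(old_lock)
    new = lock_packages(new_lock)
    findings = []
    for path, entry in sorted(new.items()):
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        tag = f"{name}@{version}"
        resolved = entry.get("resolved", "")
        if not resolved.startswith(REGISTRY_PREFIX):
            findings.append((tag, f"resolved outside the registry: {resolved or '<missing>'}"))
        if not entry.get("integrity"):
            findings.append((tag, "no integrity hash, so the tarball is not pinned"))
        if tag in reviewed:
            continue
        if path not in old:
            findings.append((tag, "new dependency, not yet reviewed"))
        elif old[path].get("version") != version:
            findings.append((tag, f"version changed from {old[path].get('version')}"))
        # npm sets hasInstallScript for packages with preinstall/install/postinstall
        # scripts, the hook that lets a package run code the moment it is installed.
        if entry.get("hasInstallScript"):
            findings.append((tag, "runs a preinstall/install/postinstall script"))
    return findings


# Constructed sample lockfiles; package names, URLs and hashes are made up for the example.
OLD_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"tiny-pad": "^1.3.0"}},
        "node_modules/tiny-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/tiny-pad/-/tiny-pad-1.3.0.tgz",
            "integrity": "sha512-c0nstructedHashA==",
        },
    },
}

NEW_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"tiny-pad": "^1.3.1", "ansi-glow": "^5.3.0", "build-helper": "acme/build-helper"}},
        "node_modules/tiny-pad": {  # version bump since the last review
            "version": "1.3.1",
            "resolved": "https://registry.npmjs.org/tiny-pad/-/tiny-pad-1.3.1.tgz",
            "integrity": "sha512-c0nstructedHashB==",
        },
        "node_modules/ansi-glow": {  # brand-new, from the registry, pinned
            "version": "5.3.0",
            "resolved": "https://registry.npmjs.org/ansi-glow/-/ansi-glow-5.3.0.tgz",
            "integrity": "sha512-c0nstructedHashC==",
        },
        "node_modules/build-helper": {  # git dependency with an install hook: every check fires
            "version": "2.0.0",
            "resolved": "git+ssh://git@example.invalid/acme/build-helper.git#0123abcd",
            "hasInstallScript": True,
        },
    },
}


def run_demo(reviewed=frozenset()):
    """Run the gate over the constructed lockfiles; used by the CLI below."""
    return gate(OLD_LOCK, NEW_LOCK, reviewed)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: gate.py reviewed-package-lock.json candidate-package-lock.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            report = gate(json.load(a), json.load(b))
    else:
        report = run_demo(reviewed=frozenset({"ansi-glow@5.3.0"}))
    for tag, reason in report:
        print(f"BLOCK {tag}: {reason}")
    sys.exit(1 if report else 0)
```

Run without arguments it reports five findings on the constructed data (the reviewed ansi-glow passes; the version bump and the git-sourced package with an install hook do not) and exits non-zero, which is the whole mechanism: a CI step that fails before `npm ci` ever executes a lifecycle script.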
The traction is real, not vanity: 27,000+ organizations (up from 7,500 at the Series B eighteen months ago), 1.5 million repositories protected, 11.6 million commits secured a month, 10,000+ attacks blocked a week. When the axios npm package was compromised, Socket says it flagged the compromised version within six minutes and onboarded 2,000+ new organizations within a day.
Look at the customer list and the thesis tells itself: Anthropic, xAI, Replit, Cursor, Figma, Vercel. The companies buying supply-chain defense are the same ones building the AI that's flooding the supply chain.
Why the money is moving here
This is the picks-and-shovels trade of the AI coding boom.
Every model that makes a developer ten times faster also makes them pull in ten times more third-party code they didn't write and won't review. Generation got cheap; review didn't. As Socket puts it, the volume of third-party code entering production keeps going up, the time anyone spends reading it keeps going down, and last-generation security tools can't keep up. Anthropic's Nick Marwell, quoted in the announcement, makes the sharper version of the point: as agents get more autonomous, they're making software decisions at speeds that require a new paradigm for review.
That's the imbalance Thrive is pricing. When one side of a system gets radically cheaper, value pools on the side that didn't. AI made writing code nearly free. It made trusting code much harder. Socket is selling trust.
My read
The thesis is right. The open question is whether supply-chain security is a durable, standalone billion-dollar category — or a feature the platforms eventually swallow.
npm and GitHub (read: Microsoft) sit on the registry and the CI runner. If install-time blocking and package provenance become table stakes, the natural home for them is the registry itself, not a third party bolted on. Socket's counter is speed and neutrality: it ships faster than a platform committee can, and it sells to everyone, including GitHub's rivals. That's a defensible position right up until the platform decides the feature is strategic.
And "AI to catch AI" carries its own tax. A false positive that blocks a build is its own kind of outage, and the "human verification in the loop" line is the quiet admission that the automation isn't all the way there yet. Trust tooling that cries wolf gets turned off.
None of that breaks the trade. It just means the moat is execution, not category.
The funding isn't a bet on a scanner. It's a bet that AI-generated code is now the dominant input to software, and that someone has to stand at the door checking what it dragged in. That door is going to be valuable. The fight is over who gets to own it.
Reporting from Socket's Series C announcement, SecurityWeek, and Tech Startups.