23-04-2025
Socket Acquires Coana To Build Out Its SCA Capabilities
Socket CEO and founder Feross Aboukhadijeh
Open-source software is changing the world, enabling developers to incorporate code already written by others into their own applications. But while this is a far more efficient and productive way to build new software, it also comes with risk – when developers pick up open-source code for their own use, they also pick up any vulnerabilities it may incorporate, potentially leaving their applications vulnerable to breaches and attacks.
Socket, which is today announcing the acquisition of the Danish cybersecurity start-up Coana, holds itself up as the solution to this problem. It's an expert in software composition analysis (SCA), the process of analysing the code underlying applications to find potential problems. Socket's tools enable software developers to scan all the code in an application, including open-source code, to identify security vulnerabilities so that these can be mitigated before any damage is done.
Forbes first profiled Socket last October, revealing that the company had raised $40 million of Series B funding from investors including Abstract Ventures and a16z. Today's announcement marks the next phase in the company's development, with Feross Aboukhadijeh, CEO and founder of Socket, arguing that the deal with Coana – for an undisclosed sum – will help it solve a pressing problem.
'Our tools are great at identifying the vulnerabilities that open-source code incorporates, but cybersecurity teams are struggling to get through the work this creates,' he explains. 'One of the biggest issues in cybersecurity today is alert fatigue – security professionals just can't cope with the number of issues they're now being alerted to.'
The downside to good SCA solutions such as Socket, Aboukhadijeh explains, is that they can present cybersecurity teams with a huge list of vulnerabilities to mitigate. It's not always obvious which problems are most serious and, therefore, where teams should prioritise mitigation work. Really dangerous vulnerabilities may be left in place while much less pressing issues are dealt with. Overworked teams may even end up ignoring some alerts altogether.
Coana's 'reachability engine' is therefore a potentially valuable adjunct to Socket's SCA platform. It analyses vulnerabilities that have been picked up in order to identify the most concerning and to create a to-do list for the cybersecurity function. Less worrying issues and false positives – problems that are already mitigated elsewhere in the software – can then be left for a later date or even ignored altogether.
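To make the idea of reachability-based triage concrete, here is a small added example in Python. It is not Socket's or Coana's code and does not reflect how their engine is built; it assumes a hand-constructed call graph (nodes named "package:function", all hypothetical), a constructed list of SCA findings with placeholder advisory ids, and a single application entry point. A finding is treated as reachable when some call chain from application code leads to the vulnerable dependency function; reachable findings are ranked by severity, and unreachable ones are deferred.

```python
"""
Toy reachability analysis for SCA alert triage.

Added illustration, not Socket's or Coana's code. The call graph,
package and function names, and advisory ids below are all constructed
for this example. A finding is "reachable" when an application entry
point can call the vulnerable function through the call graph.
"""
from collections import deque

# Constructed call graph: caller -> callees. All names are hypothetical.
CALL_GRAPH = {
    "app:main": ["app:handle_request", "app:render"],
    "app:handle_request": ["parserlib:parse_body"],
    "app:render": ["templating:render"],
    "parserlib:parse_body": ["parserlib:_decode"],
    "parserlib:_decode": [],
    "templating:render": [],
    # Shipped in the dependency tree but never called from application code:
    "imagelib:resize": ["imagelib:_read_header"],
    "imagelib:_read_header": [],
    "parserlib:parse_xml": ["parserlib:_expand_entities"],
    "parserlib:_expand_entities": [],
}

# Constructed SCA findings. Advisory ids are placeholders, not real identifiers.
FINDINGS = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "parserlib",
     "function": "parserlib:_decode", "severity": "medium"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "imagelib",
     "function": "imagelib:_read_header", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "parserlib",
     "function": "parserlib:_expand_entities", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-4", "package": "templating",
     "function": "templating:render", "severity": "low"},
]

ENTRY_POINTS = ["app:main"]

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk of the call graph from the application's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(call_graph, entry_points, target):
    """Shortest call chain from an entry point to target, or None if unreachable.

    The chain is the evidence a reviewer wants attached to a reachable finding.
    """
    parent = {e: None for e in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        for callee in call_graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def triage(findings, call_graph, entry_points):
    """Split findings into actionable (reachable, sorted by severity) and deferred."""
    reach = reachable_functions(call_graph, entry_points)
    actionable, deferred = [], []
    for f in findings:
        if f["function"] in reach:
            actionable.append({**f, "path": call_path(call_graph, entry_points, f["function"])})
        else:
            deferred.append(f)
    actionable.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return actionable, deferred


if __name__ == "__main__":
    act, defer = triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    for f in act:
        print("FIX NOW", f["id"], f["severity"], " -> ".join(f["path"]))
    for f in defer:
        print("DEFER  ", f["id"], f["severity"], "(no call path from application code)")
```

Run as a script, it lists the two reachable findings first (the medium one ahead of the low one, each with its call chain) and defers the critical and high findings whose vulnerable functions no application code ever calls. That inversion, a reachable medium ranking above an unreachable critical, is exactly the prioritisation the article describes; a real engine derives the call graph from source rather than from a hand-written table, and must also handle dynamic dispatch and reflection that this toy graph ignores.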
'We founded Coana to give developers a tool that finds 100 critical issues not 10,000 trivial ones,' explains Martin Torp, chief product officer at Coana. 'Together we'll deliver reachability analysis at a scale and impact that we could only dream of as a standalone product.'
It's certainly a growing market. Since its launch three years ago, Socket has built a client list spanning more than 8,500 customers. High-profile clients include Anthropic, Figma, OpenAI and Vercel, but the company also works with many small enterprises and start-up businesses. Aboukhadijeh says the company's revenues are on target to increase by 300% this year; its analysis suggests it is preventing more than 1,000 cyber attacks each week.
Last October's fundraising was an important step forward, enabling the business to consider strategic moves such as the Coana deal. Zane Lackey, general partner at a16z, argues that the acquisition will give Socket a huge competitive advantage. 'Socket's approach to open source security is simply better – it's proactive, precise, and built for how modern teams work,' he says. 'The combination of Socket and Coana is the nail in the coffin for legacy SCA.'