Sonatype lands $80M in funding. We ask the CEO: Could an IPO be next?

Our Maple Lawn client Sonatype was featured in a recent Baltimore Business Journal story:

Baltimore Business Journal  |  Robert J. Terry


Sonatype has raised a whopping $80 million — more than doubling its total venture capital haul to date — as the Maryland software company eyes an initial public offering in the next couple of years.

The funding is a minority investment led by TPG, a San Francisco private equity firm with $84 billion under management, with additional participation by existing investors Accel, Goldman Sachs Group and Hummer Winblad. The money will be used to accelerate sales, marketing, and research and development investments, the company said.

Fulton-based Sonatype’s products help companies source, manage, automate and secure the open-source components they use to build software systems. The company is led by CEO Wayne Jackson, a well-known Greater Washington tech executive who has sold one startup — Riverbed Technologies, for $1 billion — and took another, Sourcefire Inc., public. Sourcefire was later acquired by Cisco in a $2.7 billion deal.

As this funding round attests, Sonatype is well positioned at a time when IT departments are under immense pressure to quickly develop innovative software systems. Open-source ecosystems help developers do just that — but they need to be careful not to inadvertently expose their organization’s platforms to cyber scofflaws and the increasingly sophisticated approaches to digital thievery seen today.

A good example of that is last year’s Equifax breach, in which 145.5 million U.S. adults had their Social Security numbers stolen. The root cause was a known vulnerability in the Apache Struts web-application framework the credit reporting giant had downloaded and deployed. A patch had been available for two months prior to the breach, but Equifax had not installed the update.

Some 10,000 organizations have downloaded known vulnerable versions of Struts since March 2017, the date of the Equifax breach. More than half of the Fortune 100 are on this list.

“The use of open source is just massive and it’s great for innovation,” Jackson said in an interview. “The problem is that it’s used in such numbers and produced in such numbers that human beings could never curate what’s being consumed. So if you don’t mind risking using a piece of open source that’s susceptible to a security attack then fine, it doesn’t matter if you curate or not. But if you do care about that then you need some mechanism for assuring the hygiene of the things that are brought into an organization.”

Sonatype hosts a cloud warehouse of sorts called Maven Central where software authors push their code and developers retrieve it for projects. The company had 87 billion download requests in 2017, up from 52 billion the year before.

Sonatype had sales of about $50 million last year and has been growing at an annual 50 percent clip, Jackson said. Most tech companies going public these days have recurring revenue of $100 million, he added, so a possible IPO could take place next year or more likely in 2020. Sonatype has raised about $60 million in funding across three rounds.

The company is not yet profitable “but intentionally so” as it scales up, Jackson said. That will include accelerating hiring: Sonatype employs about 230 people today but Jackson expects payroll to exceed 300 by the end of 2019. The company is scheduled to become cash-flow positive next year but might push that out a bit further.

The company makes money by selling subscriptions to its products and has had success selling to large enterprises: 50 customers currently subscribe at $300,000 or more per year, he said. About 10 percent of its sales are to the federal government and 40 percent of its revenue comes from international customers.

Sonatype’s competitors include legacy software security companies as well as Mountain View, California-based Synopsys Inc. (NASDAQ: SNPS), a direct competitor that last November acquired Massachusetts-based security startup Black Duck Software Inc. for about $565 million.

“We got either lucky or good but guessed right about how the market was going to evolve. Then all of a sudden Equifax happens that proves that it can be a risk to even the C-level executive,” Jackson added. “Part of the rationale for the raise is, hey, the market’s here. Finally. Let’s scale into it.”