Mondoo, an under-the-radar infrastructure security platform aimed at developer operations (DevOps) teams, has raised $12 million in a series A round of funding led by European VC Atomico and revealed a previously undisclosed $3 million seed round of funding that closed back in April.

The company, which has offices in San Francisco and Berlin, launched its platform out of stealth just three weeks ago. It constitutes part of a growing trend in the cybersecurity sphere, which has seen security teams increasingly share responsibilities for safeguarding company infrastructure with developers.

“Our goal is to bring DevOps and security teams closer together and help them secure their environments,” Mondoo CEO and cofounder Soo Choi-Andrews told VentureBeat.

Mondoo was founded in 2020 by former Googlers Choi-Andrews and Dominik Richter, along with Christoph Hartmann, who had worked alongside his fellow cofounders several years before at DevOps software company Chef Software.

Bottom up

The “bottom-up” cybersecurity approach is perhaps best exemplified by Snyk, which targets its open source security scanning smarts at developers rather than security teams — this helps catch issues in real time as the developer codes, rather than later, after they’re pushing into the live codebase. For context, Snyk raised $375 million in fresh capital just last month and is now valued at $8.6 billion.

Mondoo, for its part, is a cloud-native security platform that gives infrastructure developers automated risk assessment and insights into all their business-critical infrastructure, including public and private cloud environments like AWS, Azure, Google Cloud, and VMWare; Kubernetes clusters such as Amazon EKS and Google Kubernetes Engine; servers and endpoints running Windows, Linux, and MacOS; and software supply chain services like GitHub, Jenkins, and GitLab.

This highlights a major selling point for Mondoo. Although it touts itself as a “cloud-native” security and vulnerability risk management platform, it is in fact suited to businesses that run a hybrid infrastructure, giving DevOps engineers the tools to automate security assessments and discover hidden risks everywhere.

For example, users can connect Mondoo while running on an AWS environment to test their company’s cloud security posture and the workloads that run on it and instantly find vulnerabilities across their operating systems and virtual machines — while pushing higher-priority issues to the top of the list to investigate. Mondoo can also identify compliance and policy violations, while users can extract key data about their infrastructure and write custom policies.

In terms of the competitive landscape, Mondoo encroaches on a space that counts well-established names such as Rapid7, Qualys, and Tenable’s Nessus, though it also jibes with newer upstarts such as Orca, Wiz, and Lacework — each of which has raised sizable sums of cash this year.

But Mondoo said it’s carving out a niche by not only aiming its platform at developers, but also targeting a broad gamut of use cases instead of a single element, such as cloud security posture management.

“Mondoo focuses on the DevOps audience and helps them to identify and act on issues in their fleet and raise the security baseline across all technologies,” Choi-Andrews said. “Unlike competitors, we support vulnerability, compliance, security, and best practices across on-prem, servers, cloud, VMs, containers, Kubernetes, SaaS services, and APIs.”

For now, Mondoo is offered under a software-as-a-service (SaaS) subscription, which includes a basic free plan with limited cloud accounts and assets, though the company noted that it intends to offer a self-hosted option in the near future.

Aside from Atomico, Mondoo has ushered in a slew of other institutional and angel investors across its recent seed and series A rounds, including Firstminute Capital, System.One, MongoDB chair Tom Killalea, Intuit CTO Marianna Tessel, Google product VP Bradley Horowitz, and Puppet cofounder Andrew Clay Shafer.