Breaking
$28M raised to date — Series A led by Maverick Ventures & Ten Eleven 300% year-over-year revenue growth in 2025 more Fortune 500 customers in a single year New: AI Agent Governance for Copilot, Cursor & autonomous agents Founders from CloudKnox & Symantec 75% of SDLC risk is invisible to existing tools $28M raised to date — Series A led by Maverick Ventures & Ten Eleven 300% year-over-year revenue growth in 2025 more Fortune 500 customers in a single year New: AI Agent Governance for Copilot, Cursor & autonomous agents Founders from CloudKnox & Symantec 75% of SDLC risk is invisible to existing tools
BlueFlag Security logo
Company Dossier · Cybersecurity · Sunnyvale, CA

BlueFlag
Security

The company that decided the smartest place to defend your software isn't the code - it's the identities, and now the AI agents, standing behind it.

A blue flag, in racing, means a faster car is coming through. In security, everyone else watches for red. These founders named their company after the color that says: pay attention, something is moving.

2024Founded
$28MRaised
~36Employees
300%YoY Growth

Here is a fact about software security that took the industry an embarrassingly long time to admit out loud: most breaches do not begin with a genius exploit. They begin with a key. Somebody - or, increasingly, something - had a credential it should not have had, or used a credential in a way nobody was watching, and by the time anyone noticed, the incident was already an incident. The 2025 Verizon breach report pegs the share of breaches involving compromised credentials at 68%. That is not a rounding error. That is the plot.

BlueFlag Security, founded in 2024 and based in Sunnyvale, is a company built almost entirely around taking that fact seriously. Its pitch, delivered by co-founder and CEO Raj Mallempati, is refreshingly blunt: "Attackers are not going after code - they are going after the identities and tools behind it." This is the kind of sentence that sounds obvious right up until you notice that an enormous amount of the security industry is organized around the opposite assumption. We scan code. We hunt for vulnerabilities in code. We ship reports about code. And meanwhile the actual soft spot - who has access to what, and whether they are behaving strangely with it - goes comparatively unwatched.

"Attackers are not going after code - they are going after the identities and tools behind it."

BlueFlag calls its approach "identity-centric SDLC security," where SDLC is the software development lifecycle - the whole assembly line from a developer's laptop through the CI/CD pipeline out to production. The company's framing is that this lifecycle is not just a place where code gets made. It is a security control surface. Every developer, every service account, every bot, and now every AI coding agent is an identity that can be governed, watched, and, when it starts doing something it shouldn't, stopped.

The founders are not tourists here. Mallempati previously helped build CloudKnox Security, the cloud-permissions company Microsoft acquired in 2021 and folded into what is now Entra Permissions Management; he later ran the CIEM business inside Microsoft, with earlier stops at MobileIron and VMware. His co-founder and CTO, Ken Schneider, was CTO of Symantec Enterprise and, before that, CTO of the anti-spam pioneer Brightmail. The rest of the early team pulls from the same well - CloudKnox alumni, plus veterans of Orca and Laminar Security. If you were assembling a company specifically to argue that identity is the center of gravity in security, this is roughly the roster you would draft.

The thesisWatch the who, not just the what

The mechanics are where the story gets interesting. BlueFlag's platform ingests activity from across a customer's development stack - it advertises 21-plus integrations, GitHub and GitLab and Jenkins and Okta and Slack and Splunk among them - and builds what it calls an Activity Intelligence Graph. The graph correlates three things that are usually kept in separate boxes: identity (who or what is acting), behavior (what they are doing, and whether it is normal for them), and code context (what part of the system they are touching).

Out of that correlation comes the company's most quietly clever idea, which it calls "toxic interactions." The concept is that a lot of real-world risk is not one obviously bad action. It is a chain of individually reasonable-looking actions that only become dangerous in combination. A developer clones a repository - fine. A developer clones a lot of repositories - okay, maybe they're doing spring cleaning. A developer clones a lot of repositories at three in the morning, from an unusual location, shortly after a privilege escalation - now you have a sentence that ends badly. BlueFlag's Developer Behavioral Risk Analysis, launched in March 2026, is designed to catch exactly that kind of pattern, the story that only appears when you read the individual events together.

Most risk isn't one obvious bad move. It's a chain of small, reasonable-looking ones.

The company's other big theme is the one everybody in software is currently nervous about: the AI agents are writing the code now. Copilot suggests, Cursor completes, and a growing class of autonomous agents will happily write, test, and deploy software with minimal human oversight. This is wonderful for velocity and slightly terrifying for governance, because an AI agent is, from a security standpoint, a new kind of identity - one that acts fast, acts constantly, and belongs to no single accountable human unless somebody makes it so.

BlueFlag's answer, its AI Agent Governance product, does three things worth naming. It discovers the AI assistants and agents operating in your pipeline, including the "shadow AI" nobody officially approved. It traces AI-generated code back to a responsible human owner, which is the sort of accountability that becomes very important the first time an agent ships something regrettable. And it can require human approval before a high-risk action reaches production - a brake pedal for the robots. The company describes AI agents as "the fastest-growing and least-governed identity in the SDLC," which is both a marketing line and, unfortunately, probably true.

The businessMoney, growth, and a claimed blind spot

In March 2026 BlueFlag announced it had raised $28 million to date, including a $16.5 million Series A led by Maverick Ventures and Ten Eleven Ventures, with Pier 88 also in the mix. Ten Eleven, a firm that specializes in cybersecurity and likes to invest at moments of technological paradigm shift, wrote up its reasoning plainly: DevOps, cloud-native architecture, and open-source adoption have turned the software supply chain into a sprawling attack surface, and regulators in the US and EU are increasingly putting the responsibility for secure software on the people who produce it. The names they cite as cautionary tales - SolarWinds, Log4j, Okta - are the ghost stories the whole category is built on.

The traction numbers BlueFlag reported alongside the round are the kind investors like: 300% year-over-year revenue growth in 2025 and a fivefold increase in Fortune 500 customers. On a modest revenue base - independent estimates put annual revenue around $3.4 million - triple-digit growth is easier to achieve than it would be at scale, but the direction and the enterprise logos are the point. The company says it will use the money to accelerate the platform and expand across the US and EMEA, aimed squarely at regulated industries adopting AI-driven development.

The most provocative number in BlueFlag's marketing is the claim that more than 75% of SDLC risk is invisible to existing tools. Take it, as one should take any vendor's framing of the size of its own opportunity, with appropriate salt. But the underlying observation is hard to dismiss: if your security tooling is built to inspect code, and the actual risk lives in identity and behavior, then a large chunk of your exposure is by definition off-camera. BlueFlag is selling the camera.

It helps that the regulatory wind is at the company's back. New rules in the US and the EU are steadily shifting the burden of secure software onto the organizations that produce it, which turns "we govern who touches your code" from a nice-to-have into something closer to a compliance requirement. The category BlueFlag lives in - variously called application security posture management, software supply chain security, and non-human identity - is crowded, with names like Apiiro, Cycode, Endor Labs, and Astrix all circling adjacent problems. BlueFlag's wager is that framing the whole thing around identity, rather than around code scanning or a single asset type, is the durable way to think about it. Partnerships with firms like Obsidian Systems, Catworkx, and Knowmad Mood are meant to get that framing in front of buyers faster than a direct sales team could alone.

What you can do with itLeast privilege, minus the friction

Practically, a security or platform team using BlueFlag can do a few concrete things. They can get a unified view of who and what holds which permissions across developers, service accounts, bots, and agents, and then trim the over-privileged ones down using just-in-time access rather than standing grants. They can watch for the behavioral anomalies and toxic interactions described above and get alerts with enough context to actually investigate. They can bring their AI coding tools under governance instead of pretending they aren't there. And they can keep an eye on the toolchain itself - the CI/CD misconfigurations and policy drift that quietly widen the attack surface.

The recurring promise, and the hardest one to keep, is that all of this happens without turning developers into hostages of the security team. The industry has a long, unhappy history of security tools that work beautifully in a demo and get ripped out six weeks later because they slowed everyone down. BlueFlag positions itself on the productive side of that line - visibility and control that ride alongside the pipeline rather than blocking it. Whether it stays there is the question every security company eventually has to answer in production, not in a pitch deck.

The industry keeps building brakes. BlueFlag is trying to build brakes that developers won't tear out.

For now, the company is doing the thing early-stage security startups are supposed to do: growing fast, shipping in the direction the market is visibly moving - toward AI in the pipeline - and telling a story simple enough to repeat. That story is that the perimeter has quietly relocated. It is no longer the network edge, or even the code repository. It is the pull request, the access grant, the agent with commit rights. BlueFlag Security's bet is that whoever watches that layer carefully will matter a great deal, and that not many people are watching it yet. It is a good bet. The next few years will say how good.

The PlatformWhat BlueFlag actually ships

Manage Developer Entitlements

Unified visibility into permissions across developers, service accounts, bots, and AI agents. Trims over-privileged identities with just-in-time access and automated credential reviews.

Least Privilege

Detect Risky Behavior

Surfaces behavioral anomalies, unusual access, off-hours mass repo cloning, privilege escalation, and "toxic interactions" - benign actions that are dangerous in combination.

Behavioral Analysis

Govern AI Agents

Discovers Copilot, Cursor, and autonomous agents, ties AI-generated code to a human owner, flags shadow AI, and requires human approval before high-risk actions hit production.

AI Governance

Secure Your Toolchain

Continuously monitors dev tools and CI/CD pipelines for misconfigurations, policy violations, and compliance gaps, with guided remediation.

CI/CD Posture

The Story So FarA short, fast history

2024

BlueFlag Security is founded

Raj Mallempati and Ken Schneider launch in Sunnyvale to secure developer and machine identities across the software lifecycle.

2024

Seed funding & platform launch

Early backing from Ten Eleven Ventures, Maverick Ventures, and Pier 88 funds the identity-centric SDLC platform.

2025

A breakout commercial year

300% year-over-year revenue growth and a fivefold jump in Fortune 500 customers.

2026

$28M Series A & AI Agent Governance

Announces $28M raised to date and launches AI Agent Governance plus Developer Behavioral Risk Analysis, eyeing US and EMEA expansion.

"Breaches start with identity. BlueFlag was built to close that gap - and the traction we're seeing tells us the market is ready."
Raj Mallempati · Co-Founder & CEO

MarginaliaSix things worth knowing

QuestionsThe FAQ

What does BlueFlag Security do?

It provides an identity-centric security and governance platform for the software development lifecycle - monitoring developers, service accounts, bots, and AI agents to detect risky behavior, enforce least privilege, and govern AI-generated code.

Who founded it and when?

Founded in 2024 by Raj Mallempati (CEO, ex-CloudKnox and Microsoft) and Ken Schneider (CTO, ex-CTO of Symantec Enterprise).

How much has it raised?

As of March 2026, $28 million total, including a $16.5 million Series A led by Maverick Ventures and Ten Eleven Ventures.

How is it different from traditional AppSec tools?

Instead of scanning code for vulnerabilities, BlueFlag focuses on the identities and tools behind the code - governing who and what has access, and how they behave across the pipeline.

What is AI Agent Governance?

It discovers AI coding assistants and autonomous agents, traces their code to human owners, detects shadow AI, and requires human approval before high-risk actions reach production.

◊ ◊ ◊

Share this dossier