Isaac Evans raises $100M Series D for Semgrep - February 2025. Semgrep recognized in 2025 Gartner Magic Quadrant for Application Security Testing. 20 million developers reached monthly through Semgrep integrations. Fortune Cyber 60 honoree two consecutive years. $193M total funding across four rounds. 75+ million repository scans annually. Inc. Best in Business 2025 - Best AI Implementation.
Founder & CEO · Semgrep

Isaac Evans

The Architect of Developer-First Security

MIT-trained, DoD-forged, VC-backed. Evans built the security tool that 20 million developers use every month - not because he made security scarier, but because he made it invisible.

Isaac Evans, Founder and CEO of Semgrep
$193M Total Raised
75M+ Scans/Year
20M Devs/Month

"Most security tools don't put the developer first, and that's a problem we want to solve." - Isaac Evans, 2017. Eight years later, $193M says he was right.

The Security Tool Developers Actually Use

There is a rule in enterprise software that security teams know well and rarely admit: most security tools get ignored. Not because developers are reckless. Because the tools are built for auditors, not engineers. Isaac Evans saw this problem in 2017 from inside a Redpoint Ventures office and decided to fix it. What followed became Semgrep - a code analysis platform that now scans over 75 million repositories a year and lives inside the workflows of Figma, Dropbox, Slack, Snowflake, Netflix, Salesforce, and Stripe.

The February 2025 close of a $100 million Series D, led by Menlo Ventures, brought total funding to $193 million. Mark McLaughlin, former CEO of Palo Alto Networks, signed on as a board observer and angel investor. In the language of the security industry, that is not just a vote of confidence. That is a peer review.

$193M Total Funding
75M+ Annual Scans
40+ Languages
3,000+ Community Rules

MIT Roommates and an Army Android Project

Evans enrolled at MIT in 2009 to study Electrical Engineering and Computer Science. He graduated in 2013, then stayed for a Master's in computer engineering, completing it in 2015. In between, he participated in the DARPA Robotics Challenge with MIT's team and spent a semester as an undergraduate researcher at MIT CSAIL's Robotics, Vision, and Sensor Networks Group. He also received a DoD SMART Fellowship.

The origin story of Semgrep is embedded in Simmons Hall. Evans, Drew Dennison, and Luke O'Malley were MIT roommates, all in EECS. During MIT's Independent Activities Period in 2011, the three took on an Army Android security project. Evans ran the strategy, Dennison handled the technical architecture, O'Malley shaped the product. They would spend the next decade refining that exact arrangement.

Origin Story: The roles Evans, Dennison, and O'Malley played at Semgrep - CEO, CTO, Chief Product Officer - were first rehearsed in a 2011 MIT class project about Android security. They didn't plan it. It just fit. When they founded the company six years later, nothing needed renegotiating.

Three Years Inside the DoD

After graduating in 2013, Evans spent three years as a Computer Scientist at the U.S. Department of Defense. The work was technical and classified: research into binary exploitation bypass techniques, including workarounds for control-flow integrity and hardware defenses on novel architectures like RISC-V. Concurrently, from 2014 to 2015, he consulted at MIT Lincoln Laboratory.

This is the background that most founders in developer tooling don't have. Understanding how attackers bypass defenses at the hardware level shapes how you design software guardrails in a way that enterprise security certifications don't. Evans arrived at his product conviction not from reading research papers but from writing them.

"How security is implemented matters far more than when." - Isaac Evans

The Redpoint Residency and the Big Gap

In 2016, Evans left the DoD and joined Redpoint Ventures as an Entrepreneur in Residence. The timing was deliberate. He and Dennison had a hypothesis: companies with serious security budgets were still falling far behind Google, Facebook, and Netflix on code security. Not because they lacked money, but because they lacked the right tools.

Tech giants had built internal platforms that let security engineers codify rules once and enforce them automatically across millions of lines of code. Everyone else was running ad-hoc scans, drowning in false positives, and telling developers to "shift left" without giving them anything useful to shift toward. Evans decided to build the external version of what the hyperscalers had internally.

In May 2017, r2c was founded. The name was informal shorthand - "return to code" or "return to center" depending on who you ask - and the founding thesis was simple: security rules should live in the codebase, not in a separate tool that only the security team can configure.

The Pivot That Defined Everything

The early years of r2c were not a straight line. The product worked, but something was off. Security teams were interested. Developers were not. Evans recognized that interest from the buyer and adoption from the user are different problems, and in developer tooling, adoption is the only number that matters.

In 2019, he recruited Yoann Padioleau, a former Facebook engineer who had written sgrep as part of Facebook's pfff program analysis library. Padioleau was the original author of the underlying engine. Evans brought him in to rebuild it for the modern polyglot codebase - multiple languages, real developer workflows, and the kind of precision that eliminates the false positive noise that makes security tools useless.

The Technical Insight

"Semgrep" means semantic grep. Where traditional grep matches text patterns, Semgrep matches patterns in a program's abstract syntax tree. The difference: it understands that foo.bar() and foo . bar () are the same code, so formatting cannot hide a match. It catches vulnerabilities that text-pattern tools miss entirely. Cross-file analysis extends this across entire codebases.
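As an added illustration (not Semgrep's engine or any code from the project), a toy matcher built on Python's `ast` module shows why syntax-tree matching is insensitive to layout where a text regex is not; the `foo.bar()` sample source is constructed for the demonstration.

```python
import ast
import re

# Constructed sample source: lines 2-4 are all semantically foo.bar(...),
# written with different whitespace and layout; line 8 only mentions the
# name inside a string literal and is not a call at all.
SAMPLE = """
foo.bar()
foo . bar ()
foo.bar(
    1,
    2,
)
print("foo.bar()")
"""


def regex_matches(src: str, obj: str, method: str) -> list[int]:
    """Text-level search, grep style: returns 1-based line numbers where
    the literal text '<obj>.<method>(' occurs. Extra whitespace defeats
    it, and it also fires on the name inside a string."""
    pattern = re.compile(rf"\b{re.escape(obj)}\.{re.escape(method)}\(")
    return [src.count("\n", 0, m.start()) + 1 for m in pattern.finditer(src)]


def ast_matches(src: str, obj: str, method: str) -> list[int]:
    """Semantic search: parses the source and returns the line numbers of
    Call nodes whose callee is the attribute <obj>.<method>. Layout is
    irrelevant because the tree carries no whitespace, and string contents
    are Constant nodes, so they cannot match."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == method
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == obj
        ):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("regex:", regex_matches(SAMPLE, "foo", "bar"))  # [2, 4, 8]
    print("ast:  ", ast_matches(SAMPLE, "foo", "bar"))    # [2, 3, 4]
```

The same `ast_matches` function works for any object/method pair, which is the generalization the page describes: one rule, applied to every layout of the same code.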

In late 2020, r2c rebranded to Semgrep and open-sourced the core tool. The open-source move was the unlock. Developers could try it locally, customize it, write their own rules, and share them. A community of 3,000+ contributed rules followed. The product became a distribution channel. By the time Semgrep started charging for enterprise features, millions of developers already had muscle memory for the tool.

Guardrails, Not Gates

Evans's clearest intellectual contribution to the application security category is a distinction he articulated publicly in 2024: the difference between security guardrails and security gates. A gate stops you. A guardrail guides you. The security industry, he argues, built gates and called them "shift left" - and then wondered why developers worked around them.

Semgrep's product philosophy is that security rules should be visible to developers, modifiable by them, and overridable when necessary. Not because security doesn't matter, but because security that developers understand is security that actually works. A guardrail you understand is one you follow. A gate you don't understand is one you climb.

The impact is quantifiable. Semgrep's AI-hybrid engine, which combines traditional static analysis with large language models, achieves a 96% agreement rate with security researchers on true positives and filters out 60% of false positives. In an industry where false positive fatigue is the primary reason developers ignore security alerts, that number is not a feature. It is the entire thesis.

"The era of AI for security is here, and Semgrep is uniquely positioned to help organizations secure their code without sacrificing development velocity." - Isaac Evans, Series D Announcement, February 2025

The LLM Turn

In January 2025, Evans made a bold public claim: traditional SAST tools combined with LLMs will obsolete the existing generation of security tooling. "What changed in 2024," he said, "was realizing that LLMs could change the game in the context of the findings engine itself."

This is not a pivot for Semgrep. It is an extension of the founding thesis. Where the original insight was "make security rules that developers write and understand," the new insight is "make an engine that reasons about code the way a security engineer would - and then automates their entire workflow." The company's vision for Semgrep 2.0 combines rule-based determinism with contextual LLM judgment: catching the same patterns, but explaining them in human language, suggesting fixes, and committing them automatically.

Semgrep now integrates with Anthropic, OpenAI, and Cursor - embedding security checks inside the AI coding tools that developers are adopting by default. If the code editor is the new IDE and LLMs write the first draft, security has to live at that layer or it doesn't live at all.

The Funding Arc

The capital story reflects the thesis. Redpoint Ventures (Evans's former EIR home) and Sequoia Capital joined the $13M Series A in October 2020. Felicis led the 2021 Series B at $27M - the round that coincided with GitLab making Semgrep its default SAST analyzer for JavaScript, Python, and TypeScript. Lightspeed led the 2023 Series C at $53M. Menlo Ventures led the February 2025 Series D at $100M, noting that Semgrep was "putting code security on autopilot."

The investor base is not just a capital stack. Redpoint was the place Evans conceptualized the company. Sequoia validates the top-tier enterprise trajectory. Lightspeed and Menlo signal conviction in the AI security thesis. Each round brought in the investor whose portfolio logic matched Semgrep's next chapter.

Career Timeline

2009 - Enrolled at MIT to study Electrical Engineering & Computer Science
2011 - Army Android security project at MIT's IAP - worked with future Semgrep co-founders Dennison and O'Malley
2012 - Founded Silhouette Technologies (undergraduate venture); joined MIT CSAIL robotics research group
2013 - BS in EECS from MIT; joined U.S. Department of Defense as Computer Scientist
2014 - Enrolled in MIT Master's program; consulted at MIT Lincoln Laboratory
2015 - Completed MS in Computer Science (Computer Engineering) at MIT
2016 - Joined Redpoint Ventures as Entrepreneur in Residence
2017 - Co-founded r2c (later Semgrep) with Dennison and O'Malley in San Francisco
2019 - Recruited Yoann Padioleau, original sgrep author from Facebook, to rebuild the analysis engine
2020 - Rebranded to Semgrep; open-sourced the core tool; closed $13M Series A with Redpoint and Sequoia
2021 - $27M Series B; Semgrep became GitLab's default SAST analyzer for JS, Python, TypeScript
2023 - $53M Series C led by Lightspeed Venture Partners
2024 - Fortune Cyber 60 second consecutive year; launched AI-hybrid engine strategy with LLM integration
2025 - $100M Series D led by Menlo Ventures; first Gartner Magic Quadrant inclusion; total funding $193M

Built Different

🏆 Forbes Cybersecurity Awards 2020 - "Disruptive Innovator" for reimagining developer-first static analysis

📈 Fortune Cyber 60 honoree two consecutive years in the early-growth-stage category

📄 First-ever inclusion in 2025 Gartner Magic Quadrant for Application Security Testing

🥇 Inc. Best in Business 2025 - Best AI Implementation for Semgrep's hybrid LLM + static analysis engine

🔗 GitLab's default SAST analyzer for JavaScript, Python, and TypeScript since GitLab 14 (2021)

👥 20 million developers reached monthly - Figma, Dropbox, Slack, Snowflake, Netflix, Salesforce, Stripe

🧠 96% security researcher agreement rate on true positives with Semgrep's AI-hybrid findings engine

🛠 Open-sourced Semgrep and built a 3,000+ rule community - one of the largest AppSec rule libraries

💬 Security integrations with Anthropic, OpenAI, and Cursor - embedded at the AI coding layer

Five Things Worth Knowing

01. Evans and his two co-founders were MIT roommates who rehearsed their future company dynamic in a 2011 class project - six years before founding Semgrep.

02. Semgrep is built on an engine originally written at Facebook. Evans recruited that engine's author, Yoann Padioleau, to rebuild it for the open market.

03. Evans researched binary exploitation techniques for the U.S. DoD - the same class of vulnerabilities his current tools help developers avoid creating.

04. "Semgrep" is short for semantic grep. It matches patterns in code's abstract syntax tree, not raw text - catching bugs that regex-based tools miss entirely.

05. Evans joined Redpoint Ventures as an EIR in 2016 and later raised his Series A from that same firm - effectively pitching the people who watched him invent the company.

