Roni Fuchs runs an application security company called Legit Security, which is in the business of asking a question that, if you say it out loud, sounds obvious enough to be embarrassing: how, exactly, is your software being built? Not "is your code secure," which is what application security teams have historically been paid to worry about, but the more upstream and more anxious question of whether the developers writing it, the pipelines shipping it, the build servers assembling it, and the CI/CD systems deploying it are themselves worthy of trust. Fuchs's argument, which has attracted about $80.5 million in venture capital, is that most large enterprises have never actually answered this question. His company answers it for them.
The category he sits inside is called Application Security Posture Management, or ASPM, an acronym so recently coined that some of his customers only learned it after they signed the contract. Legit Security is one of the companies analysts point to when they explain what ASPM is. There are worse positions to be in as a young enterprise software CEO than "the example."
Legit Security was incorporated in September 2020 by three men who had known each other since the Israel Defense Forces' Unit 8200 - the signals intelligence outfit whose alumni network functions as a kind of informal Silicon Wadi seed fund. Fuchs is the CEO. Liav Caspi is the CTO. Lior Barak is the VP of R&D. They serve customers including Google, the New York Stock Exchange, Kraft Heinz, Takeda Pharmaceuticals, Procter & Gamble, AIG, Freddie Mac, and Palo Alto Networks. This is a customer list that would be improbable for a company at any stage, and slightly ridiculous for one incorporated during a pandemic.
Fuchs is the sales half of the founding trio in the sense that he can describe what the product does without accidentally reciting a Kubernetes manifest. "My co-founders are brilliant," he told Forbes. "My CTO knows how to build the right solution at scale. I was always the one who between the three of us who was able to dream or sell that dream." Founders often say this kind of thing about their partners; usually it is diplomatic. In Fuchs's case it happens to also be a functional description of the org chart.
The name of the company is a small comedy. Fuchs and his co-founders picked "Legit" because it conveyed authenticity and trust - the qualities you would want from a company auditing your build pipeline. What Fuchs did not know is that MC Hammer had a song containing the word, or that Americans of a certain age would immediately hear the syllables "too legit to quit" whenever the company name was spoken aloud. "I didn't know the famous song by MC Hammer when we named the company Legit," he later admitted. "And on one of our first sales calls we were shown the song on YouTube and it was awesome." The name stayed.
Fuchs grew up in Jaffa, the port neighborhood south of Tel Aviv. His father was a Romanian immigrant and an engineer, which is how Fuchs ended up in front of a computer earlier than most Israeli kids of his generation. "I grew up with an emphasis on working hard and excelling and trying to build something," he told Forbes. "That hard work really paid off eventually because that, I think, was one of the reasons I got into 8200." Unit 8200 is famously selective and famously formative; it is where Fuchs met Caspi and Barak in the late 2000s and where he spent seven years as, first, an R&D cyber software engineer and then, from 2012 to 2014, an R&D cyber team leader.
After 8200 he did what a lot of 8200 alumni do: he joined a cybersecurity startup. Aorato was a small Tel Aviv company that Microsoft acquired in 2014. Fuchs stayed on for four years, becoming a senior software engineer inside the Microsoft security organization, watching how a giant absorbs a small thing without immediately breaking it. In 2018 he left to start Lumobit, whose thesis was open-source security. Caspi and Barak joined him. Within a few months Lumobit was folded into Checkmarx, and Fuchs became a senior director and the head of the SCA business unit there. This is the founder equivalent of a shorter Aorato: he had done acquisition-side integration twice.
Which brings us to Legit. By the time Fuchs left Checkmarx in 2020 to start his third company, he had a specific set of complaints about how enterprise application security worked in practice. The complaints amounted to the observation that AppSec teams inspected code, and sometimes runtime, but rarely the middle: the pipelines, the build environments, the tooling. "Most organisations have an application security product security team that's tasked with securing applications," he explained. "But the fundamental question of how that software is being built, that's not something they're responsible for." Legit Security exists to be responsible for that question.
The company's core claim, which shows up in Fuchs's investor pitches and product demos, is that Legit discovers the pipelines automatically. You do not tell Legit which repositories to look at; Legit finds them, along with the CI/CD systems, the secret stores, the deployment targets and, uncomfortably often, the shadow build system nobody remembers approving. "We're the only company that looks at it from an automatic discovery point of view," Fuchs said. Discovery is a word that shows up a lot when he talks; he treats it as the first-order problem, on the reasonable theory that you cannot secure what you cannot see.
Legit raised a $26.5 million Series A led by CRV in 2022 and, in September 2023, closed a $40 million Series B, bringing the total to roughly $80.5 million. The company is dual-headquartered in Boston and Tel Aviv, a common structure for Israeli enterprise startups but one that requires a CEO to be functionally continent-agnostic. Fuchs travels. He appears at NYSE for Floor Talk segments in a blazer, sits down with theCUBE for cybersecurity summits, and occasionally does the RSA circuit. On camera he is measured. He does not oversell. He speaks in complete sentences.
There is a certain type of founder who arrives at their third company having already learned which mistakes cost you the most. Fuchs, without saying so directly, seems to be one of them. He hired his best former co-workers. He picked a category the market had not yet named. He chose a name he liked before checking if it appeared in a Hammer discography. He raised enough money to build the product but not so much that the story is now about the money. He has, in short, been running a founder's playbook that reads a lot like patience.
The thing Fuchs seems most animated by, in interviews, is the idea that ASPM is not a bolt-on. It is not a scanner. It is the substrate. "An open ASPM platform that reveals how software is being built in the software supply chain is the future of how software will be built securely," he said. That is a strong sentence to say out loud, in that it either turns out to be right or turns out to be embarrassing. Fuchs seems willing to find out which.
"I didn't know the famous song by MC Hammer when we named the company Legit. And on one of our first sales calls we were shown the song on YouTube and it was awesome." — Roni Fuchs, in Forbes
Fuchs grew up in Jaffa, exposed early to computers by a Romanian-immigrant engineer father. Selection into Israel's Unit 8200 was the pivot - and where he met his future co-founders Liav Caspi and Lior Barak.
His first startup (Aorato) went to Microsoft in 2014. His second (Lumobit) was absorbed into Checkmarx around 2018-19. Legit is his third company and the first one he intends to hold.
Fuchs is clear about the founding-team division of labor: he sells the dream, his CTO builds it at scale. Founders who mistake themselves for the other role - he seems to be saying - break their companies.
Application Security Posture Management barely existed as an analyst term when Legit incorporated. Fuchs picked the category and let the market catch up. Analysts now cite Legit as an ASPM example.
Legit's core wedge is finding the pipelines you didn't know you had - the shadow build systems, forgotten CI/CD jobs, orphaned repos. Fuchs treats discovery as the first-order problem.
Tel Aviv for engineering. Boston for enterprise sales. It's a common structure for Israeli cyber companies and a demanding one for the CEO who has to be present in both.
Series A led by CRV. Sources: Crunchbase, TechCrunch, Calcalist.
The names Fuchs and Legit cite publicly. A three-year-old company with a customer list that reads like the S&P 500.
"My CTO knows how to build the right solution at scale. I was always the one who between the three of us who was able to dream or sell that dream." — Roni Fuchs
On an early sales call, a customer opened YouTube and cued up "U Can't Touch This." Fuchs learned the reference and kept the name.
BSc from Tel Aviv University, MSc from Reichman University (IDC Herzliya). He is a founder who reads his own log files.
Legit's About page says he "enjoys traveling with his family and exploring different local cuisines." Corporate bio, faithfully reported.
Three co-founders. Three companies over his career. The pattern feels deliberate.
Featured on NYSE's Floor Talk series in 2024, discussing software supply chain security with a broker-adjacent audience.
Boston for enterprise sales, Tel Aviv for engineering. Fuchs's carry-on is presumably an extension of his laptop.