BREAKING LEGIT SECURITY CEO RONI FUCHS ON ASPM CATEGORY LEADERSHIP $40M SERIES B CLOSED (2023) UNIT 8200 → MICROSOFT → CHECKMARX → LEGIT CUSTOMERS: GOOGLE / NYSE / KRAFT HEINZ / PALO ALTO NETWORKS NAMED "LEGIT" WITHOUT KNOWING THE MC HAMMER SONG BREAKING LEGIT SECURITY CEO RONI FUCHS ON ASPM CATEGORY LEADERSHIP $40M SERIES B CLOSED (2023) UNIT 8200 → MICROSOFT → CHECKMARX → LEGIT CUSTOMERS: GOOGLE / NYSE / KRAFT HEINZ / PALO ALTO NETWORKS NAMED "LEGIT" WITHOUT KNOWING THE MC HAMMER SONG
The Editorial · Profile · Vol. VII

Roni Fuchs

Co-founder and CEO of Legit Security. He grew up in Jaffa, served in Unit 8200, sold his first company to Microsoft, folded his second into Checkmarx, and named his third one after a word that turned out to be an MC Hammer lyric.
Portrait of Roni Fuchs, Co-Founder and CEO of Legit Security
Roni Fuchs, photographed for the company's About page. Half-smile, no tie, the confident stillness of someone who has already been through two acquisitions.
$80.5M
Total Raised
89
Employees
2
Prior Exits
3
Unit 8200 Co-Founders
The Feature

The software supply chain is a plumbing problem, and Roni Fuchs is the plumber.

Roni Fuchs runs an application security company called Legit Security, which is in the business of asking a question that, if you say it out loud, sounds obvious enough to be embarrassing: how, exactly, is your software being built? Not "is your code secure," which is what application security teams have historically been paid to worry about, but the more upstream and more anxious question of whether the developers writing it, the pipelines shipping it, the build servers assembling it, and the CI/CD systems deploying it are themselves worthy of trust. Fuchs's argument, which has attracted about $80.5 million in venture capital, is that most large enterprises have never actually answered this question. His company answers it for them.

The category he sits inside is called Application Security Posture Management, or ASPM, an acronym so recently coined that some of his customers only learned it after they signed the contract. Legit Security is one of the companies analysts point to when they explain what ASPM is. There are worse positions to be in as a young enterprise software CEO than "the example."

Legit Security was incorporated in September 2020 by three men who had known each other since the Israel Defense Forces' Unit 8200 - the signals intelligence outfit whose alumni network functions as a kind of informal Silicon Wadi seed fund. Fuchs is the CEO. Liav Caspi is the CTO. Lior Barak is the VP of R&D. They serve customers including Google, the New York Stock Exchange, Kraft Heinz, Takeda Pharmaceuticals, Procter & Gamble, AIG, Freddie Mac, and Palo Alto Networks. This is a customer list that would be improbable for a company at any stage, and slightly ridiculous for one incorporated during a pandemic.

Fuchs is the sales half of the founding trio in the sense that he can describe what the product does without accidentally reciting a Kubernetes manifest. "My co-founders are brilliant," he told Forbes. "My CTO knows how to build the right solution at scale. I was always the one who between the three of us who was able to dream or sell that dream." Founders often say this kind of thing about their partners; usually it is diplomatic. In Fuchs's case it happens to also be a functional description of the org chart.

The name of the company is a small comedy. Fuchs and his co-founders picked "Legit" because it conveyed authenticity and trust - the qualities you would want from a company auditing your build pipeline. What Fuchs did not know is that MC Hammer had a song containing the word, or that Americans of a certain age would immediately hear the syllables "too legit to quit" whenever the company name was spoken aloud. "I didn't know the famous song by MC Hammer when we named the company Legit," he later admitted. "And on one of our first sales calls we were shown the song on YouTube and it was awesome." The name stayed.

Fuchs grew up in Jaffa, the port neighborhood south of Tel Aviv. His father was a Romanian immigrant and an engineer, which is how Fuchs ended up in front of a computer earlier than most Israeli kids of his generation. "I grew up with an emphasis on working hard and excelling and trying to build something," he told Forbes. "That hard work really paid off eventually because that, I think, was one of the reasons I got into 8200." Unit 8200 is famously selective and famously formative; it is where Fuchs met Caspi and Barak in the late 2000s and where he spent seven years as, first, an R&D cyber software engineer and then, from 2012 to 2014, an R&D cyber team leader.

After 8200 he did what a lot of 8200 alumni do: he joined a cybersecurity startup. Aorato was a small Tel Aviv company that Microsoft acquired in 2014. Fuchs stayed on for four years, becoming a senior software engineer inside the Microsoft security organization, watching how a giant absorbs a small thing without immediately breaking it. In 2018 he left to start Lumobit, whose thesis was open-source security. Caspi and Barak joined him. Within a few months Lumobit was folded into Checkmarx, and Fuchs became a senior director and the head of the SCA business unit there. This is the founder equivalent of a shorter Aorato: he had done acquisition-side integration twice.

Which brings us to Legit. By the time Fuchs left Checkmarx in 2020 to start his third company, he had a specific set of complaints about how enterprise application security worked in practice. The complaints amounted to the observation that AppSec teams inspected code, and sometimes runtime, but rarely the middle: the pipelines, the build environments, the tooling. "Most organisations have an application security product security team that's tasked with securing applications," he explained. "But the fundamental question of how that software is being built, that's not something they're responsible for." Legit Security exists to be responsible for that question.

The company's core claim, which shows up in Fuchs's investor pitches and product demos, is that Legit discovers the pipelines automatically. You do not tell Legit which repositories to look at; Legit finds them, along with the CI/CD systems, the secret stores, the deployment targets and, uncomfortably often, the shadow build system nobody remembers approving. "We're the only company that looks at it from an automatic discovery point of view," Fuchs said. Discovery is a word that shows up a lot when he talks; he treats it as the first-order problem, on the reasonable theory that you cannot secure what you cannot see.

Legit raised a $26.5 million Series A led by CRV in 2022 and, in September 2023, closed a $40 million Series B, bringing the total to roughly $80.5 million. The company is dual-headquartered in Boston and Tel Aviv, a common structure for Israeli enterprise startups but one that requires a CEO to be functionally continent-agnostic. Fuchs travels. He appears at NYSE for Floor Talk segments in a blazer, sits down with theCUBE for cybersecurity summits, and occasionally does the RSA circuit. On camera he is measured. He does not oversell. He speaks in complete sentences.

There is a certain type of founder who arrives at their third company having already learned which mistakes cost you the most. Fuchs, without saying so directly, seems to be one of them. He hired his best former co-workers. He picked a category the market had not yet named. He chose a name he liked before checking if it appeared in a Hammer discography. He raised enough money to build the product but not so much that the story is now about the money. He has, in short, been running a founder's playbook that reads a lot like patience.

The thing Fuchs seems most animated by, in interviews, is the idea that ASPM is not a bolt-on. It is not a scanner. It is the substrate. "An open ASPM platform that reveals how software is being built in the software supply chain is the future of how software will be built securely," he said. That is a strong sentence to say out loud, in that it either turns out to be right or turns out to be embarrassing. Fuchs seems willing to find out which.


"I didn't know the famous song by MC Hammer when we named the company Legit. And on one of our first sales calls we were shown the song on YouTube and it was awesome." — Roni Fuchs, in Forbes
Signals

Four things that explain him.

Jaffa, then 8200.

Fuchs grew up in Jaffa, exposed early to computers by a Romanian-immigrant engineer father. Selection into Israel's Unit 8200 was the pivot - and where he met his future co-founders Liav Caspi and Lior Barak.

Two exits, then one build.

His first startup (Aorato) went to Microsoft in 2014. His second (Lumobit) was absorbed into Checkmarx around 2018-19. Legit is his third company and the first one he intends to hold.

Dreamer, not builder.

Fuchs is clear about the founding-team division of labor: he sells the dream, his CTO builds it at scale. Founders who mistake themselves for the other role - he seems to be saying - break their companies.

Category, not feature.

Application Security Posture Management barely existed as an analyst term when Legit incorporated. Fuchs picked the category and let the market catch up. Analysts now cite Legit as an ASPM example.

Automatic discovery.

Legit's core wedge is finding the pipelines you didn't know you had - the shadow build systems, forgotten CI/CD jobs, orphaned repos. Fuchs treats discovery as the first-order problem.

Two headquarters.

Tel Aviv for engineering. Boston for enterprise sales. It's a common structure for Israeli cyber companies and a demanding one for the CEO who has to be present in both.

A career, dated.

  • 2007
    Joins Unit 8200 as an R&D cyber software engineer.
  • 2012
    Promoted to R&D cyber team leader inside Unit 8200.
  • 2014
    Aorato acquired by Microsoft. Fuchs stays on as a senior software engineer.
  • 2018
    Founds Lumobit. Caspi and Barak join as first employees. Company merges into Checkmarx.
  • 2018–20
    Head of SCA and senior director at Checkmarx.
  • 2020
    Co-founds Legit Security in September with Caspi (CTO) and Barak (VP R&D).
  • 2022
    Closes $26.5M Series A led by CRV.
  • 2023
    Closes $40M Series B in September. Total raised ~$80.5M.
  • 2024
    NYSE Floor Talk, Forbes profile, theCUBE cybersecurity summits.

The money, in one chart.

Seed
~$14M
Series A (2022)
$26.5M
Series B (2023)
$40M
Total
$80.5M

Series A led by CRV. Sources: Crunchbase, TechCrunch, Calcalist.

The Rolodex

Customers who signed early.

The names Fuchs and Legit cite publicly. A three-year-old company with a customer list that reads like the S&P 500.

Google NYSE Kraft Heinz Takeda Procter & Gamble AIG Freddie Mac Palo Alto Networks
"My CTO knows how to build the right solution at scale. I was always the one who between the three of us who was able to dream or sell that dream." — Roni Fuchs
Marginalia

Details that stick.

The MC Hammer sales call.

On an early sales call, a customer opened YouTube and cued up "U Can't Touch This." Fuchs learned the reference and kept the name.

Two computer science degrees.

BSc from Tel Aviv University, MSc from Reichman University (IDC Herzliya). He is a founder who reads his own log files.

Traveler, eater.

Legit's About page says he "enjoys traveling with his family and exploring different local cuisines." Corporate bio, faithfully reported.

Three, then three.

Three co-founders. Three companies over his career. The pattern feels deliberate.

NYSE floor.

Featured on NYSE's Floor Talk series in 2024, discussing software supply chain security with a broker-adjacent audience.

Dual continents.

Boston for enterprise sales, Tel Aviv for engineering. Fuchs's carry-on is presumably an extension of his laptop.

Q & A

What people ask.

Who is Roni Fuchs?
Co-founder and CEO of Legit Security, an application security posture management company he started in 2020 with two fellow Unit 8200 alumni.
What is Legit Security?
An ASPM company that automatically discovers and secures software supply chains - the pipelines, infrastructure, code, and people behind how applications get built and shipped.
Where did he work before Legit?
Unit 8200 (2007-2014), then Aorato (acquired by Microsoft in 2014), then his own startup Lumobit (folded into Checkmarx), where he ran the Software Composition Analysis business unit.
How much has Legit raised?
About $80.5 million total. Most recently a $40M Series B in September 2023.
Where is Legit based?
Boston, Massachusetts and Tel Aviv, Israel.
Watch

On camera.

The Rolodex, Continued

Where to find him.

Share the story.