The quietest company in your tech stack - and the one fielding trillions of requests for the open source parts you forgot you were using.
Somewhere right now, a developer types a single line into a build file and a stranger's code drops into their application. They didn't write it. They probably won't read it. They will ship it to production by Friday. Multiply that by every team, in every company, in every country - and you arrive at a number Sonatype actually measures: 9.8 trillion open source downloads in a single year.
Sonatype sits in the middle of that traffic. It maintains Maven Central, the registry the Java world reaches into millions of times a day, and it built Nexus Repository, the most widely used artifact manager on the planet. When the modern internet borrows code - which is to say, constantly - Sonatype is often the one handing it over and quietly checking the package for poison.
It is an unglamorous job with enormous stakes. Most software today is roughly 90% assembled from open source components. The company's pitch is disarmingly simple: you cannot secure what you cannot see, and almost nobody can see what is inside their own software. Sonatype's entire reason for being is to fix that blind spot.
Open source was supposed to be the great gift of software - take what you need, build faster, owe nothing. Which is lovely, right up until the moment a single compromised package ripples through tens of thousands of applications that all trusted it without looking.
Sonatype was first to say the awkward thing out loud: poor-quality open source isn't a coding problem, it's a supply chain problem. The same discipline factories use to vet every part from every vendor should apply to software. At the time, the phrase "software supply chain" sounded like a stretch. Years later, regulators, the White House, and procurement departments would all adopt the term as if it had always been obvious.
Most apps are ~90% borrowed components, often nested layers deep where no human ever checks.
Trillions of downloads a year means a bad package travels fast and far before anyone notices.
Sonatype's research clocked open source malware growing 75% year over year heading into 2026.
Above: three reasons the "just npm install it" era eventually grew up and got a security budget.
Sonatype didn't arrive as outsiders selling security to developers. It grew out of the people who wrote the tools developers already lived in. The company began with core contributors to Apache Maven - the build system that quietly orchestrates much of the Java world - including Jason van Zyl, the creator of Maven and Nexus, and Brian Fox, a Maven core contributor who remains the company's CTO.
The bet was that credibility with developers couldn't be bought; it had to be earned by maintaining the infrastructure they depended on. So Sonatype kept running Maven Central as an open public good, then built commercial products on top of the trust that came with it. It is a strategy with a small touch of irony: give away the most important thing, then sell the ability to use it safely.
Sonatype's tools share a common engine - the IQ Server - and split the work of keeping open source honest. The idea is to meet developers where they already are, in their package managers and CI/CD pipelines, rather than bolting on security after the fact.
The world's most popular repository manager - stores, organizes, and serves build artifacts and open source components at enterprise scale.
Software composition analysis that enforces open source policy automatically and surfaces vulnerabilities across the whole development lifecycle.
Quarantines malicious or non-compliant packages - now including vulnerable Docker images - before they ever reach a developer's machine.
Generates and manages software bills of materials, turning "what's actually in our software?" from a panicked question into a report.
Sonatype's authority isn't a marketing claim - it's a measurement. Because it operates Maven Central, the company sees consumption patterns no vendor survey could fake. Its annual report has become a reference point for the entire industry, and the trend line it tracks only points one way: up and to the right, relentlessly.
Above: the growth curve of a habit nobody is planning to quit. Open source consumption, going only one direction.
Behind the charts are customers: thousands of enterprises and millions of developers across financial services, manufacturing, healthcare, and government - including a large share of the world's biggest companies. The platform now reaches them through partners too, with Nexus Repository and SBOM Manager available in AWS Marketplace and through Carahsoft for the public sector, plus deep GitHub integrations for CI/CD.
Estimated annual revenue, built on enterprise subscriptions.
Total raised before Vista's 2019 majority recap, from investors like NEA, Accel, and Goldman Sachs.
Fulton, McLean, London, and Sydney - plus a distributed workforce.
Most security tooling makes developers choose: move fast, or move carefully. Sonatype's stated mission is to refuse that trade - to "accelerate innovation through better software supply chain automation and security." In practice that means catching the bad component automatically, so the developer never has to slow down to find it.
It's a worldview shaped by the company's roots. Tools built by developers, for developers, that treat security as something you automate into the pipeline rather than something you nag people about afterward. The leadership change in 2025 - cybersecurity veteran Bhagwat Swaroop stepping in as CEO - signals an intent to scale that idea well beyond its Java origins.
The next twist is already here. AI assistants generate more code, faster, than any team could review by hand - and they happily reach for open source dependencies they were trained to trust. The volume problem Sonatype was built for just got an accelerant. More code, more components, more places for something malicious to hide in plain sight.
That is the case for tomorrow: as the amount of software explodes, the question of what is actually inside it stops being a niche developer concern and becomes a basic condition of doing business. Sonatype has been answering that question for two decades, mostly before anyone thought to ask it.
So return to that developer, typing one line into a build file on a Friday afternoon. A stranger's code drops in. They still won't read it. The difference is that now, somewhere upstream, Sonatype already did - scanned it, scored it, and quietly blocked the package that would have ruined the weekend. The code everyone ships is still borrowed. It's just no longer unguarded.