Cloudsmith raises EUR 72m to scale artifact security

Category and buyer

Developer and platform engineering teams pay Cloudsmith to store, govern and distribute software artifacts (packages, containers and other build outputs) across the software delivery workflow. The pain it targets is practical and costly: keeping internal and third-party components controlled, traceable and policy-compliant as release velocity increases and AI-generated code and dependencies add more supply-chain risk.

The deal

Cloudsmith, a GB-based technology company, has raised EUR 72 million in a funding round backed by TCV and Insight Partners. The funding was recently announced.

No further deal terms were disclosed in the provided materials.

Why this matters: supply-chain control is becoming a core platform decision

Artifact management used to be a background DevOps utility. It is increasingly a board-level hygiene factor because it sits directly on the path from source code to production.

For buyers, the decision is not only about where packages are hosted. It is about:

• Policy enforcement at the point of distribution: controlling what can be downloaded, promoted, or deployed.
• Traceability: mapping what went into a build and where it ended up.
• Operational consistency: a single workflow across teams, languages, and deployment environments.

These needs intensify as enterprises adopt AI-assisted development. AI can accelerate output, but it also increases the number of components, versions, and potential vulnerabilities that must be governed. That shifts spend toward systems that can embed controls into the release process rather than relying on after-the-fact scanning.

Commercial dynamics: sticky workflows, but standards are moving

Platforms in this category tend to benefit from strong retention characteristics when they are deeply integrated:

• High switching costs: artifact repositories become intertwined with CI/CD, developer tooling, promotion rules, access controls, and audit requirements.
• Expansion hooks: once a team standardises on a repository, rollouts to additional business units, regions, and product lines are common.
• Pricing power tied to criticality: when the repository is positioned as part of a security and compliance workflow, it can move from “developer tool” budget to platform and risk budgets.

At the same time, competition is shaped by two realities:

1. Incumbent gravity: many organisations already use repository capabilities bundled with broader DevOps, cloud, or developer platforms. Winning displacements typically requires a clear operational or governance edge, not incremental features.
2. Evolving standards: software supply-chain practices, attestations, and policy frameworks are still changing. Vendors must keep pace without creating complexity that slows development teams.

What the funding is likely to support

Cloudsmith did not disclose a detailed use of proceeds in the deal facts provided. Based on how companies in artifact management and software supply-chain security typically deploy growth capital, likely focus areas (inference) include:

• Go-to-market capacity: scaling enterprise sales and solutions engineering to shorten evaluation cycles and support complex rollouts.
• Product depth in governance and security: more granular policy controls, auditability, and integrations across build systems and cloud environments.
• Geographic expansion: building coverage across major European and North American enterprise markets, where compliance and procurement requirements demand local presence.

Market signal

A EUR 72 million round led by growth-oriented investors signals that buyers are consolidating spend around fewer, more central platforms in the developer toolchain. Artifact management is moving from a “nice-to-have” infrastructure component to a control point for security, compliance, and release reliability.

For mid-market and enterprise software teams, the practical takeaway is that repository decisions increasingly need input from security and governance stakeholders, not only engineering, because the repository is where policy meets distribution.

What this enables

• Faster scaling of a governed artifact repository across more teams and environments
• Deeper integrations into CI/CD and platform engineering workflows
• Stronger positioning of artifact management as a security control point, not just storage

What to watch

• Whether Cloudsmith can win standardisation deals against bundled incumbents
• Sales cycle length and implementation depth in larger regulated organisations
• How the product roadmap tracks evolving supply-chain standards and audit expectations
• Evidence of expansion motion: land with a team, roll out across the organisation