"Having a strong artifact management layer creates the byproduct of a secure software supply chain," Glenn Weinstein told ISMG.
Cloudsmith's $72 million Series C and company trajectory
Belfast, Northern Ireland-based Cloudsmith announced a TCV-led Series C financing of $72 million to bolster its artifact management platform and expand software supply-chain security capabilities. The company, founded in 2016, employs 148 people and has raised $126 million to date. Its prior financing was a $23 million Series B round also led by TCV in May 2025. Cloudsmith has been led since August 2023 by CEO Glenn Weinstein, who spent nearly four years leading customer support, professional services, solutions engineering and developer network teams at Twilio.
Artifact management reframed as a security layer
Cloudsmith positions its artifact management service as an intermediary between developers and public repositories, turning artifact management into "a security layer without requiring developers to change how they work," Weinstein said. The funding is intended to help the company enforce policies, audit usage and reduce exposure to malicious or compromised packages — problems thrust into preeminence by recent package compromises and stolen maintainer credentials.
Private registries for vetting, approval and auditability
Cloudsmith emphasizes private registries as a practical control: they let organizations vet and approve packages before developers can use them, creating consistency and auditability across development environments. Weinstein described the platform’s aim to go beyond simple vulnerability flags, instead providing developers and AI agents with insights into package popularity, maturity, known risks and suitability for specific use cases. As he put it, "There's nothing wrong with those public registries. They're great. They provide an incredible service to the community," but "you do want to put a layer of policy and control in between your developers and those public registries."
AI agents, developers and policy compliance
Cloudsmith argues policy enforcement will operate differently as AI agents enter software development workflows. "Agents will do what they're told," Weinstein said, noting that agents are often far more compliant with enforced policies than human developers. That compliance creates an opportunity to embed security controls more deeply into development without sacrificing speed. At the same time, he warned agents require high-quality context to make good decisions — increasing the importance of enriched metadata on artifacts.
Enriching artifacts with external security data and continuous monitoring
To support nuanced policy decisions, Cloudsmith plans to integrate data from external security tools such as vulnerability scanners and risk analysis platforms. Weinstein described synthesizing multiple sources through the Cloudsmith control plane to form "a really rich picture of each individual artifact," allowing organizations to evaluate exploitability, reachability and business context rather than relying on binary vulnerability tags. The company is shifting toward continuous monitoring that maps new vulnerability disclosures against existing artifacts to reveal exposure in near real time and speed response — an approach Weinstein summarized as, "The future is you don't scan anything."
What this means for CISOs, developers, and DevOps/platform engineering teams
- CISOs and cybersecurity teams: Security leadership is now "top of agenda" for governing how software is built, Weinstein said; private registries and enriched artifact data give CISOs tools to set and audit policy across development pipelines.
- Developers and AI agents: Developers continue to work with public registries while an artifact layer enforces policy; AI agents may follow curated repository rules more strictly than humans, placing a premium on high-quality metadata and context for automated decision-making.
- DevOps and platform engineering teams: Teams focused on build speed and reliability will need to integrate caching, pre-processing and infrastructure optimization to keep builds fast as components — including containers and machine-learning models — grow in size and complexity.
Cloudsmith’s funding and technical direction make a narrow but consequential claim: that artifact management can serve as a practical control point for software supply-chain risk without forcing developers to abandon existing workflows. The company is betting the next phase of securing software will hinge on richer metadata, continuous monitoring tied to external security signals, and policies that agents will reliably follow. The record leaves one clear operational question: can continuous, synthesized visibility scale quickly enough to keep pace with rapid, AI-driven development and the expanding universe of artifacts?
