The most damaging security breaches of recent years – from SolarWinds to the Shai-Hulud attack – all share a common thread. They didn’t start with attackers breaking through the front door. They began in the “upstream” layers of a company’s codebase, hiding in the open-source libraries, tools, and automated pipelines that engineering teams trust and pull from the internet every day.
We are incredibly excited to announce our partnership with Lupin & Holmes, the upstream security platform for enterprise teams to reclaim control over their software supply chain.
Depi was born from a unique vantage point. Founder Roni Carta built the company after years on the front lines as a senior security engineer and professional bug bounty hunter. By the age of 23, Roni had already earned nearly $800,000 in rewards for responsibly disclosing vulnerabilities to Fortune 500 and FAANG companies, including Google, Amazon, Netflix, and PayPal.
Twice named “Most Valuable Hacker” at Google’s Live Hacking Events, Roni has spent years spotting what others miss. This work gave him an unusually direct view of how large organizations are compromised. He realized that existing tools were failing: they either missed critical upstream context or buried security teams in noisy alerts that said nothing about whether a vulnerability was actually exploitable.
“We invested in Depi because Roni and his team have built a system that thinks like a hacker. Depi maps and stress-tests the true attack paths across dependencies, showing security leaders exactly how a criminal would attack their system before it happens. The result is supply chain security that turns alert fatigue into high-priority, actionable intelligence.”
Carlos Espinal ~ Seedcamp
Depi goes beyond simply listing known vulnerabilities. It reveals exactly how an attacker would backdoor a supply chain by mapping real attack paths. This gives enterprise teams the precision to prioritize and act on risks that actually matter, rather than chasing ghosts in their code.
The platform’s impact is already being felt by industry leaders. When Depi detected a critical vulnerability in Rollup, a JavaScript build tool with over 60 million weekly installations, it alerted customers, including digital asset security leader Ledger, days before the information became public. Because of Depi, Ledger’s team was able to identify every affected project, measure the “blast radius,” and contain the risk before a single compromised version reached production.
We couldn’t be more excited to be co-leading this round with our friends at 20vc with participation from Purple, Kima Ventures and the founders of Wiz, Hugging Face, and GitGuardian.