Cloudsmith Raises $72M Series C to Secure AI-Era Software Supply Chains (April 2026)
Belfast-headquartered Cloudsmith closed a $72 million Series C led by TCV with Insight Partners, betting that AI-generated code will overwhelm enterprise package registries. Total funding now exceeds $110M.
Belfast-headquartered Cloudsmith closed a $72 million Series C led by TCV, with participation from Insight Partners and existing investors, betting that the explosion of AI-generated code is about to overwhelm the average enterprise software supply chain.
What Happened
The round closes one year after Cloudsmith’s Series B, also led by TCV, and brings total outside capital above $110 million. According to the official BusinessWire announcement, Cloudsmith will use the new capital to accelerate product development and expand its go-to-market team in the United States, where its largest enterprise accounts are concentrated.
Cloudsmith sells a managed artifact-management platform — a unified registry that handles every major package format (npm, PyPI, Maven, Docker/OCI, NuGet, Cargo, Helm, Terraform, Debian, RPM and roughly two dozen more) behind one access-controlled CDN. In a market where developers traditionally bolt together JFrog Artifactory, Sonatype Nexus and a half-dozen format-specific proxies, Cloudsmith’s pitch is “one registry, every format, with policy and supply-chain controls baked in.” SiliconANGLE reports the company has been growing triple-digits year over year in enterprise ARR.
Key Details
- Round size: $72 million Series C, closed and announced.
- Lead investor: TCV (returning lead; also led the Series B in 2025).
- Participation: Insight Partners and existing backers including Tiger Global and MMC Ventures.
- Total funding to date: More than $110 million across seed, A, B and C, per TheNextWeb.
- Headquarters: Belfast, Northern Ireland, with U.S. operations in New York and Boston.
- Use of funds: Product development — specifically AI-aware policy engines and SBOM tooling — plus expanded enterprise sales.
What Developers Are Saying
The funding lands less than 48 hours after a major Shai-Hulud worm backdoored the official Bitwarden CLI on npm, and the developer reaction on Hacker News and Reddit’s r/devops has been unusually self-aware. The recurring sentiment is that “public registries are a load-bearing piece of infrastructure that nobody actually owns,” and that AI coding agents — which now author a meaningful share of new dependencies — are about to make this worse, not better.
Critics on Hacker News pushed back on Cloudsmith’s pricing for smaller teams (paid plans start around $89/month) and noted that JFrog and GitHub’s own Packages product remain dominant in the Fortune 500. The most upvoted reply summed it up: “The opportunity is enormous, but the moat against GitHub Packages is the question.”
What This Means for Developers
For enterprises, the practical implication is that supply-chain security is now a funded category rather than a checkbox feature. Tooling that previously lived as a Snyk plug-in or a Dependabot rule is moving up the stack into the registry itself: signed provenance, license enforcement, vulnerability gating and AI-generated-package detection happen before the artifact ever reaches a developer’s laptop. Engineering leaders evaluating registries this year should expect Cloudsmith, JFrog, Sonatype and the cloud hyperscalers to converge on policy-as-code controls and SLSA attestations.
What's Next
Cloudsmith says the next 18 months will focus on three product bets: real-time SBOM generation across every supported format, native attestation under the SLSA Build Level 3 standard, and an AI-powered policy engine that flags packages whose maintainership graph or release cadence looks anomalous. The company also confirmed that it will hire roughly 80 employees over the next year, primarily in engineering and U.S. enterprise sales, per the Insight Partners memo.
Sources
- BusinessWire press release — primary source from Cloudsmith and TCV.
- Insight Partners investment memo — participant’s thesis and growth metrics.
- Tech.eu — European tech context and Belfast HQ details.
- SiliconANGLE — market positioning vs. JFrog and Sonatype.
- TheNextWeb — total-funding figures and round history.
- BankInfoSecurity — security-buyer angle on the round.