Cloudsmith Raises $72M To Secure AI Software Supply Chains

Belfast-founded artifact management provider Cloudsmith raised $72 million in a Series C led by TCV with participation from Insight Partners. The funding, coming less than a year after a $23 million Series B, will accelerate product development and go-to-market expansion for Cloudsmith's cloud-native private registry and artifact governance capabilities. The company positions itself as a critical control layer for the rising volume of AI-generated code and expanding software supply chain attack surfaces, offering package hosting, mirroring of public registries, scanning, policy enforcement, and a newly emphasized model registry. CEO Glenn Weinstein frames the shift as permanent: AI agents create too much code for human review, so enterprises need automated, enterprise-grade artifact controls.
What happened
Cloudsmith raised $72 million in a Series C round led by TCV with participation from Insight Partners and existing investors. The financing follows a $23 million Series B less than thirteen months earlier and will fund product R&D, go-to-market expansion, and scaling of its cloud-native artifact management platform. "Cloudsmith is the only platform built for the way software is being developed today, by AI agents. We're never going back to hand-crafted software," said Glenn Weinstein, CEO.
Technical details
Cloudsmith operates a universal, cloud-native private registry for software artifacts: packages, binaries, containers, dependencies, and internal build outputs. Its product set focuses on visibility, governance, and enforcement across the software supply chain to compensate for the velocity and volume introduced by AI coding agents. Key capabilities include:
- Private package hosting and distribution across formats
- Mirroring and caching of public registries such as PyPI, Docker Hub, Maven, and npm inside enterprise boundaries
- Automated security scanning and vulnerability detection integrated into CI/CD pipelines
- Policy enforcement and access controls to prevent unsafe artifacts entering production
- An emerging ML Model Registry capability to manage models as first-class artifacts
Cloudsmith positions these features as distinct from legacy artifact managers like JFrog Artifactory and Sonatype Nexus, arguing the incumbents were built for slower, human-led development cycles and require rethinking for agent-driven code production.
Context and significance
The round is notable for investor behavior as much as product positioning. TCV and Insight Partners both backed Cloudsmith's Series B and doubled down quickly, signaling conviction that artifact management becomes a strategic infrastructure tier as enterprises adopt AI-coding agents. The thesis is straightforward: AI agents multiply the number of artifacts and the speed at which they are produced, expanding the attack surface exposed via open-source dependencies, third-party packages, and generated code patterns that may introduce novel vulnerabilities. Regulatory and board-level scrutiny around software supply chain security and "secure by design" requirements is also elevating demand for platforms that provide auditability and enforceable policies.
For practitioners, Cloudsmith's push matters because securing the software supply chain increasingly requires controls at the artifact layer rather than only at source code or runtime layers. Managing provenance, immutability, signing, and policy enforcement at the registry level reduces the window in which compromised or malicious artifacts can propagate through CI/CD. The ML Model Registry mention signals vendor recognition that models themselves will become managed artifacts with provenance, licensing, and security requirements similar to binaries.
What to watch
The indicators to watch are adoption metrics among Fortune 500 and Global 2000 customers, integration breadth with major CI/CD systems and SCA tools, and velocity of the new model registry feature. Competitor responses from incumbents and open-source registry projects will indicate whether this becomes a centralized enterprise practice or a fragmented set of point solutions.
Bottom line
The funding validates artifact management as strategic infrastructure for the AI era. Cloudsmith now has capital to accelerate productization of registry-level controls and model artifact governance, but enterprise traction will hinge on deep CI/CD integrations, developer ergonomics, and demonstrable security outcomes.
Scoring Rationale
This is a notable Series C that underscores rising enterprise demand for registry-level controls as AI-generated code increases artifact volume. It is important for infrastructure and security teams but not a paradigm-shifting event.

