CFOtech US - Technology news for CFOs & financial decision-makers
BlueFlag lifts Series A after rapid revenue growth

Wed, 25th Mar 2026
Karen Joy Bacudo, Finance Editor

BlueFlag Security has raised a Series A funding round, bringing total funding to USD $28 million after a period of rapid revenue growth and increased adoption among large customers.

The San Francisco-based cybersecurity company recorded 300% year-on-year revenue growth in 2025 and increased its number of Fortune 500 customers fivefold. Founded in 2024, it focuses on identity-related risks across the software development lifecycle, including those tied to developers, service accounts and AI agents.

The Series A round was led by Maverick Ventures and Ten Eleven Ventures. BlueFlag plans to use the funds to further develop its platform and expand its presence in the US and EMEA, with a focus on regulated sectors and technology companies using AI in software development.

It also announced two additions to its platform: AI agent governance and developer behavioural risk analysis. The new products are aimed at organisations seeking greater visibility into how human and non-human identities behave across development tools and pipelines.

Identity focus

BlueFlag's approach is based on the view that many software supply chain incidents begin not with flaws in code itself, but with the misuse or compromise of identities that already have legitimate access to development environments. Those identities include employees, contractors, service accounts and, increasingly, AI systems that can write, test or deploy code.

The company pointed to broader industry concern in this area, citing the 2025 Verizon Data Breach Investigations Report, which found that 68% of breaches involved compromised credentials. It also noted that software supply chain failures ranked third in the OWASP Top 10 2025 list.

Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security at IDC, said the growing presence of AI systems in development teams is creating visibility challenges for security teams.

"AI agents are becoming a significant presence in development environments, from coding assistants that operate alongside developers to autonomous agents that write, test, and deploy code with no human in the loop," Norton said. "Alongside service accounts and other non-human identities, these agents are widening the visibility gap around who and what is operating across the software development lifecycle. BlueFlag's identity-centric approach addresses this shift by extending governance and behavioural analysis to a category of risk that many software supply chain security tools do not cover."

New tools

The developer behavioural risk analysis feature is designed to detect patterns that may indicate compromised credentials, insider threats or the early stages of a supply chain attack. These include large-scale repository cloning outside normal working hours, access to repositories outside a developer's usual scope and attempts to gain additional privileges.

The AI agent governance function is intended to cover both coding assistants used by developers and autonomous agents that can carry out software tasks with little or no human oversight. According to BlueFlag, the system applies governance controls such as behavioural baselines, anomaly detection, over-privilege scoring and audit trails. It also identifies unauthorised AI use and enforces approval workflows.

BlueFlag argues that existing application security tools often focus on scanning code for vulnerabilities and can miss activity across the wider development environment. Its analysis found that more than 75% of software development lifecycle risk is not visible to current application security products.

This reflects a broader shift in cybersecurity spending towards identity and access management as more organisations adopt automation in engineering teams. The rise of AI-based development tools has increased pressure on security teams to understand not only what code is being written, but also which systems are producing it and what permissions those systems hold.

BlueFlag has also entered strategic partnerships with Obsidian Systems, catworkx and knowmad mood, which it presented as a sign of customer demand for software development security tools that account for AI-related workflows and non-human identities.

Raj Mallempati, Founder and CEO of BlueFlag Security, said the company's growth reflects changing customer priorities.

"Attackers are not going after code - they are going after the identities and tools behind it. BlueFlag was built to close that gap, and the traction we are seeing tells us the market is ready. The question is no longer whether AI agents are in your development environment. They already are. The question is whether you are governing them," Mallempati said. "Our mission is to secure every phase of the software development lifecycle by delivering identity intelligence that creates a trusted environment for innovation."