Veracode
Veracode scans 315 trillion lines of code for 2,400 organizations, led by CEO Brian Roche and L0pht co-founder Chris Wysopal.
Veracode was founded in 2006 by Chris Wysopal and Christien Rioux, two members of the L0pht hacker collective that had publicly demonstrated foundational software vulnerabilities to the US Congress in 1998. The company emerged from the consultancy @stake, which Wysopal helped build before its acquisition by Symantec. Its founding thesis was that application security required automated, repeatable assessment at scale rather than intermittent human review. The firm operates a multi-tenant SaaS platform that performs static, dynamic, and software-composition analysis across hundreds of programming languages. Its service covers the full software development lifecycle — from code creation through production — including AI-generated code and open-source supply-chain dependencies. Veracode reaches customers globally from its Burlington, Massachusetts headquarters and an EMEA office in London. Named references include HDI Global SE, Azalea Health, and multi-cloud environments integrating Veracode Fix for automated remediation. With roughly 700 employees, Veracode serves 2,400 customer organizations and has reported fixing more than 113 million software flaws drawn from its proprietary vulnerability database. In June 2025 the board appointed Simon Adell as Chief Financial Officer to lead financial operations for the next growth phase (per the firm, June 2025). The company runs from a LEED Gold-certified building and maintains a public commitment to governance and sustainability. Veracode retains a structural link to its hacker origins through Chris Wysopal's ongoing role as Chief Security Evangelist — a public-facing function that combines threat research with policy advocacy reminiscent of the L0pht era while the commercial entity is led by a professional CEO. This dual architecture allows the brand to maintain technical credibility with security practitioners even as it sells enterprise-wide risk software to C-level executives.
General information
Firm type: Asset Manager
Year founded: 2006
AUM: Undisclosed
Location
Region: North America
Country: United States
City: Burlington
Corporate office: 65 Blue Sky Drive, Burlington, MA 01803, United States
Additional offices: London, United Kingdom
Principals
Brian Roche: Chief Executive Officer
Chris Wysopal: Founder and Chief Security Evangelist
Christien Rioux: Co-Founder
Simon Adell: Chief Financial Officer
Anthony Barkley: Chief Strategy Officer
Karen Buffo: Chief Marketing Officer
Diana Bushard: General Counsel
Frequently asked questions
Who runs investment decisions at Veracode?
Veracode is not an investment firm; it is a privately held application-security platform company. Strategic and financial decisions are made by CEO Brian Roche and the executive leadership team, with oversight from its private-equity backers.
How is Veracode different from standard SAST or DAST scanning tools?
Veracode operates a platform rather than a point tool, combining static, dynamic, and software-composition analysis with AI-driven remediation guidance across the full development lifecycle. It also maintains a proprietary vulnerability database built from two decades of scanning data, which it uses to train its detection and fix-recommendation engines.
What is the significance of the L0pht connection to the company's current strategy?
Co-founder Chris Wysopal was a member of L0pht, a hacker collective that testified before Congress in 1998 about software security weaknesses. He continues as Chief Security Evangelist, a role that connects Veracode's commercial platform to the public policy and practitioner community that emerged from that era.
Does Veracode provide security coverage for AI-generated code?
Yes. The firm markets specific capabilities to scan and remediate vulnerabilities in code produced by AI coding assistants, a segment it calls the 'AI-coding era.' This functionality is integrated into the broader application-risk management platform.
Who owns Veracode now, and how has the ownership structure evolved?
Veracode was originally independent, acquired by CA Technologies in 2017 for $614 million, and then spun out as a standalone business backed by Thoma Bravo in 2018. It is currently held by private-equity investors, with Thoma Bravo having sold a majority stake to TA Associates in 2022 (per historical M&A records; not verified in provided firm materials).
What industries or customer segments does Veracode primarily serve?
The firm serves over 2,400 organizations globally, with case studies highlighting insurance (HDI Global SE), healthcare technology (Azalea Health), and cloud services (multi-cloud environments using Veracode Fix). It sells to both security teams and development organizations, with executive governance features targeting C-level buyers.
How does Veracode source threat intelligence, and is it shared with the community?
Veracode derives threat intelligence from its proprietary database, which is built from scanning trillions of lines of customer code. The firm publishes an annual State of Software Security report and periodic research such as its GenAI Code Security Update, which shares aggregated findings with the broader industry.
Profile maintained by Altss using OSINT (open-source intelligence), regulatory filings, licensed data partners, and verified direct submissions. Continuous refresh with full update cycles at least every 30 days.