Clover Security Raises $36M From Wiz Founders to Sell Security That Works Before Developers Write Code

By
Tomorrow Capital
1 min read

The $36 Million Question: Why Smart Money Is Betting Against Security Scanners

The Death of Reactive Security

When Alon Kollmann declares that a decade of application security tools are merely "smarter fire alarms" for a "straw house," he's not posturing. The Clover Security co-founder, who emerged from stealth November 25 with $36 million from Notable Capital and Team8, is articulating what industry data already screams: reactive scanning cannot survive the AI era.

The mathematics are brutal. AI agents now generate code 10 times faster than human developers, while security capacity remains fixed. The gap compounds daily. More damning, 80 percent of 2025 breaches stem from design flaws—insecure integrations, flawed data flows—that no post-implementation scanner can prevent. SAST, DAST, and even "AI-powered AppSec" tools detect symptoms after developers have moved on, leaving security teams to fight yesterday's fires with tomorrow's codebase already burning.

Clover's thesis is simple: security must embed where products begin—in Confluence documents, Jira tickets, Slack conversations—not where they break. The company's AI agents ingest organizational context, learn system architectures, and guide design decisions before a single line of code exists. Financial services firms, enterprise software builders, and companies like Udemy and Lemonade are already paying "multi-million-dollar revenue" for what Kollmann calls "3-4 virtual security engineers" per customer.

Clover's Bet: Security Before Code Exists

The timing isn't coincidental. Three forces converge in 2025: autonomous AI agents are making architectural decisions at machine speed; new threat modeling frameworks specifically for AI systems are proliferating; and traditional ASPM tools remain stubbornly post-implementation. When marketing teams can spin up applications in hours using no-code platforms, the old security model—scanning artifacts after deployment—becomes structurally obsolete.

Clover positions itself between threat modeling tools (often workshop-based templates) and ASPM platforms (still scanner-centric). The company parses natural language architecture documents and messy diagrams, building organization-specific knowledge graphs that detect drift between design intent and implementation reality. It's not preventing SQL injection; it's preventing the architectural decisions that make SQL injection possible.

The market validates the approach. Application security is forecast to reach $25-30 billion by 2030, with AI-in-cybersecurity segments growing above 20 percent annually. Forrester calls 2025 a "turning point" where traditional scanning becomes obsolete as AI models reduce known vulnerabilities but introduce novel design flaws in RAG pipelines and agentic workflows.

The VC Calculus: Priced for Perfection

Yet the investment thesis reveals uncomfortable truths. A "$36 million seed" with Wiz founders Assaf Rappaport and Yinon Costica plus Check Point co-founder Shlomo Kramer isn't really a seed—it's a Series A in Israeli cyber clothing, likely carrying a valuation that assumes Wiz-scale outcomes.

The internal VC memo is bracingly honest: "High-signal, high-expectation bet that 'secure design' will become its own platform layer." Translation: investors are underwriting category creation, not just a good product. With ~40 employees planning to double and "low- to mid-single-digit million ARR," Clover faces compressed runway pressure to hit $20-30 million ARR before down-round risk materializes.

The bullish case depends on three assumptions: that design-time security becomes a standalone budget line rather than an ASPM feature; that Clover's organization-specific knowledge graphs create real moat against LLM commoditization; and that regulatory tailwinds (EU AI Act enforcement ramping 2026) mandate documented threat modeling. If all three hold, a $2-5 billion outcome is plausible.

The Real Risk No One's Discussing

But the VC memo identifies the existential threat: "category absorption risk." ASPM incumbents, cloud platforms like Wiz and Palo Alto, and hyperscaler security copilots may ship sufficient design guidance that Clover becomes a nice-to-have add-on, not a system of record. The exit then looks like a $300-700 million tuck-in, not an independent platform.

More fundamentally, secure design is process and culture, not just tooling. Tools that arrive too late or generate too much noise get bypassed regardless of technical merit. If security teams cannot socialize Clover into standard workflows, usage plateaus even with strong early sales.

The ultimate irony: Clover's success depends on changing how organizations build software—precisely the cultural shift that has defeated security tools for decades. The difference this time is that AI agents, not humans, are the obstacle. Whether that makes the problem easier or impossibly harder will determine if reactive security truly dies, or merely rebrands.

NOT INVESTMENT ADVICE

You May Also Like

This article is submitted by our user under the News Submission Rules and Guidelines. The cover photo is computer generated art for illustrative purposes only; not indicative of factual content. If you believe this article infringes upon copyright rights, please do not hesitate to report it by sending an email to us. Your vigilance and cooperation are invaluable in helping us maintain a respectful and legally compliant community.

Subscribe to our Newsletter

Get the latest in enterprise business and tech with exclusive peeks at our new offerings

We use cookies on our website to enable certain functions, to provide more relevant information to you and to optimize your experience on our website. Further information can be found in our Privacy Policy and our Terms of Service . Mandatory information can be found in the legal notice