Companies that use Semgrep

Source: Analysis of job postings that mention Semgrep (using the Bloomberry Jobs API)

My analysis shows that Semgrep purchases are primarily driven by information security leadership, with 9% of roles being Director-level security positions responsible for buying decisions. These leaders are hiring for strategic priorities including secure SDLC implementation, DevSecOps pipeline integration, and vulnerability management at scale. The remaining leadership roles span VP of Customer Experience, Head of Technical Security, and Director of Engineering positions, all focused on embedding security into software delivery without slowing development velocity.

The day-to-day users are predominantly application security engineers (43%) and DevOps/SRE professionals (16%) who integrate Semgrep into CI/CD pipelines, conduct code reviews, and triage findings. These practitioners use Semgrep for SAST scanning alongside other tools like Snyk, Veracode, and CodeQL. They're responsible for writing custom rules, reducing false positives, and partnering with development teams on remediation. Several postings emphasize hands-on work with GitHub Actions, GitLab, Jenkins, and container security.

The core pain points center on scaling security without friction. Companies want to "shift security left by embedding SAST, DAST, and SCA tools directly into modern CI/CD pipelines, eliminating security bottlenecks." They're seeking to "make it safe to build fast, not to slow things down" and deliver "security that learns as they build." Multiple postings emphasize the need to "reduce false positives" and provide "actionable, high-fidelity results" that developers can actually use, revealing frustration with legacy security tools that interrupt workflows rather than enabling them.

Source: Analysis of Linkedin bios of 256 companies that use Semgrep

I noticed that Semgrep users are predominantly technology companies building software platforms and digital infrastructure. They're not just "tech companies" in a vague sense. They're financial services firms processing billions in transactions (Chime, Airwallex, Klarna), digital banks reimagining core banking systems (10x Banking), cryptocurrency exchanges and blockchain platforms (Crypto.com, Fireblocks, Gemini), and SaaS companies delivering everything from project management to healthcare AI. Many are building what they call "platforms" rather than simple products, like Dremio's "Agentic Lakehouse" or Cribl's "AI Platform for Telemetry."

These are primarily growth-stage and mature companies. I see Series C through Series E funding rounds (ClickUp raised $400M Series C, Grafana Labs $270M Series D), public companies listed on NASDAQ and NYSE, and established players with thousands of employees. Many mention serving millions of users or processing billions in transactions. Even the smaller companies by headcount often describe handling massive scale, like Abridge's "300M funding" despite being 200-500 employees.

Source: Analysis of tech stacks from 256 companies that use Semgrep

I noticed that Semgrep users are predominantly high-growth tech companies with strong engineering cultures and serious security postures. The presence of HackerOne at 2319x the baseline rate tells me these companies run bug bounty programs and treat security as a competitive advantage, not just compliance. The combination with tools like Golinks (internal productivity) and Cursor (AI-powered coding) suggests engineering teams that optimize aggressively for developer velocity while maintaining tight security controls.

The pairing with Statsig is particularly revealing. Companies running feature flags and experimentation platforms alongside Semgrep are shipping code constantly and need automated security checks to keep pace with their release velocity. They can't afford manual security reviews for every deployment. Similarly, Cursor appearing 452x more often shows these teams embrace AI-assisted development, which introduces new code quality risks that static analysis tools like Semgrep help manage. The ZipHQ correlation suggests these are companies focused on automating operations and reducing friction across the board.

These companies are clearly product-led, high-velocity organizations. Slack Enterprise Grid appearing 1131x more often indicates they're past the startup phase with distributed teams requiring enterprise-grade collaboration. They're likely Series B and beyond, scaling fast enough that security and code quality need automation to avoid becoming bottlenecks. The overall stack screams modern engineering practices: ship fast, automate everything, measure constantly, and secure by default.