A CEO’s Reflections: 6 Months In

Feb 23 2024/ceo/3 min read
A CEO's Reflections: 6 Months In
Sharing what I've learned as Cloudsmith's CEO, and how our customers use cloud-native artifact management to build with confidence.

This week marks six months since I joined Cloudsmith as CEO.  In that time, I’ve learned a lot from our customers that I’d like to share.

The world needs a SaaS artifact management platform.  Large software development teams want and need Cloudsmith.  We’re the only enterprise-scale multi-tenant SaaS alternative to the two main products that have dominated market share over the past decade - JFrog Artifactory and Sonatype Nexus.  Many of our customers and prospects tell us they’re anxious to switch to a cloud-native SaaS backbone that's inherently multi-tenant, where the vendor (that's us) manages one massive-scale instance that serves all customers.

There’s a real market for well-built, developer-friendly artifact management tooling.  Our competitors are building horizontally.  They’re adding native tools for things like CI/CD and security scanning.  We fundamentally believe differently.  We think developers want to use best-of-breed DevOps tools from vendors like Harness, CircleCI, Snyk, and Chainguard, rather than be pushed into accepting versions of these tools from their artifact management vendor.  So we focus on integrating with, rather than competing against, the most innovative companies in the DevOps ecosystem.  And we can do this better, because we’re SaaS.

Better artifact management is at the core of software supply chain security.  So we’re laser-focused on building a truly great artifact management platform.  One that developers and DevOps teams love.  That’s built to work at web scale, without the infrastructure hassles.  And we’re finding that developers agree!

Artifact management is now a must-have.  The early appeal of Artifactory and Nexus was to provide a local copy of artifacts, just in case the original source was temporarily unavailable.  That was a “nice to have,” but artifact management has morphed into a “must-have.”  I’m seeing four key trends driving the elevation of this requirement -

  • The explosion in use of open-source software (OSS) as ingredients in the software supply chain.  Where developers 10+ years ago might have used a few OSS packages here and there, today OSS makes up as much as 90% of all deployed code in production.
  • The rapidly growing threat environment in popular OSS registries like npm (Javascript), pypi (Python), Maven Central (Java), NuGet (.NET), and Docker Hub.  Malware and other vulnerabilities are lurking all across these indexes, and the bad guys are getting smarter and more aggressive.
  • The rise of containerization, along with the ubiquitous use of publicly-sourced containers as building blocks.
  • The recognition of the need to methodically structure and control the software supply chain, leading to standards like Supply-chain Levels for Software Artifacts (SLSA) and Secure Supply Chain Consumption Framework (S2C2F). 

Developer-native software distribution is a game-changer.  Many of our largest customers rely on Cloudsmith to deliver free and paid versions of their own SDKs and packages, relying on a combination of Cloudsmith repos, our global package delivery network, and our entitlement tokens to gate and monitor downloads.  Our capabilities here go well beyond what’s available from traditional artifact management vendors, and it’s a natural extension of our platform since we’re already cloud-native SaaS.

“Me-too” artifact managers are nice, but you quickly outgrow them.  We’ve seen the hyperscalers and source code platforms release their own artifact managers in recent years.  But we’re finding their ambition and feature breadth to be more suited to small teams, rather than the enterprise-scale development teams Cloudsmith is built for.  Using a hyperscaler-native tool like AWS CodeArtifact may be a good way to get started, but limited format support, analytics options, vulnerability scanning, and customizability seems to quickly push dev teams to look for more dedicated artifact management tools like Cloudsmith.

We’re committed to doing one thing - being the world’s software supply chain - and doing it incredibly well.  Give Cloudsmith a test drive at, or give me your feedback directly at

Get our next blog straight to your inbox