---
title: "What Cloudsmith’s Series B Means for Our Customers"
description: "Today we announced Cloudsmith is officially a Series B company. This $23M fundraising round was led by TCV, with participation from Insight Partners, as well as most of our existing investors. "
canonical_url: "https://cloudsmith.com/blog/what-cloudsmiths-series-b-means-for-our-customers"
last_updated: "2025-03-03T13:04:35.000Z"
---
# What Cloudsmith’s Series B Means for Our Customers

##### [We’ve raised $72m in Series C](https://cloudsmith.com/company/series-c) financing, led by [TCV](https://www.tcv.com/partnerships/cloudsmith) and [Insight Partners](https://www.insightpartners.com/portfolio/cloudsmith), with participation from our existing investors, to build the operating system for the modern software supply chain. The timing matters because AI is changing what it means to build software.

Cloudsmithers love creating software.

We’ve been doing it long enough to see the internet change how we distribute software. We’ve seen open source change how we reuse components. We’ve seen CI/CD change how we build and deploy. We’ve seen cloud change how we run infra. We’ve seen SaaS change how we architect applications.

With each evolution, we expand what developers can achieve and how quickly they can move. We evolve our way of working and the tools we use. AI may be the most consequential evolution yet because it touches every area I just listed.

Developers will always play a central role, even as bots update dependencies, CI/CD systems continuously consume artifacts, agents write code and push changes through systems at a scale that humans can’t manually review at the same pace. Developers know what to build and why, but there’s been a change in the laws of physics for software.

This change is exciting. It _should _be exciting!

We want developers to move faster. We want teams spending less time fighting infrastructure and more time building things that matter. Our tools must make building software safe, so we trust developers to run at maximum tilt.

```json
{
  "_key": "714af1cf0224",
  "_type": "quote",
  "content": [
    {
      "_key": "5b59b61ff455",
      "_type": "block",
      "children": [
        {
          "_key": "b32b0fd3e2f7",
          "_type": "span",
          "marks": [],
          "text": "Software is becoming easier to create than to trust."
        }
      ],
      "markDefs": [],
      "style": "normal"
    }
  ],
  "markDefs": null
}
```

Cloudsmith sits at a critical point in the trust chain. That is why this Series C matters: it gives us the fuel to deliver on that promise at a time when software is becoming easier to create than to trust.

### Artifact management was always the control point

When Cloudsmith began, artifact management was still seen as busywork and plumbing - necessary, but boring. You wrote code, pushed packages somewhere, pulled them into another system, and moved on. But Cloudsmith didn’t see it that way.

When you think about how we construct software, source code matters, but really, most software actually exists as “artifacts” - our word for packages, containers, dependencies, metadata, SBOMs, signatures, provenance, and builds.

Artifacts are the threads that connect modern software creation, consumption, governance, and delivery.

Artifact management was seen as repositories, storage, and developer convenience - a place to hold packages. But things have gotten… complicated. The explosion of open-source packages, evolving threats to the software supply chain, and the rise of agentic AI software development have shown that artifacts are, in fact, the critical control point.

Cloudsmithers are true believers. The market has now caught up with that belief.

```json
{
  "_key": "caf3e5033075",
  "_type": "quote",
  "author": "Lee Skillen",
  "authorRole": "Co-founder & CTO, Cloudsmith",
  "content": [
    {
      "_key": "105115cc259c",
      "_type": "block",
      "children": [
        {
          "_key": "fbccf638cb08",
          "_type": "span",
          "marks": [],
          "text": "There were easier ways to build Cloudsmith. But we had the conviction that artifact management is what ultimately mattered most. We chose to focus on the fundamentals: simple by design, secure by default, and genuinely cloud-native. We also chose to build a multi-tenant-only platform that would benefit everyone plugged into it. That was not always the cheapest approach, nor was it always the obvious one. But we believed it was the right one."
        }
      ],
      "markDefs": [],
      "style": "normal"
    }
  ],
  "markDefs": null
}
```

### Software and AI have entered the age of assembly

Software is assembled far more than it’s authored. We build software by combining ingredients - what developers call “dependencies” - into something useful. The flow of ingredients is what we call the software supply chain. The shift from “write code myself” to “assemble software from components” has been happening for decades; AI agents have accelerated this to a breathtaking scale.

Think of this as the AI software factory - a place where we build pipelines for AI to assemble software. Humans decide what to build and oversee the process. Agents write and change the code. CI/CD systems build and test the components they produce. Partner tools inspect them. Registries and package managers supply additional ingredients. Deployment systems ship the final product.

[GitHub showed at Octoverse 2025](https://github.blog/news-insights/octoverse/octoverse-a-new-developer-joins-github-every-second-as-ai-leads-typescript-to-1/) that over 1.1 million public repositories import LLM SDKs, with 518 million merged PRs, growing 29% annually. I’m certain that’s accelerated in the past 6 months.

Every dependency use is a trust decision, and every artifact has provenance: where it came from. Every artifact should also have a policy: how it should be used. And every artifact has ownership: who is responsible for it. Because every artifact has a blast radius: what happens if it is vulnerable, malicious, or misconfigured?

These decisions matter, whether you make them explicitly or you just let them happen. We’ve collectively let our guard down when it comes to software supply chain trust, and threat actors know it. Their attacks are increasing, they’re creative and ever-changing, and they’re effective enough that every serious organization has to care.

The [tj-actions/changed-files compromise](https://github.com/tj-actions/changed-files/security/advisories/GHSA-mw4p-6x4p-x5m5) in March 2025 affected more than 23,000 code repositories and exposed CI/CD secrets in workflow logs. Axios, one of the npm ecosystem’s most widely used HTTP clients, was [compromised](https://cloudsmith.com/blog/axios-npm-attack-response) (April 2026) through malicious npm releases that deployed a cross-platform Remote Access Trojan (RAT), at a scale of 100 million downloads per week. Those represent huge surface areas of potential impact.

Despite these incidents, we’re going to keep building software using components, and if anything, we’re speeding up. “Don’t use dependencies” isn’t an option. The only viable path is forward - to control the flow of components (we’d say “artifacts” at Cloudsmith).

```json
{
  "_key": "6ad81b3826cb",
  "_type": "image",
  "alt": "Diagram of an AI software factory showing intent, developers and AI agents, build and test, and deploy and distribute stages, with Cloudsmith as the artifact control plane connected to upstream sources and partner signals.",
  "asset": {
    "_createdAt": "2026-04-23T08:40:58Z",
    "_id": "image-3cb818df1dd9f49a04840ae8275a2accbc1ef585-8148x4846-png",
    "_rev": "BVg7UCz3lkdoBQLwbEPitP",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2026-04-23T08:40:58Z",
    "assetId": "3cb818df1dd9f49a04840ae8275a2accbc1ef585",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MFRfhC_2?ZRnW=[AOsOYt6bH}%OrOXt6WV",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.6813867106892282,
        "height": 4846,
        "width": 8148
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACSklEQVR4nFWR2W4bORBF9f9/NAgyQR6CAeKxY0u2LMXa45ZkqVfuS5Mn6HaCIA8HuKxL3CqyJiEmrPdYH4h9Ig3ESK8MsRL0taBvFa5ssZeGWEv6qiNeW2ItCJXAXRpCo/C2Z2JdoGw66k7inCdaR+wUfn9C3i7Q999xyz3d7YLmZo593mEeVqj/n3HzLWq2ovxvhnjc4BrNxIVIJzVCGbzzBKnxdYvZHilv5jR3S8z3A823JfXtYtRiuqK6maOfd3SzNccvU+rZGtsoJn2fiX0/PrcfcIFoHK4WiMMZVVzxZYs+XdHFZdTmVI7e8AX2raLdFqhTiTOeSR/Bu4TRCWsS0Wf6mHEmIGuFaAxKemRrkLVGCYdsNF0pkYNuLeLSoTuD84mJM5nra2C3MBSb4XLCeyhFZnUMzA+Op71lvjc87d6ZbTSPG8XTzo7e8uB4LSPCwsSqTLHyzL8KVlNNe0lom9mX8HWd+Dx3/DvTIx8fFB/uBf/cdXy4l3ycaj49Wr4sI/MiUyuYBAftNXLaW66Fx8iM8/DWweKYmf3ome4jD/vAt63jbm24XZtRD/XZIfL0mtiVmc4wLAVizOM/Bj8shhFhMuc2cWzeOVwDL4VmcZAsf0i2Z0tR//FLmVBuCEyQ8kD+BQw1aTNvXeI0hvZszobHTcP9S8nDS8XyIHgtw+gPjavfgXGYKP1NSKBcplLvna8iUVSO7UmxOUq2R8nhojm3cfQHWpPQflhKABf/xkYwAZQH6QYywiaE7d8xPXI8518+Y9gw4U/DJI/H2ZurXQAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0b408d",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#09377a",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#bfd7fa",
          "foreground": "#000",
          "population": 8.4,
          "title": "#000"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#a6b3d1",
          "foreground": "#000",
          "population": 2.35,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#bfd7fa",
          "foreground": "#000",
          "population": 8.4,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7082a5",
          "foreground": "#fff",
          "population": 1.09,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#126bec",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        }
      },
      "thumbHash": "uwcCFIT/g6WDl2eNl4KZbX/3xQ=="
    },
    "mimeType": "image/png",
    "originalFilename": "The AI Software Factory_V3.png",
    "path": "images/rafvlnhi/production/3cb818df1dd9f49a04840ae8275a2accbc1ef585-8148x4846.png",
    "sha1hash": "3cb818df1dd9f49a04840ae8275a2accbc1ef585",
    "size": 769390,
    "uploadId": "L38Dbda79hQmw0XXOH9Q2RSqdOunaeo2",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/3cb818df1dd9f49a04840ae8275a2accbc1ef585-8148x4846.png"
  },
  "caption": "Cloudsmith underpins the AI software factory as the artifact control plane, helping teams and agents record, govern, and deliver software components as they move from upstreams to production.",
  "link": {
    "_type": "link",
    "href": "https://cdn.sanity.io/images/rafvlnhi/production/3cb818df1dd9f49a04840ae8275a2accbc1ef585-8148x4846.png?q=100&fit=clip&auto=format",
    "linkType": "href",
    "openInNewTab": true
  },
  "markDefs": null
}
```

### Automating the control point for the new age

Humans have traditionally been the control surface for the software supply chain. Developers are trained to pull packages from public registries. For example, every Python 101 course teaches “pip install” on the first day, accepting that the default target is PyPI. It’s not until advanced courses (if ever) that developers start asking, “Where exactly do those packages come from, anyway?”

As you assemble teams to build software, you typically add some rigor to dependency management, with manual reviews, metrics, logs, and dashboards. You might already have reactive security scanning that blocks unwanted packages when PRs are merged, at the end of the development process. But that approach no longer scales. To keep up with modern software velocity, teams need automation, along with, by default, machine-enforceable, context-rich guardrails that are fast enough to prevent bottlenecks.

Cloudsmithers are optimistic by nature. We’re not into fear, uncertainty, and doubt. We’re more about clarity, control, and confidence. Clarity means knowing which packages are being used. Control means governing how they move and how they are distributed. Confidence means developers and agents can move fast without breaking trust.

Visibility here matters - we need SBOMs, SCA, and inventory tools to see and understand the software supply chain. But we actually need more than to see the problem space; we need to control it. That’s what makes artifact management so critical to governing the software supply chain.

We say at Cloudsmith that you need visibility to get control, and you need control to get security. Security is ultimately a by-product of strong controls and visibility.

Cloudsmith isn’t an application security tool; we’re infrastructure, and our role in the modern software factory is to serve as the artifact control plane. We sit where software components cross boundaries: from upstreams into the enterprise, from developers into builds, from builds into environments, and beyond. Cloudsmith is where you manage software artifacts, attach metadata, prove provenance, enforce policy, and govern distribution.

Stronger security is a by-product of a stronger underlying control point.

### Cloudsmith 2.0: the operating system for the modern software supply chain

Cloudsmith 2.0 is our vision for the operating system of the modern software supply chain. It’s our underlying architecture, and it’s what makes Cloudsmith more than just a registry service for artifacts.

We use the operating system metaphor deliberately because operating systems are foundational. They provide shared primitives and guarantees that make it easier, faster, and safer to build complex systems. The modern software supply chain needs the same thing: artifact identity, metadata, provenance, policy, audit, routing, caching, and delivery, all working together across a global graph of producers, consumers, partners, and ecosystems.

The Cloudsmith 2.0 operating system is built around three core layers:

- A record layer that gives you a durable source of truth for artifacts, identity, metadata, and provenance.
- A control layer that lets you make fast, enforceable, and auditable decisions.
- A delivery layer that distributes software efficiently to your developers, pipelines, and external customers.

Partners can plug data, signals, workflows, and expertise into those layers, while customers build their own software supply chain workflows on top. Together, those layers turn artifact management into a shared data and control plane, where components are governed and delivered at web scale.

Cloudsmith is built for this because we are global, cloud-native, and multi-tenant by design. Our DNA is different from legacy, per-installation, single-tenant registry architecture that dominated the artifact management space before we came along. The Cloudsmith 2.0 operating system means package health intelligence, actionable feedback, data pre-computation, and fast policy decisions compound across the ecosystem.

A big benefit of Cloudsmith 2.0 is that more work can be done in advance. Artifacts are ingested, canonicalized, enriched, stored, and linked before they are requested. Actionable policy decisions happen quickly because the system already has the data. Software delivery is more predictable with a platform built on global routing, caching, and connectivity.

That’s pretty technical, but the outcomes are clear: safer, faster software, at any scale. One signal protects many customers. Each trusted record reduces duplicated work. A unified control plane helps cross-functional, distributed teams make better trust decisions and consume software with the right evidence and controls.

```json
{
  "_key": "1ff3c1cff31f",
  "_type": "image",
  "alt": "Diagram showing Cloudsmith 2.0 as an operating system for the software supply chain, with producers feeding into record, control, and delivery layers, consumers receiving governed artifacts, and an open ecosystem plugging into the platform.",
  "asset": {
    "_createdAt": "2026-04-22T18:47:34Z",
    "_id": "image-39e5adebec677ca80fe93e605b23e1ed578b13e2-8148x4846-png",
    "_rev": "wYOrN0S6F2J0jKs3sP782G",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2026-04-22T18:47:34Z",
    "assetId": "39e5adebec677ca80fe93e605b23e1ed578b13e2",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MRRD7ubK~7t7E5g5WBxVa|NI-oawIuayxV",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.6813867106892282,
        "height": 4846,
        "width": 8148
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACGUlEQVR4nG2S3U4bMRCF8/6vUhC090DvCKRcAUGqiMImhLA/ySbrXf/bX2UvKhXqxScfz3iOxvZMrI9I7eilYVAW4wIugHbQGxAKug+STrGU8xHCF4yDidSBslWsqp5NI9kLhzSRqoP5JnK39MwWNpN0iqWc9RDjJ8nQjoaR6mBZN4bNzrIXgcHASxO5mnu+zwyn04GTqeR8Zriah5xL3fzX0HnQNjKYyKAjxqY9vNRwOfeczyynU8npjcr68jHknHGRGD8JMY6GIUDC+5HgyaajYeBsZjm5lny7llmn2GgYiMERg81rCB7rIhPvQMtIf3SI1iFFQMnR8Oop8uPOcXarObtVWafYSx3QWmJlgxTv6L7C6SPWOiYu/eTesy0G1gvBbmsQXWRZxdzN+S/HyVTlN0wdXjwGlpVD9i2iWVCuH9i9PaG7DcYoJs5CfwjUG8V2NdDWlqGPbPaR24Xj59xwca+4uJdcPmhuni2bvUPLI31b0Gx/c6ie0aLEGM0kvZvRESUDcvBoFTEm0vaOdaNZ1Zqi0hSlYllKiiqNlsnFVvco2WGUwBmFseHLL5s0MpFOeupW8lZ3bHc920Zk/VodWZcHyv1AN7jxvA6kWVYmogxM0jz1OnKQiZDXprO81QOrUvyleO8oth1F2fFa99RH+1EzIlREJkNpyYMs9CddMh58vnbiMDj2wtKKtLc5ls78W5M8egV/AM1GkvUJRGFoAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#073f91",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#06367e",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#acccfb",
          "foreground": "#000",
          "population": 5.32,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#a5b9d7",
          "foreground": "#000",
          "population": 0.15,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#acccfb",
          "foreground": "#000",
          "population": 5.32,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#718ab4",
          "foreground": "#fff",
          "population": 1.81,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0b69f3",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        }
      },
      "thumbHash": "u/cFFIL3R6h3eYZ7dYj2dXpflw=="
    },
    "mimeType": "image/png",
    "originalFilename": "Cloudsmith 2.0_V2.png",
    "path": "images/rafvlnhi/production/39e5adebec677ca80fe93e605b23e1ed578b13e2-8148x4846.png",
    "sha1hash": "39e5adebec677ca80fe93e605b23e1ed578b13e2",
    "size": 662403,
    "uploadId": "5KxBm3ewxN8metEX7v52KDnLlxO6rLhO",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/39e5adebec677ca80fe93e605b23e1ed578b13e2-8148x4846.png"
  },
  "caption": "Cloudsmith 2.0 combines record, control, and delivery into a global software supply chain operating system, open by design so partners and customers can plug in data, signals, and workflows.",
  "link": {
    "_type": "link",
    "href": "https://cdn.sanity.io/images/rafvlnhi/production/39e5adebec677ca80fe93e605b23e1ed578b13e2-8148x4846.png?q=100&fit=clip&auto=format",
    "linkType": "href",
    "openInNewTab": true
  },
  "markDefs": null
}
```

### Accelerating Cloudsmith’s vision with partners, investors, and customers

Our Series C financing is fuel for the mission we’ve been on since we started.

We will accelerate Cloudsmith 2.0, with AI-native workflows, stronger software supply chain controls, a deeper automated policy engine, richer provenance and insights, package-aware delivery and connectivity, and more pluggability with partner tools.

Cloudsmith believes in partnerships. Surprisingly, this is still a fairly radical notion in the artifact management market. But we just don’t think any one vendor will supply the definitive scanner, CI/CD pipelines, security data source, and workflow tooling an enterprise needs. The better approach is an open control plane where partners combine their signals, workflows, and expertise into a central software component control point.

And our partners are in agreement:

- _“Docker has always been where developers build and ship software, and security has to be the default, not an afterthought. Docker Hardened Images and Docker Hardened System Packages set a new standard for trusted containers. With Cloudsmith, enterprises can manage those hardened components at scale and deliver secure software without friction."_ — Don Johnson, CEO, Docker
- _“Cloudsmith has become one of the most important pieces of infrastructure in the modern SDLC - the cloud-native artifact registry that replaces legacy tools and actually scales with how enterprises ship software. Our joint customers integrate it with Endor Labs for malicious package firewalling, function-level reachability, and automated remediation. That combination is powerful for securing the AI coding era.”_ – Varun Badhwar, Founder and CEO, Endor Labs
- _“Cloudsmith has been a great partner with Aikido. We're both re-inventing what it means to secure the software supply chain. We're seeing Cloudsmith a lot more in our customer base, and they're great to work with.”_ — Roeland Delrue, Co-founder and COO, Aikido

Software supply chain attacks, regulatory pressure, and enterprise platform consolidation make artifact management a board-level concern.

Enterprises see artifact management platforms as the crucial enabler of engineering speed, security control, compliance evidence, and software trust.

Our lead investors, TCV and Insight Partners, understand that shift. They invested in our Series B last year, and we’re grateful for their growing belief and conviction:

- _“Having led Cloudsmith’s Series B and now its Series C, TCV is proud to deepen our partnership with a company we see as defining artifact management for the AI era. As AI shapes the software supply chain, we believe Cloudsmith is uniquely positioned to become a platform enterprises rely on for compliance, control, and security at global scale.”_ — Morgan Gerlak, Partner, TCV
- _“In an era increasingly defined by AI-driven development, securing the software supply chain is critical. As a cloud-native offering, Cloudsmith is well-positioned to do this – providing the scale and reliability needed to power enterprise and AI-driven builds and mitigate emerging risks. We believe in Cloudsmith’s vision to secure the software supply chain by serving as a curated, AI-ready solution for enterprises of all sizes.”_ — Thomas Krane, Managing Director, Insight Partners

Customers, of course, are the [real proof](https://cloudsmith.com/customers). We’re serving a rapidly growing range of technology and software companies, AI startups, mid-market companies, and mainstream enterprises. They all want a software supply chain that’s fast enough for developers, safe enough for security teams, clear enough for audit and compliance, scalable enough to keep up with their ambitions, and simple enough that it just works.

```json
{
  "_key": "a0fa569db5ef",
  "_type": "quote",
  "author": "Michael Boldischar",
  "authorRole": "Software Engineering Manager, Thrivent",
  "content": [
    {
      "_key": "e35a42120ac6",
      "_type": "block",
      "children": [
        {
          "_key": "9fc7c8005cfd",
          "_type": "span",
          "marks": [],
          "text": "Cloudsmith just works - whether it’s failover, automation, or support. It’s the first platform we’ve used that feels like a true partner in how we build and operate software."
        }
      ],
      "markDefs": [],
      "style": "normal"
    }
  ],
  "markDefs": null
}
```

### We built Cloudsmith for this moment

We’d like to think that the best infrastructure companies are ahead of their time, and that the foundations Cloudsmith laid down years ago are paying off today.

In the compiler era, we converted human intent into reliable software. In the cloud era, we operated software at a global scale for the first time. In the AI era, we need to figure out how to use and trust software that’s created, assembled, and changed faster than humans can manually inspect or even fully understand.

Cloudsmith is here to help answer that question.

```json
{
  "_key": "ea1beb155693",
  "_type": "quote",
  "author": "Alan Carson",
  "authorRole": "Co-founder & Chief Strategy Officer, Cloudsmith",
  "content": [
    {
      "_key": "7a95f59657e6",
      "_type": "block",
      "children": [
        {
          "_key": "841f5a67e94e",
          "_type": "span",
          "marks": [],
          "text": "When we started, artifact management was not a sexy part of developer infrastructure. It was seen as low value. Open source was ‘free’. But we could see the risks emerging as more and more software teams increasingly relied on packages, registries, and automation. That dependency is now massive, and so is our responsibility."
        }
      ],
      "markDefs": [],
      "style": "normal"
    }
  ],
  "markDefs": null
}
```

A heartfelt thank you to our customers. You’ve trusted Cloudsmith, sometimes before it was obvious why our software category was so important. You’ve consistently pushed us to build better because you rely on us for critical infrastructure, engineering, security, and platform workflows. We take that responsibility seriously.

Every Cloudsmither can take pride in our passion for our craft and in the hard work that has made Cloudsmith the company it is today - a special place. The market is pulling toward the problems we set out to solve from the beginning. This is our moment, and it’s time to earn it.

We’re by developers, for developers, and we always have been. We feel a kinship with the builders, platform teams, security professionals, and enterprise leaders who want to build safely in the age of AI. Because software is becoming easier to create than to trust.

That’s enough pontificating for now.

We’ve got Cloudsmith 2.0 and the future of the software supply chain to build.

Harder. Better. Faster. Stronger.

That’s what I want for Northern Ireland’s software sector. And we are doing it together.

Northern Ireland is a great place to live. Culturally, we are a country of innovators and builders, and it is already a great place to build software. Whether you are starting something new or want to contribute to systems and tools used all over the world, the software industry in NI is well-established.

Yes, we have our challenges as a country, just like anywhere else. But we have an exciting and emerging startup ecosystem, circling venture capital, and we are the software development headquarters for big companies like Aflac, Allstate, and Liberty Mutual. And we finally have an official LEGO store.

I left Northern Ireland two days after graduating from Queen’s University Belfast in 2002, and lived in the United States and then England for a few years. But soon the love of grey skies pulled me back home and into a job at a newly minted startup, albeit one that struggled to find its feet. 

After moving on from my first NI-based startup. I then watched Danny Moore sell Wombat Financial Technologies to the mighty New York Stock Exchange in 2008. This was a signpost of what is possible with great leadership and execution. So when Lee and I founded Cloudsmith, our goal was, and still is, to build a world-class product company headquartered in Belfast.

There are many challenges with building a business, especially in a small country with just under 2 million people. We have great universities in Ulster University and Queen’s (and not forgetting our friends at the Open University), producing a steady stream of graduates; there is a growing talent pool and lots of opportunity for innovation.

Those who have tasted success can inspire, guide, and expand the limits of what is possible.

It's pretty unusual to be more than two degrees of (Kevin Bacon) separation away from anyone from Northern Ireland here. We witnessed firsthand the power of diaspora: Northern Ireland looks out for its own, and we made connections all over the world with folks who left to seek their fortune in faraway lands. Some have been absolutely key to Cloudsmith’s success to date, and it’s always a pleasure to hear the unmistakable accent come back at you over Zoom.

We need more success stories. We need to show the workforce that share options are worth something. We need more exits. We need to create more wealth.

I’ve seen the power of being in a well-funded startup with great, founder-friendly early-stage backers (thank you, Techstart, Frontline, and MMC) that can elevate you to take on the competition.

How do we get more money into Northern Ireland companies? How do we get the light from Sauron’s Eye shining on our little country? OK, that sounds ominous, but I mean it in a good way. How can we position ourselves as a hotbed of innovation and talent, to rival Silicon Valley or Tel Aviv?

That is something we are tackling at Software NI, but we need all the help we can get. [**Software NI**](https://softwareni.co.uk/) is dedicated to making Northern Ireland a global leader in technology and software innovation through community, education, advocacy, and support. Everything from championing software literacy in schools to affecting governmental policies to ensure software is part of our future.

We welcome you to engage with the community at the new [**Sales & Scale conference**](https://salesandscale.com/), organized by Software NI. The inaugural event will take place on Thursday, 26th March, in The Mac. It promises to be an excellent opportunity to listen to industry leaders, including Danny Moore, discuss how they scaled their businesses and created value. I’ll be there too :)

Remember, Northern Ireland is amazing, Cloudsmith is building something great, and Software NI is striving to create an ecosystem where people and software companies of all shapes and sizes can thrive.

Our mission at Cloudsmith is to provide development, DevOps, and platform engineering teams with an incredibly powerful, easy-to-use tool for controlling and securing software artifacts globally. We build features with the enterprise in mind–features that provide centralized management and policy enforcement across hundreds of teams and thousands of developers.

We have an ambitious vision to run the world’s software supply chain more efficiently, more securely, and more intelligently than is possible with the traditional set of tools available in our market.

To that end, we made fantastic progress in 2025 in extending the reach of Cloudsmith to organizations new to enterprise-grade artifact management platforms, as well as organizations upgrading from legacy vendors to meet their internal scalability and security requirements. Let’s review some key milestones we achieved in 2025 with our customers and partners.

```json
{
  "_key": "0c908ae1453d",
  "_type": "image",
  "asset": {
    "_createdAt": "2025-12-19T16:01:19Z",
    "_id": "image-0a82e4993eb763619ebb7e488f850de6d3e8dc62-2400x5110-png",
    "_rev": "0yqNTZaj30x9njDOtgT7Lv",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-12-19T16:01:19Z",
    "assetId": "0a82e4993eb763619ebb7e488f850de6d3e8dc62",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "c35r=N$,5E.Rn4Ie$ztVNaMdTJxwI6S,-l",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.46966731898238745,
        "height": 5110,
        "width": 2400
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAArCAYAAAB4pah1AAAACXBIWXMAAAsTAAALEwEAmpwYAAAJe0lEQVR4nG2W2W8b1xXG+RhR4r6L1C7LshPJNjkzXIY7xW24czhctFGLN1nxHlmyY6dJ3bpoFgOFm6J1CjRo0ZcCfeg/0D7l7/oVM3LcIOjDh3PvnTvf3c75zjHZYtexxs+ht22xQ6zSJlPhOparZSzX/j+m9G8/+W69VjGsKVD+itna18w3vmGh+Zr5+jf4C89xxncIJLss5Pssl0aGnctpLG0MuVAasVwcsVgYGP1L1W1WK9vMZFRMM/VvWer8kVXtLZe0t1xQ/0Sw+jWezD3m8ltcVnYIdw5Zq4+NHz+qj7nWPiTcuc6V1j7rjT2E7g3C7UNjAZM7c4Ivf0pg48yAv3CKO/MYZ+I67ngPX7zNdLJLQO7gi7fwJc770ynVOIEv0cYvd/An2rikOiZnVGMmu8NicZ/FjT1m87v45CHuaBd/rINP6uAVO3ilNi6xiTvWZjrdI5Tt44m3sQoNbFEVe1TDEqlj8kRbXFJ2iWq3iQ+OuNI6IJjp4o01WE4PWM2MuZges5QaMS13mc8PCXdvIGq3WCqOcCc0QpUHzFQfYY+qmNzRFhdKW+8n6XfkTbRwCg0u58ZkavcNfJTfJ5BQDUJBvUGsf5uLlS18qRHzzecsND/DEevrR24yXxhwubbLh40xK5Utg9AXbbHRucnTByc8f/yEqnabYEIjkFS5WDl/nOXiEF9qSEh5woxyhj2mYXLHW6y3D0hufUxq62Pj2PpRVvIqjx/c4N9vj/nPn485eXyL5XzfIPywvmtczcXKJv70kOnyA6bLj7BFdcJYi8v1MVL/NlHtFoJ6nfn8gIuFNk9Pd/nh+31++Ms+z872WdlQCaZ7XGkfEOle55KyTSA9wF84wl84xiapmBxiA3+yQzCjEsr0CKa7uKINfLEa1WGPVy92ePV8B2XYx59o4pDO5+su44k3sUstXMkdXMkxVrGNySbUcUQbuGLN97CJdawRhUCqyZo6YH1rm2B7E1t1iKUywFLpG9ZaGWCrjrA3xtiqO0ymO5isUg2vvsNsj2BWI5TV8KU62MQa5liNifaIyeM72E4eYH/yEPuTBzhPH+E5+wTf2YkBvW35+JgPuiOdUMGf7jCX11goDFjYGBjHNwjFKhOlLhO7+0zduY3lzhHWO0fYj+/gunuM++5dPPfu4b5/D8v1G3zQ7GOaFCrYpAZuWSOQHuJPqjjEGlapgSM5wC73mEw0mJDrWLIabuXIgDXXx5Yf4W0+wt/9BHtpC3O8hmkiUsaaGOItPiZUuoc32WcqXMEW7xGo3MefP8QSVphYL+JK7rI6+j0rgzc45V2cqUMubH7Phe2/4s7fxBwpYzILFRyZbfzKKf78HexSm0ld36QO/sIt/NkxloiC+WoJd3aX1a3XrPS/xiFv40odcGH4luXhW5yZA/TNmcyRCpZYE0dSwx5rMxmuYL5axCoo+FI9vEkVS6RqENpiTYIbe0znx1gkXRTahIo3CRVvYYt1mIhUME1GqlgEBatQwyrWmIooBnTX8SQ6uA1FqTEVPh/zJjp4Em2sYh2b2MCb6OKTu8Y7TAoKJpeoMiPvsJg+YCl9yEL6gFl5TDC6Syi2y5y8x3xyj5n42OgvJA9Yzl5nVt4zsJQ5ZCF1wHRsG6fQxRSK7SBUTsirX1DUXpJt/4JI8ZRL8kMuJx+SUD4l3/0CqfyU9ewnyPXnlPq/IlZ9hlg+o9D7JXL9BZfT95iObmOaj+8bk+qjr6iPviTXeolYeMZa8gnr6SfIygvynZdIlRdcyZ0iK88pqi+Jlp8hlM7IqV+QqOmE9wlFdzHNxHa4VnxMqvGZsZJUesqV7AmX5YesyvdZkY9ZTh6xlDpmUb7NqnyLtdRtlhM3WZBvslK4w4X0EXOxA/zCCJNH1JiX91lO32Q5fYOl1A0W5OvMxQ+Yie3hl7bwiAPcYt9AQNAICn28goZL1PBEB3ikAW5BwxnpYrILTQJJjdnMiFB6SDA9OLepAdOpPqF0H2+8izVy/tKWcA1ruGY4u96fuqbbGpZIw4BJf/pgRs+9W0Ysz+Q05vJ9Zt4JxcLGyLB6OOoOb75axnytypTQwhrt44iPsMeH2KI9LEILk86qy/hicYfZnC7xelps44m3cMc7hLKb56RpFYd0TmoRO7iydwk2XnFx+IYV7SsCxfs4EpuYpiINXIkBc4VtZnN9/Mn2eZKS6tiklrHYwoa++yHeRBtLuIpV6uEpnjHf+wPrB39nbfwdIeUpzuRYJ6xji3bwJnt45A4OXWClOhahhkVs4Ih3jfDzJruGEBuRJDSxJXZw547xl+7j3zjGmRpjjfYwTYkKjngLT7JjELr1CiDRMsYsYh1zRGHyHcx6TL+H3q9hFn60NWOOySLVCOR6LFQ2DcyXRsxtDAjlNPxyE0+silOqYBMqWCJlpiJl7OEKrnAFR7iMLaxXXyUmw2V0oTFNSgr2soa7u42nuYmnPMCdUwlk24TrXfKailRvs1poEErVCESrfCTWSUZbhKUGF4QaoXAVZ7jClE5olqqYyyrmzogJpYc53zbU2ZWskeioaAebFId9wkqbxWyd2bhCPN6mJffIxjusiQ0WIgruHwmnJAVPXsVXHuDMdrAm6piFKjaxylKhS6Q5ZE3pM5dp4ZKqBpblNuvpHityh2mxhtMoOMtM6oT2aJ3F0oi1xp5RWOouYwnr91Ux8q/u5KGMariR7oM2UTH6us/qLmYTzsXXrDu9TmiLnRPqpcUlZccg0cn0S7brq0fr2EU9vCrGTzphMK0SyqpGore8U3PztdJ5TtFf2ZfqMpvXw66PR24bCm4O66Q/Q6SKVVTwJFpGLnfGdELl3bdzmByi7hoqgfiA6cSQ6cQmwfgWwfg2ofgugegWLrGLTWhgFeoG7GLdKEnsYgObnjoiujjowqFgCsQGrOZuIVYfk6h9Srr2OYXGbyg3X1NR3pApfMN6+oSLmdtGmvDHe8zl+kaFNl8YsrgxIphSseuL6YSziR3i9VOaW1/S3/2W0fZ3bG3+jZ3hP9hV/8Wg9k82Sm/I1l8RU56xlNs1ivbk5jGSdovY4IgPa2P0Ks4gnI4NWS8ek2w9Jdf5nELr1+RrvyVffk2p9C35wu+4mjnjUvaY5cwhgXc7XClvs1zcZKm4yUxGw6kfXyd0CE28kkog1mc6NiIY3yQY3TLyw0x0j1B0B7eg4og0sEfOj6XDFqm9x49jxh3qvjV1rWJg8p09R/V/7as/Gf9p+2eYvFrmv4T3xMivaKG4AAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#324052",
          "foreground": "#fff",
          "population": 1.06,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#042a41",
          "foreground": "#fff",
          "population": 9.91,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#042a41",
          "foreground": "#fff",
          "population": 9.91,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#b0bccc",
          "foreground": "#000",
          "population": 2.42,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#eac97a",
          "foreground": "#000",
          "population": 0.57,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#6c8498",
          "foreground": "#fff",
          "population": 1.4,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#049c74",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "2025_YearReview_v3.png",
    "path": "images/rafvlnhi/production/0a82e4993eb763619ebb7e488f850de6d3e8dc62-2400x5110.png",
    "sha1hash": "0a82e4993eb763619ebb7e488f850de6d3e8dc62",
    "size": 1437547,
    "uploadId": "4AkNBWdlf6TcJxXMEFWy7xUWe9GbzPu6",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/0a82e4993eb763619ebb7e488f850de6d3e8dc62-2400x5110.png"
  },
  "caption": "Cloudsmith 2025: By the Numbers",
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```

## Company Updates

A peek behind the curtain into the goings-on at Cloudsmith HQ.

### Serious Series B

We closed a [$23M Series B funding round](https://cloudsmith.com/blog/what-cloudsmiths-series-b-means-for-our-customers), led by [TCV](https://www.tcv.com/) with participation from [Insight Partners](https://www.insightpartners.com/) and many of our existing investors. This investment reflects the confidence our customers place in Cloudsmith to control their mission-critical software build workloads, as well as the hard work from every Cloudsmither. We’re using the funding to build an even better Cloudsmith that can cover more use cases, handle near-infinite scale, and be the fastest and most reliable solution on the market.

### Headcount Boost

We added quite a few Cloudsmithers, increasing our total headcount by 92% in 2025. We’re using all that effort and brainpower to stay on top of the software supply chain security space, so we can help our customers protect their own build pipelines against emerging threats.

### “I’d like to thank…”

A couple of notable honors made their way to Cloudsmith HQ this year:

- **Northern Ireland Tech Awards 2025**: Tech Visionary of the Year – Cloudsmith CTO Lee Skillen.
- **Sifted 100 – UK & Ireland** Leaderboard 2025: Cloudsmith ranked number 59.

## Platform Updates

Ships are nothing new in Belfast, our home city which has a proud shipbuilding history. That said, at Cloudsmith, we prefer to ship code. Here are a few highlights from the new features and capabilities we launched in 2025:



- **ML Model Registry**: Cloudsmith extends artifact management and governance to [ML models](https://cloudsmith.com/blog/Securing-the-intersection-of-AI-models-and-software-supply-chains) and datasets, allowing you to control and manage AI artifacts alongside the rest of your software supply chain. ML models flow through the same access controls, policies, scanning, and audit trails as packages and containers, so adopting AI doesn’t introduce new blind spots or require parallel tooling.
- **[Enterprise Policy Manager](https://cloudsmith.com/blog/enterprise-policy-management-with-cloudsmith) (EPM):** Enables you to define policies as code that match how your pipelines and security rules actually work. Policies can incorporate context such as package metadata, vulnerability severity, and licenses, and enforce those criteria before promoting or using artifacts.
- [**Continuous Security**](https://cloudsmith.com/changelog/detect-and-prioritize-new-vulnerabilities-faster-with-continuous-security): Automatically checks artifacts for vulnerabilities, malware, and malicious packages on a rolling basis, generating reports hourly. When a new vulnerability is reported against a previously allowed package, EPM triggers a re-evaluation of artifacts against your standing policies and automatically takes actions, such as blocking or quarantining.
- **Malware scanning and malicious package detection:** Adds malware and malicious package detection to traditional vulnerability scanning, preventing malicious packages from entering repositories or being distributed. This helps teams avoid pulling in unsafe dependencies from upstream sources and reduces the risk of compromised software spreading through CI/CD pipelines or to customers.
- [**Private Broadcasts**](https://docs.cloudsmith.com/software-distribution/broadcasts/private-broadcasts): Enable teams to distribute software to customers or partners in a developer-native way, using the same delivery platform and governance they rely on internally, while presenting it through a branded, customer-facing experience. Customers can restrict, audit, and revoke access without setting up parallel systems or losing visibility–so external delivery doesn’t become a security or operational exception.
- **Format improvements**: We added new upstreams for four supported formats this year ([Dart](https://docs.cloudsmith.com/formats/dart-repository), [Rust](https://docs.cloudsmith.com/formats/cargo-registry), [Go](https://docs.cloudsmith.com/formats/go-registry), [Conda](https://docs.cloudsmith.com/formats/conda-repository)), and increased our support for native signing to include [Docker, NuGet, and Swift](https://cloudsmith.com/blog/native-signing-support-in-cloudsmith-extended-to-docker-nuget-and-swift).
- **Dark mode**: When you want to give your eyes a rest, dark mode is at the ready!

## Usage Growth

We know our customers derive business value from Cloudsmith, because they’re building more software with Cloudsmith.



- Total package delivery increased 352% YoY.
- The most popular artifact types were Python, npm, NuGet, rpm, Debian, and Maven, which together made up 90% of all artifact requests.
- The most consumed formats by size (accounting for 90% of total gigabytes delivered) were Docker, Python, raw, npm, and NuGet.
- Docker **container image** downloads increased by >250%.
   - 💡Interesting fact: In total bytes, Docker image deliveries in the first _10 days_ of December 2025 was nearly the same as that for the entire month of January 2025.
- npm and Python package delivery requests increased by 400% YoY.

## Plays Well With Others: Community, Events, and Integrations

The Cloudsmith platform does a lot of heavy lifting, and it does even more together with our partners. We trotted (a good portion of) the globe and scoured the corners of the internet to deliver a better artifact management experience to developers and organizations alike.

### Community and Events

We were active in the developer community in 2025. We sponsored or attended 18 events across North America and Europe, connecting with developers and platform teams in 10 cities at KubeCon + CloudNativeCon, GitHub Universe, PlatformCon, SRECon, and Container Days.



We’re in it for the bright lights and big stages, but some of our favorite moments came from smaller, high-impact community meetups like Kubernetes Community Days in New York and Edinburgh, Cloud Native Dublin, and BSides in our hometown of Belfast.



At every stop, big or small, our goals were to learn from the community, share what we’re building, and help teams ship software with confidence.

**Cloudsmith Events by the Numbers**

- 18 events
- 16 talks delivered
- 10 cities
- 2 continents

It’s worth noting that Cloudsmithers from all over the world also gathered three times this year in our home city of Belfast for all-hands offsites to learn, share, and grow together.

### Integrations and DevEx

We’re developers building for developers. For us, it’s important to improve the developer experience. We built integrations for developer tools this year to make it easier for users to manage and secure their development pipelines. Here are a few highlights from 2025.



- **MLFlow plugin**: Allows users to manage experiments run on ML models and collaborate in a centralized location for machine learning test cases.
- **Datadog**: We improved our [Datadog](https://cloudsmith.com/product/integrations/datadog) integration for better observability and monitoring of how artifacts flow through your software supply chain.
- **Chainguard:** You can integrate your Chainguard [images](https://cloudsmith.com/product/integrations/chainguard-images) and [libraries](https://cloudsmith.com/product/integrations/chainguard-libraries), both public and private Chainguard registries, natively with Cloudsmith.
- **VS Code extension**: Explore and inspect your artifacts from within your [VS Code ](https://cloudsmith.com/product/integrations/vscode)development environment.
- **AWS SageMaker**: Bringing secure artifact management to machine learning development.
- **Renovate**: Keep dependencies up to date with [Renovate](https://help.cloudsmith.io/docs/renovate) and Cloudsmith.

## Customer Support and Success

From initial conversations, to migrations, to ongoing support, Cloudsmithers provide users with the service and attention they need to make artifact management “just work.” Our customer support satisfaction rose to **99.2%** in 2025 (up from 96.8% last year!).



Here’s some of our favorite feedback from customers:



"It's rare these days to see this level of support and engagement when dealing with SaaS support."



"I must say that the support we have received from Cloudsmith has been outstanding."



"I feel it’s important to recognise the Cloudsmith team who have been wonderful throughout the whole process...[they] were patient, fun to talk with (just real-human), knowledgeable, flexible, and truly listened to our needs."



We also published new case studies that demonstrate Cloudsmith’s value, showing how the Cloudsmith experience unfolds from the customer’s point of view.

- [BHS Corrugated](https://cloudsmith.com/customers/cloudsmith-and-bhs-corrugated) shifted focus from infrastructure to managing artifacts securely with Cloudsmith.
- [The New England Center for Children](https://cloudsmith.com/customers/cloudsmith-and-the-new-england-center-for-children) migrated to Cloudsmith and eliminated outages entirely.
- A leading [consumer and industrial electronics organization](https://cloudsmith.com/customers/securing-the-software-supply-chain-at-a-leading-consumer-and-industrial-electronics-organization) leveraged Cloudsmith’s Enterprise Policy Manager for better package visibility and governance.

## What’s Next in 2026

We’re proud of what we helped customers achieve in 2025. And we’re doubling down on our R&D investments in 2026 to deliver an artifact management platform that exceeds anything on the market today.

We want Cloudsmith to be a platform that:

- Takes full advantage of our massive-scale, multi-tenant architecture to deliver previously unthinkable performance and scalability to CI/CD pipelines and IDEs no matter where they’re located.
- Provides practical solutions for securing the enterprise software supply chain from open source vulnerabilities and malicious packages without hindering productivity.
- Works in conjunction with your DevOps stack to deliver a single source of truth for software artifacts, informed by huge public data sets and AI-powered insights.

And we’ll do it all with our ultimate customer–the software developer–foremost in our minds.

Please reach out to me at ceo@cloudsmith.com with your thoughts and suggestions as we seek to build the artifact management platform that the world truly needs. 

Across your organization, teams are rapidly adopting AI and machine learning. They’re pulling ML models and datasets from public sources like Hugging Face and wiring them into workflows that are now reaching production. For platform and security leaders, this creates a familiar challenge: artifacts are entering the software supply chain outside established governance and controls.

Unmanaged AI artifacts carry real risks. They can’t be traced back to their source, they don’t follow compliance processes, and they often bypass the review gates you rely on for code and containers. Left unchecked, they become blind spots and liabilities in your supply chain. Without action, AI artifacts become the weakest link in your supply chain security.

The answer is to manage ML models and datasets with the same level of control and oversight as every other artifact in your supply chain. By managing them through a unified platform—with shared repositories, consistent policy enforcement, and full observability—you ensure that ML workflows are governed by the same standards as the rest of your software supply chain.

## **The risks of unmanaged ML artifacts**

The growing adoption of ML models and datasets introduces both opportunity and risk. On one hand, models accelerate delivery by enabling new capabilities at unprecedented speed. On the other hand, they introduce opaque dependencies, security blind spots, and compliance risks into the supply chain—areas where governance practices are still catching up.

Some risks begin earlier in the lifecycle, like poisoned training data or tampered weights during model creation, which can compromise a model before it ever reaches a registry. But the most immediate challenge for platform and security leaders is governance once these artifacts enter the supply chain. Teams often pull models directly from public sources like Hugging Face, bypassing review and scanning. Without versioning and provenance tracking, it’s nearly impossible to prove which model is in use, where it came from, or what depends on it. And without consistent policies, organizations struggle to demonstrate compliance when auditors or regulators come calling.

These risks can’t be left unmanaged. The question is how to bring ML artifacts under control.



## **Supply Chain Controls For ML Models**

ML models and datasets are artifacts, and like any artifact, they need to be versioned, audited, and controlled with the same enterprise-grade policies you’ve put in place for packages like code libraries and container images. As organizations deliver production applications powered by AI, the priority for platform and security leaders is clear: maintain visibility, integrity, and trust in the components that make up these builds.

This is where [**Cloudsmith’s new ML Model registry support**](https://cloudsmith.com/product/ml-model-registry) comes in.

## **A Single Source of Truth for ML Models in DevOps**

Cloudsmith extends artifact management to ML models and datasets, promoting them to first-class artifacts in your supply chain. This means you can control, secure, and distribute models alongside your language libraries, containers, and other binaries, all governed by the same policies and observability already in place.

With Cloudsmith, you can:

- **Enforce policy before production**: Require approvals, license checks, and compliance gates before a model or dataset is deployed.
- **Guarantee integrity**: Every artifact is versioned, hashed, and immutable, so tampering can be detected and blocked.
- **Trace provenance**: Capture where a model or dataset came from, how it has changed, and what depends on it.
- **Unify formats**: Manage ML models (PyTorch, TensorFlow, ONNX, and more) alongside other binary artifacts in the same repositories.
- **Integrate with Hugging Face**: Proxy and cache models and datasets directly from the Hugging Face Hub, while continuing to use the Hugging Face SDK for training and deployment — ensuring developers keep their workflows while you enforce governance.

## **ML Models + Governance = DevOps Win**

DevOps has always been about balancing efficiency, stability, and security. The rise of ML workflows doesn’t change that balance - it heightens the need for it. By incorporating ML models and datasets into Cloudsmith, you extend the same supply chain controls that protect your code and containers to the AI artifacts now driving production systems.

The result: faster innovation without unmanaged risk, and a single platform to govern every component that ships to production.



[Learn more about Cloudsmith's ML Model Registry here.](https://cloudsmith.com/product/ml-model-registry)

### Webinar on-demand:

[**How to securely source your LLM models from Hugging Face**](https://cloudsmith.com/events/webinars/how-to-securely-source-your-llm-models-from-hugging-face)

The enterprise artifact management market - which has belonged for a while to JFrog and Sonatype - is now _truly_ up for grabs.

Cloudsmith was built on the core principle that [cloud-native architecture matters](/blog/scaling-for-extreme-performance). So does simplicity in design and workflow. Partnerships matter, too. We’ve built a comprehensive platform that controls and secures every artifact as it’s built, scanned, signed, stored, and shipped across the software supply chain. We’ve tailored our product to the specific needs of large organizations, which support hundreds of software development teams, rely on a huge range of languages and formats, operate at massive scale, and need to ensure the provenance and integrity of artifacts entering their supply chain.

Our work is paying off. Today our product helps Fortune 500 and Global 2000 corporations, as well as independent software companies, build and distribute their software more securely and efficiently. Many of these customers migrated to Cloudsmith from the two primary legacy solutions on the market - JFrog’s Artifactory, and Sonatype’s Nexus. These customers came to us because they ran into challenges scaling to ever-increasing DevSecOps demands. They asked for a fully managed platform that just works, so they can focus on building software, not infrastructure, CDNs, or clusters. And they recognized Cloudsmith as a fresh, modern, developer-friendly, API-first experience. Cloudsmith is infrastructure you don’t have to think about.

A successful startup transitions into scale-up mode when it solves customer problems in new and innovative ways, and starts to win real market share. Cloudsmith has arrived here. We [closed our Series B with TCV and Insight Partners](/company/press/cloudsmith-raises-usd23m-series-b) earlier this year to fund our growth. We’re seeing incumbents take notice. We’re seeing analyst firms like Gartner and Forrester recognizing Cloudsmith as a new and legitimate candidate for enterprises with complex needs. JFrog CFO Ed Grabscheid confirmed our growing market share when he [told investors at a Bank of America conference](https://www.investing.com/news/transcripts/jfrog-at-bank-of-america-global-technology-conference-balancing-innovation-and-profitability-93CH-4083861) on June 5 that they see two main competitors: Sonatype and a “_very, very small startup that is a cloud-native tool… not even worth mentioning the name,_” starting to “_kind of pop up._” I’m pretty sure he was talking about Cloudsmith.

We agree that large organizations are looking at three main options - JFrog, Sonatype, and Cloudsmith - for comprehensive artifact management. The artifact offerings from hyperscalers like Azure, AWS, and Google, as well as SDLC leaders like GitHub and GitLab, are limited to a handful of formats and use cases. They’re okay for small teams, but they’re not intended to scale across broad engineering organizations. We hear every day from JFrog and Sonatype customers who are curious if Cloudsmith is a viable alternative to their legacy vendor, and from platform engineering teams who recognize the benefits of a common internal set of universal artifact repositories.

I suppose it’s in the spirit of this head-to-head competition that [JFrog recently published an analysis](https://jfrog.com/blog/pitfalls-of-superficial-application-security/) of our advanced security offerings. They didn’t reach out to us in advance, and appear to have based their findings on their use of a Cloudsmith self-service trial account. We would have been happy to help them make a more well-informed comparison! We think their conclusions are misleading or highly confused, and they got a lot flat-out wrong. Our solutions engineers love working with prospective Cloudsmith customers to showcase the actual capabilities of Cloudsmith, in a way that’s relevant to their company’s processes, scale, and needs.

There is one point in JFrog’s analysis of Cloudsmith that I found telling. They seem to fault our approach to artifact security scanning for relying on third-party industry vulnerability data. This outlook seems to align with JFrog’s general position on partnerships (that they’re bad for business). At that same Bank of America conference, JFrog’s CFO said that when it comes to security scanning, “_point solutions_” cannot operate without having a proxy to JFrog for access to the binary artifacts, which is true. [He continued](https://www.investing.com/news/transcripts/jfrog-at-bank-of-america-global-technology-conference-balancing-innovation-and-profitability-93CH-4083861) to say that “_you could cut the oxygen off to these point solutions. We choose not to do that, but most customers see advantage to two things: consolidation, and to secure the most critical asset, which is your binary._”

We just have a different philosophy. We don’t think customers want their artifact management vendor to be their only source of vulnerability data and security scanning. In other words, not all JFrog Artifactory customers want to depend solely on JFrog Xray. We know that for sure, because they’ve told us. So we’re working hard to ensure Cloudsmith works well with commercial and open source security tools like ClamAV, Trivy, and Grype, as well as data sources like EPSS and CVSS, and we regularly incorporate their data into the metadata that’s available inside Cloudsmith repositories and exposed to our Enterprise Policy Manager (EPM). In this way, Cloudsmith is the control plane and the data plane for the entire software supply chain, but we don’t think we should be the sole provider of security data. We will not - to quote JFrog - “cut the oxygen off” from our partners in the ecosystem. We feel similarly about CI/CD, runtime scanning, observability, and hardened images; solving software supply chain security works best as a team sport.

If you want to see why so many companies are turning to Cloudsmith, [we’d love to talk to you](/company/contact-sales) about what a modern, scalable, cloud-native artifact platform could look like for your organization.

### **Exploring AI and the future of the software supply chain**

AI assistants will shape the future of the software supply chain, and today, we’re sharing a glimpse of a powerful idea in motion: [Cloudsmith MCP](https://cloudsmith.com/product/mcp-server), a **proof of concept** server that connects large language models (LLMs) like ChatGPT and Claude directly to your software supply chain using the emerging [**Model Context Protocol (MCP)**](https://github.com/modelcontextprotocol) standard. 

Imagine managing policies, surfacing security insights, or orchestrating package workflows with a simple natural language prompt. No dashboards, no scripting, just a simple question or instruction that delivers the right end result. If this sounds interesting, you should [register for early access](https://cloudsmith.com/product/mcp-server).

This isn’t a launched product (yet), but it’s a clear signal of where we think Cloudsmith is headed: toward **smarter, more conversational workflows** that make it easier to control your software supply chain.

## **Why we believe MCP matters**

**MCP **is a standard way to make information available to LLMs. Similar to an API, MCP provides a documented, standardized way for a client to integrate services from external sources.

MCP enables AI assistants to query and interact with software supply chain data, so it creates a foundation for smarter workflows and more accessible control over artifact management.

In essence, adding MCP capabilities to Cloudsmith offers up an entirely new interface to your software supply chain, with AI agents and LLMs working together to achieve your goals. We're exited to see MCP becoming a flexible new point of integration between our customers' third-party services and Cloudsmith.

## **What we've built**

```json
{
  "_key": "fd0e8d6b0b48",
  "_type": "wistiaVideo",
  "id": "g7hl8ptomq",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-b66ccc0f00d0da476d5d665dbed8b245218c2279-3840x2160-png",
      "_type": "reference"
    }
  },
  "title": "MCP server demo"
}
```

Our MCP prototype leverages Cloudsmith’s API-first architecture to provide programmatic access to developers through their AI assistant. Through standardized MCP requests, you can ask questions about your software supply chain or take safe, controlled actions - like managing policies or promoting packages - directly within Cloudsmith. This opens up conversational workflows with the Cloudsmith platform.

For example, you might ask your AI assistant to identify what package is trending up in usage month over month or see all of the versions of a particular package in use across your workspace. In the future, your AI assistant will be able to review your organization’s compliance and security requirements and recommend or create a set of policies in Cloudsmith’s Enterprise Policy Manager based on that input.

## **What we’ve learned**

Building this prototype was a good reminder of a few fundamentals. First, an API-first foundation makes it easier to experiment, so it’s good that Cloudsmith is built truly API-first. Second, the data running through platforms like Cloudsmith can offer valuable insights when it’s made accessible to clients in lots of different ways. We’re giving developers and AI assistants simpler ways to ask questions, take actions, and get things done.

There’s still plenty to figure out, but MCP is already making artifact management and software supply chain management more intuitive and straightforward, especially at enterprise scale.

## Help us shape the release version

[Cloudsmith MCP](https://cloudsmith.com/product/mcp-server) is currently a **proof of concept** and will be available in **early access** for select customers and partners. If you're exploring the intersection of DevOps, AI, and supply chain security, we’d love to work with you. [Register for early access](https://cloudsmith.com/product/mcp-server) on the announcement page.

Enterprises should prioritize securing their software artifacts to protect intellectual property (IP), maintain compliance, and mitigate supply chain risks. A strong security posture requires a deep understanding of access management, distribution controls, compliance enforcement, and software lifecycle governance.

This guide explores key principles of software security and best practices that enterprises can adopt to ensure software remains protected from unauthorized access, compliance violations, and supply chain threats.

**Implementing Enterprise-Level Access Control**

Effective access management is the foundation of software security. Enterprises should:

- Adopt Role-Based Access Control (RBAC) to define and enforce access policies at a granular level.
- Leverage Single Sign-On (SSO) via SAML to streamline authentication and centralize user identity management.
- Use SCIM integration to automate user provisioning and deprovisioning, ensuring timely access adjustments.
- Establish structured team and service account management to prevent unnecessary access and privilege escalation.

By implementing these controls, organizations ensure that only authorized personnel interact with software artifacts, reducing security risks and enforcing least privilege access.

**Controlling Software Distribution with Entitlement Management**

For enterprises distributing software externally, precise access control is essential. Best practices include:

- Using entitlement tokens to grant controlled, read-only access at an individual package level.
- Monitoring and tracking software downloads to maintain visibility over usage.
- Revoking or modifying access as needed to comply with licensing terms and security policies.

These techniques help organizations manage software distribution securely while maintaining complete visibility into how assets are accessed and used.

**Meeting Compliance and Location-Based Security Requirements**

Global enterprises must align software storage and access with compliance requirements. To do so, they should:

- Enforce Geo/IP restrictions to control where software can be accessed.
- Utilize custom storage regions to align with regional data sovereignty and regulatory requirements.

These measures ensure enterprises maintain compliance with industry regulations while safeguarding sensitive data.

**Auditing, Tracking, and Managing the Software Lifecycle**

Visibility and traceability are critical to software security. Enterprises can enhance security by:

- Maintaining client logs to track software access and detect unusual activity.
- Implementing audit logs to track administrative and operational changes.
- Defining retention and lifecycle rules to automatically archive or remove outdated software artifacts.

With continuous monitoring, organizations can quickly detect and respond to potential security threats while streamlining compliance reporting.

**Ensuring Secure Software Promotion and Delivery**

To maintain a secure software pipeline, organizations should:

- Implement package promotion workflows to control how software transitions from development to staging and production.
- 
- Establish provenance tracking to maintain an immutable record of software lineage.
- Enforce security policies that verify software integrity before deployment.

By embedding these security measures into the software development lifecycle, enterprises can reduce risks and ensure that only trusted, verified software is deployed to production environments.

**Adopting a Zero Trust Approach to Software Security**

A Zero Trust security model - where no entity is trusted by default - helps organizations maintain security across their software supply chain. By focusing on robust access controls, entitlement-based distribution, compliance enforcement, and continuous monitoring, enterprises can strengthen their security posture while maintaining the agility to innovate and scale.

By mastering these security principles and leveraging the right tools, organizations can take full control of their software IP, ensuring that their most valuable digital assets remain secure, compliant, and resilient against evolving threats.

For enterprises seeking a comprehensive solution to manage and secure their software artifacts, Cloudsmith offers a universal, cloud-native platform designed to meet these needs. With features such as role-based access control, entitlement management, compliance enforcement, and advanced observability, Cloudsmith empowers organizations to implement robust security measures across their software supply chain. To learn more about how Cloudsmith can enhance your software security strategy, [talk to an expert](https://schedule.qualified.com/5ChEKW5).

Continuous Integration and Continuous Deployment (CI/CD) pipelines power modern DevOps. They enable teams to deliver software faster, with greater reliability and confidence. However, as development accelerates, ensuring security, compliance, and quality becomes increasingly complex. Automated policy checks streamline CI/CD pipelines by addressing these challenges directly.

Why Automate Policy Checks?

- Enhanced SecurityManual reviews are error-prone and inconsistent. Automated policy checks enforce security protocols reliably, vetting builds, dependencies, and code changes against predefined standards. Cloudsmith provides a centralized platform to manage these policies, ensuring that every artifact and package meets compliance requirements before entering your pipeline.[ Secure and Compliant Software Delivery with Cloudsmith Policy Management](/blog/secure-and-compliant-software-delivery-with-cloudsmith-policy-management) explains how policy management features enable security and compliance enforcement.
- Regulatory ComplianceStrict compliance requirements in industries like finance, healthcare, and government demand precision. Automated checks ensure releases meet regulatory standards, minimizing the risk of fines or breaches. These compliance expectations are rapidly becoming industry-wide best practices, meaning all organizations - not just regulated industries - should adopt robust security and compliance policies. [Using Cloudsmith as a Dependency Firewall](/blog/using-cloudsmith-as-a-dependency-firewall) highlights the importance of controlling package consumption to ensure compliance.



- Increased EfficiencyManual interventions slow pipelines and create bottlenecks. While some teams may still manually review or approve changes, this approach is unsustainable at scale. Automated checks provide real-time feedback, accelerating delivery cycles while maintaining governance. The [6 Essential Features for Your Next Artifact Manager](/blog/6-essential-features-for-your-next-artifact-manager) blog outlines crucial capabilities that improve efficiency.



- Reduced RiskBy identifying vulnerabilities, misconfigurations, and compliance issues early, automated policy checks lower the chance of deploying faulty code. Policies managed at the artifact level - such as those provided by Cloudsmith - ensure that only secure, compliant assets enter production.

### Key Areas for Automated Policy Checks



**Dependency Scanning**

Dependencies often introduce vulnerabilities. Automated tools analyze dependencies for security risks, license compliance, and outdated versions, blocking risky packages from production. Cloudsmith natively integrates these checks within its artifact management platform, offering an additional layer of security beyond CI/CD pipeline-level scans.

**Code Quality Gates**

Automated gates ensure new code meets quality standards, such as code coverage and complexity thresholds. While tools like SonarQube enforce these rules at the CI/CD level, policy management at the artifact level ensures only vetted packages are distributed downstream.

**Infrastructure as Code (IaC) Validation**

IaC tools, such as Terraform and CloudFormation, benefit from automated validation. These checks catch misconfigurations and enforce deployment best practices before infrastructure changes are applied. The [Enforce Secure Automated Deployment Practices through IaC](/events/webinars/enforce-secure-iac) webinar explores how policy enforcement in IaC can improve security.

**Container Security**

Teams using containers can automate image scans to flag vulnerabilities or misconfigurations before deployment. Cloudsmith helps enforce security and compliance policies at the artifact level, ensuring only approved container images are used in production.

**Deployment Policies**

Automated policies control deployment conditions, such as requiring approvals for production releases or enforcing restrictions on specific environments. Centralized artifact management allows organizations to implement stricter governance beyond what is possible within a CI/CD pipeline alone.

### Implementing Automated Policy Checks in CI/CD Pipelines



**Choose the Right Tools**

Select tools that integrate seamlessly with your existing CI/CD pipeline. A combination of CI/CD-based policy enforcement and artifact-level policy management, like Cloudsmith, provides a more comprehensive approach.

**Define Clear Policies**

Collaborate with security, compliance, and engineering teams to create policies aligned with organizational goals. Policies, defined as code, are the future and offer greater power and flexibility compared to rigid, rule-based checks. Using Open Policy Agent (OPA) allows teams to express policies in a declarative, code-based format for better automation and enforcement.

**Integrate Early**

Shift left by implementing policy checks early in the pipeline. This prevents issues from propagating downstream and ensures that security and compliance are addressed from the start.

**Monitor and Iterate**

Use logs, reports, and feedback to refine policies and improve tools regularly. Cloudsmith provides real-time insights into artifact security, compliance, and policy enforcement, helping teams proactively manage risk. [Consuming Open Source Securely Using S2C2F](/events/webinars/consuming-open-source-securely-using-s2c2f) provides guidance on incorporating open-source components securely into CI/CD pipelines.

### Conclusion

Automated policy checks are essential for scaling CI/CD pipelines without sacrificing security, compliance, or quality. While CI/CD tools can enforce some policies, centralizing policy enforcement at the artifact management layer with Cloudsmith provides a more holistic and effective approach.

Streamline your CI/CD pipeline today. Learn how Cloudsmith can help automate your policy checks and optimize your DevOps processes. [Talk to an expert](https://schedule.qualified.com/5ChEKW5) to get started.

Managing software artifacts across distributed teams and complex infrastructures securely demands proactive measures. Robust policy management is the best way to ensure compliance in your software supply chain. Cloudsmith, the leading cloud-native package management platform, can streamline policy management and strengthen security. Let’s explore why policy management matters and how we can simplify it for you.

### **The Importance of Policy Management**

Policy Management is a structured way to define, implement, and enforce rules and guidelines in your software delivery process. Effective policy management:

- Enhances Security: Enforces strict access controls and ensures the integrity of your software artifacts, reducing vulnerabilities and minimizing risks.
- Ensures Compliance: Helps you adhere to GDPR, HIPAA, SOC 2, and other regulatory frameworks, keeping you audit-ready.
- Maintains Consistency: Standardizes workflows across teams, ensuring that everyone operates within established guardrails.
- Boosts Efficiency: Automates policy enforcement, reducing manual overhead for approvals and compliance checks.

For a deeper dive into Cloudsmith's approach to enhancing security and compliance through policy management, check out [Cloudsmith's Enhanced Security with Policy Management](/blog/cloudsmiths-enhanced-security-with-policy-management).

### **Cloudsmith Policy Management: A Holistic Approach**

With Cloudsmith, you take full control of your package repositories with policy management. These make Cloudsmith the ideal choice for teams prioritizing security and compliance:

#### 1. **Fine-Grained Access Controls**

You set granular permissions for users, teams, and API tokens. Using role-based access control (RBAC), you can:

- Assign repository access based on user roles.
- Apply least-privilege principles to ensure users access only what they need.
- Monitor and audit access logs to detect anomalies.

Learn more about how Cloudsmith supports Zero Trust security principles in [Implementing Zero Trust Security with Cloudsmith in 5 Steps](/blog/implementing-zero-trust-security-cloudsmith-5-steps).

#### 2. **Custom Retention and Disposal Policies**

Efficient storage management reduces costs and enhances security. Cloudsmith lets you:

- Configure [Retention Policies](https://help.cloudsmith.io/docs/retention-lifecycle) to automatically remove outdated or unused artifacts after a specified time.
- Use Disposal Policies to securely delete artifacts while maintaining an audit trail, ensuring data governance compliance.

#### **3. Geo-Restriction Policies**

Controlling where your data can be stored or accessed is a crucial part of many compliance frameworks. Cloudsmith supports geo-restriction policies, allowing you to:

- Restrict repository access based on geographic regions.
- Comply with data residency requirements.

Check out how Cloudsmith has helped organizations like SaaS providers comply with GDPR and data residency requirements in our [case studies](https://cloudsmith.com).

#### 4.** Security Scanning and Vulnerability Policies**

To protect your software supply chain, Cloudsmith integrates security scanning directly into the platform. You can:

- Block packages with known vulnerabilities.
- Automatically notify teams when critical issues are detected.
- Curate secure repositories.

Learn how Cloudsmith serves as a [Dependency Firewall](/blog/using-cloudsmith-as-a-dependency-firewall) to secure your software supply chain.

#### 5.** License Management Policies**

Licensing compliance is an important part of managing open-source dependencies. With Cloudsmith, you can:

- Define acceptable licenses for your projects.
- Block artifacts that violate license compliance policies.
- Generate reports for audits, ensuring transparency.

### **Automating Policy Enforcement**

Cloudsmith empowers you to automate policy enforcement by integrating with CI/CD pipelines. By embedding policy checks into your workflows, you can:

- Automatically validate artifacts against predefined rules.
- Prevent deployment of non-compliant artifacts.
- Accelerate delivery cycles while ensuring compliance.

To learn how policy enforcement can be integrated into your DevOps workflows, explore [Enterprise Policy Manager](/blog/introducing-cloudsmiths-enterprise-policy-manager-strengthening-security-and-compliance-with-flexible-observable-policy-as-code-solutions).

### **Real-World Use Cases**



**Kong – Streamlining Artifact Management and Distribution**

Kong, a prominent open-source API management platform, required a robust solution to manage and distribute their software artifacts efficiently. By partnering with Cloudsmith, Kong was able to:

- Centralize Artifact Storage: Utilize Cloudsmith's universal artifact management to store all their packages in a single, secure location.
- Implement Fine-Grained Access Controls: Define and enforce policies that ensure only authorized personnel have access to specific repositories and artifacts.
- Enhance Distribution Efficiency: Leverage Cloudsmith's global edge caching to deliver artifacts swiftly to their global user base.

This collaboration resulted in a more streamlined and secure artifact management process, allowing Kong to focus on developing their core products without worrying about the complexities of artifact distribution.

### **Best Practices for Policy Management in Cloudsmith**

Policy management is even more powerful with some planning, collaboration, and continuous improvement. Here are some best practices to help you maximize the value of Cloudsmith policy management:

#### 1. **Define Clear Policies**

Your security, compliance, and development teams can establish policies that align with your organization’s goals. Consider these steps:

- Identify Key Objectives: Are you looking to adhere to regulatory requirements like SOC 2? Or reduce security vulnerabilities in production?
- Collaborate Across Teams: Involve stakeholders from DevOps, security, and legal teams to ensure policies cover access control, licensing, and vulnerability scanning.
- Create a Policy Library: Maintain a centralized repository of all approved policies so it’s easy for teams to reference and follow them.

Pro Tip: Use policy templates and the Enterprise Policy Manager to standardize and scale policy creation across multiple teams. Learn more about Cloudsmith's [Policy Management capabilities](https://help.cloudsmith.io/docs/policy-management).

#### 2. **Enable Continuous Monitoring**

Continuous monitoring helps you stay ahead of potential risks and ensure compliance over time. Cloudsmith offers built-in monitoring tools to help you track and report policy adherence. To maximize their effectiveness:

- Audit Regularly: Leverage Cloudsmith’s Audit Logs to monitor actions performed by users, systems, and service accounts. This feature provides a complete history, enabling you to identify anomalies and ensure compliance.
- Track Key Metrics: Monitor metrics like artifact vulnerability rates, license violations, and geographic access patterns to stay proactive in your security efforts.
- Set Alerts: Configure notifications for critical issues, such as non-compliant artifacts or unauthorized access attempts, so your team can respond quickly.

For more details, check out Cloudsmith’s guide to [Audit Logs](https://changelog.cloudsmith.com/en/boost-compliance-and-security-with-audit-logs) to improve your monitoring practices.

#### 3.** Integrate with DevOps Workflows**

By embedding policy checks into your DevOps workflows, you can maintain compliance without slowing down delivery. Here’s how:

- Automate Artifact Validation: Use Cloudsmith’s APIs to automatically validate artifacts against predefined policies during your CI/CD pipeline runs.
- Prevent Non-Compliant Deployments: Configure your CI/CD tools to block deployments that fail security or compliance checks, ensuring that only approved artifacts make it to production.
- Leverage Pipeline Integration: Integrate Cloudsmith with popular CI/CD tools like CircleCI, GitHub Actions, and GitLab to streamline policy enforcement.

For more information on managing package promotion workflows, check out [How to Manage Your Package Promotion Workflows with Cloudsmith](/blog/how-to-manage-your-package-promotion-workflows-with-cloudsmith).

By automating policy enforcement, your team can accelerate delivery cycles while maintaining security and compliance.

#### 4. **Review and Update Policies Regularly**

Your policies need to keep pace with change. Regularly reviewing and updating your policies ensures they remain relevant and effective. Follow these best practices:

- Schedule Regular Audits: Conduct quarterly policy audits to ensure they align with current regulations and organizational goals.
- Adapt to New Threats: Stay informed about emerging vulnerabilities and security risks, updating your policies to address them.
- Solicit Feedback: Encourage teams to share their experiences with existing policies and suggest improvements. This collaborative approach fosters a culture of compliance and innovation.
- Document Changes: Maintain a change log for your policies to track updates and communicate them effectively across the organization.

Pro Tip: Use Cloudsmith’s reporting features to generate compliance reports that provide valuable insights and help refine your policies over time.

Stay up-to-date with Cloudsmith’s latest features and updates by joining our [webinars](https://cloudsmith.com/webinars).

Ready to empower secure and compliant software delivery? Book a [demo](https://schedule.qualified.com/5ChEKW5) with an expert today and see how Cloudsmith transforms your software artifact management.



2024 was a year of incredible stories. At Cloudsmith, we had the privilege of being part of our customers' journeys as they reached significant milestones, driving growth, innovation, and strengthened trust across the globe. Our customers led the way, leveraging Cloudsmith’s capabilities to enhance their workflows, scale their operations, and secure their software supply chains. Let’s explore the amazing progress our community made together and the stories behind these achievements.

```json
{
  "_key": "6fd758aa9383",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T08:03:53Z",
    "_id": "image-f1d5e137d4502288bb8fb11509eae93c8c6b6087-1200x4000-png",
    "_rev": "2MVa2LY6RC9Yy6hPJdl9dn",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T08:03:53Z",
    "assetId": "f1d5e137d4502288bb8fb11509eae93c8c6b6087",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "bS8E$qkat8W9o*WaxgaeadoO",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.3,
        "height": 4000,
        "width": 1200
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAABDCAYAAACcAiVCAAAACXBIWXMAAAsTAAALEwEAmpwYAAAQ/ElEQVR4nE2YeVTU59XHp63oLOzMMCDimrgrzAAzwwzMDMvsMMPADDDAsAiyyCaCgLhrjFvcNSY25jUu0WiSJtamTd82bRNP2sQmJjUqLrEalySapJq02dD59Mxg+75/fM+9z3N+53u+5z7399x7H8FPcuCnufCznIcI+g/Xof1cGJETYITxC0ZmHkWoqEeUYkGUYgohQmklVlUQssG1IMwEYitE2CD8ISL+HyJtEGWHKNsPSPIuIsrciyitHmGKjah0G5Mtlai8TSEbmW5DEG4P8EglpDRASj0oG0HVAup5w8hqB0MnaFpA0fADUys+RmY6gCitiXidlyxfK86WReh8rcRrXQikru8xzr+Pb3WAyscC1K2Hps3QHMQW6H4Sep+C2rVQuiKAa/EPPOq7hlB7kOjMZlJc9eRUdzDbVUeMyoEgynyamdW3MXYOYV7wAFdPAF8/VPZDRT/ULhmGuxMcrWBtCZBS+iPJeecYm7WFacZ2FOZOHsluIFbpRiBULSfC8EtizFcY6/gCU9m3NDU+oGMezO+ABZ3Q1QmdrdDRCu2t0NYKrc33aG14n/aGX9Nef4Kq0iPo8zYgEKYWIlS2MTJjO4nZL+OvHOSpxd9xYFWAIxvgpW3DOPoEHNsERzfBi9vh5R33eWnbt7yy62te2XGPvUtvs7hyEEHwqCVKB+HpHpI086goeYnd3Xc41H+fw0sDvPhYgBdXBziyLMC+ZQG2L4XNy2HLCti8LMDmlQF2rgjwVM8Dttf9iECcaiZK7SBWV4BUVYTauJJ2759ZV/0525vu8fT8f7Kj5R7ra75iYfXX1LUMUd8HjYtgTi/U9ASobg0wr/pHVlTcG1YYkWELkYYrrcjSSsnIXkGR9QAt1a+xuOtNWqpfx2N7BZvzLTxdX9C5LUD3LujcDq1bAngH7qMvv4XD8QYC8cNsj0q3hxI1Ot1OvKqYcdpaZtu60ZauZZb9MZJ1fYwxbEdZfRF7732cAwEK+h9g63tAVue3TK9+j6nu9QgkqebQr5OkL2F8bul/MdFUy6OORUwq3EGSZQ/R2esRazYRmXuSWNsd4uz3SCi6y6Tar5jVfou07j+i7l43rDCoboyhhEmmcibmlzHJVMGjtg6muHYywfUbZNaTiLOPMUr1BCNVWwnTHCFMe5xoy3GmNh1H1fcK6t59aLpXD8dQrLAQq3GTaPSTaKxDrq9Bmt1KnHE70fl/RJz7EWFZbzBSvRNhejdCZQOitDqkWU1Mdi1glq+Xyd52xjlrhgnDVSXIzb1MLH2SRyueY0LJTmSmVUi06xBnnyDOcYkx7gsku95EZjqMRL2MuPQ5pOcswlW0m0L3DmbndRKdUYggMrOaRPsqZs79Ndres+gHLqHtPcPM+teQ2Z5CanmV1Dm3sCz8FlvvXVLnfEpc3h+Yqt9FY+nrbO24ytrWMxQ4dxCXVoRgbPkhpjf+gcz+y5hW3aTg8VuYVt5E23eBqQ1vMd73HsrGu5h6Alh6A6Q0DJFgu0iG6Re0lr3F6obL9FT/hRzrBmLSXAiUCy5jXXWdsk2f4d/2OXU7PsO3+TO8Gz/FsvIGM+fdYHzFJ0zwXmKCZxB54Xlic99gimEH+vxNGPI2kZo9wGhVFZJUK4KM7s/xb75Lz95v6H7maxY88zWde76mZdc9vOvvktpxjYSiV4kxrCNOv4pI3Uokqm6i0/xI0zzEKIoIT7EjSjEP39iP1p4ms+Mctv6L2PoHsfZ9RH7PGfSdf0PZ/AET/b9HZn0Mqa6cZGMp8VklhGc4EKf+pwzk/7cchAhjzTuJs+wl3rYfuX0PcssTxJtWIs1fSlzeEmKMPURoqohML0SaWUSsxklEupXgHSBKsT6E5f8UijSPE2XYTYJlH9K8bUg0XYiUZYgUDsQKOxKFDbGiAElaGZJ0P+FpHiQKO+JUKxFpHmI1fqJUPiQKZ4hUMCpzH0kFvyNz7inSq3/NONsmEg1NyLXFxGTYQ9d6QnYV4y2LmGhbyrj8dmQ6H7JMD1MLusiqXk9G2XLG5MwhXGlHMFL3Msnu9zF1XaWo7zSmeUcx1j2OqrSNsTleZNoiJpiaSfWuJd23hVnuFYzNq2d8fjU6/0qK5+/B3rKVGc6O4cQeqd2PzPZ7lLWnMLa8gb7+WdS+xcwsrEeuKyJCaSdGXU68fh5yYw+yrGZi1CVIM4tJzmtikr2XCZYu5Nk1wwpHqVcTnr0LWf5eEk3bSMxZiExbQayqkMg0GxKFFUkwnko3YqUHsdKJWBE8FAsiRQFCRUkIotTC4UMRq5sQa+YjzuxBomlDovYTqS4hTluCPLuUeH0p8SFbhlwfVFpGrNZDuMqNJMOFOIj0IAoRpxUgiNI3EpE9lwh9M9E5nUQZmogx1CHPayTJ2s4EZzeTi/uZ5l3CFM8yJrhXMLpgOTLbcuLMvUQbm4nIriZSX0dMbieC0ealyPO7kZv7SC7cTLLtcUbn9ZNkWsJ4xxpSfNvRNz5LTushtE1HmO4/wqSKl5hY+QvGeZ9jtGMt8fndJJgHGFv8NAKt/VnSrdtIt+3AUHQMS9Gr5DsOY3QcJMf5PPaKY3jmvoKn+VXs9S+jKTtCivt5ZrgPMM35NLPtO0izbiXNtpM010EETscxLLb9WGwHKCk8QV3xn6lzv02l6w3K3a9TVfEb6upfo7bxON6ao+S69qKy7iTFvIkU00ay7XuxOg5jsu3HYH0GgcK0nhTzBlItW0IfGhzPYSg4RFbhQXTOQxi8R3DUvYSr6Rfk1BxD6TnIzOIDTCvez3TPYdLKTpBR/AIpti3MsG5AEKtvIC63DbmphyTbQpLMvSTmLyLRvJRE62rGOjcwu2IXGXN+zjTfzxnreYax3ucYV/484yteDMUy2f0kMlMPMvNCBBJNCeE6H9GGaqSmWmJzaojKqiZaX0uMsZ643CbkplZGWzuIN3cSm99JTH4XsfndxJkXIjX3EpPbRmS2n8jsWgTitEIkGW7C1SVEBMlVbiJUJcRoy5FmVyDN8iHNKidBX0GivhKZrpxojZfwjGLEqhIkKi9ilRdJRgmSjGIE4woGmORcwkTnEpJs/cQae5Aal5FsWccYy0akxrWMMaxAY1+D2b2BXOd6NKbVTNYvJsGwnPi8Ncjz1hBnWIlE04sgt+8dCpadwr70FJr5bzO55k1m1XxAdssl1I0fk+S6wKPWD2n0n2Xj/Mts7PyYZbUXqCj5kHTvWab7LzGj6jITPOeJyD+FILPnDMaBCxgGLpLRPcj0pvOkNFwju+0O2tYvGVf6BZPtt2jy3WJL8x22NX/JxtovaCn9lBTXLeKL7hBf9CUxBV8wMv8zBEnOrYwt2cNYz16SS55htPNp4i17SbAcRm45RlTOC8iyD5KZt49i22G89mN4bUfJMR0kMWsfI7WHCdMeJSzzBUZkvoBAovIQriknXFNBhMZHZKaPyKCvqiFcVUukuo4YTQ1yTRXJmdWhJmqcrpZETRURaeUIlZWI0qoRpdeErCBeU408s5Y4TSVxGh/J+jlMzJ3LGKN/+JYxlJKQ4yPeUIFUX4HcWIk8p4rYrPJQZkjUHqKy/aEUi9RVISguPkKp9xgFxfuwFP0cj+cFvMVHyXHsYrppgDG5bcjyFhGX/wRxpm3IzNuQW7cjNW8lKvcJovJWI7WvQu5cjdQ6gODJ3ts8u+IOe5bfYtfiG+zu/5wtrbdZVHmZKvfvyLQdINnyKlLbO8Q5TiEtOIXc+T5y52niHO8QbXuZOMdWpPYVxFp6ERwauM+La4Y4vnWI13YNcWL7EC+svM+TLd+z2PcpRUXnmFZwEbntHLGWk8TaTyErPE+86yLSYBdhP0m0+QAROQNE6OsQ7KgfYnfLEPv6hnjhsR84uuYH9g8Msa35O/orb+Mqucqsor+T7Pgr8ZYTyBx/Qu76K3LXO8gK30bqeItoy4tE5C4lyliNYKD8Okt8N1nmv8ny2pusqPuUZbWf0Vn3Gb66TzDXXkRbd5YU/194xPe/jCl9HbnrMHHmzcTmriU6dw0x+UsYXdTFRF8bAkvBYWyFL2Mt/C0m5/uYnOfIc50mq+ID1PMuYez7O86VVyhYcQld7yAzW95jatlRZls3oTI/way8FcPVr7SR2Y3zESQE/0njdpLMrzG55GOml90hufBjEl3vMaXxIwxLruFad5Oi9TfJX3EdXccgTv+7dPpPs7zhAu1VJ9FZ15CUW0GipQyBUD3ASN0Bws3neKTyX8yac5941zeITZdI9P6V1I4L6AY+IWvxdTK7L2Ou/xvzqz9mV9s37O+7z87OL6gqPsY4dW2otRaMynicEbrfMyrvK2IKHyArChBuGyIs93MibB8yac4Z0hdeRd13jezWQar853is9jZPzRtiT2uAXc3f0ev7EF3O2uHhcaRqM2GGDxll+oGw/EAIImsAoflbhKZrJJSeYXrbZRSdV7A1DNJXc53dbd+xtyvA7uYAu+Y+YHP9Xerdv2WKtgPByIzVhBlOM8ocJHzAiLwhxJYhROZvEOZfQe75kGmtl1B2XsFef57e2qvsav+avQuGeGregxDhzrnf0+l9l9TsRQiEijrCMp8jTP8BI/TnCTNeRGS6QbhlkJiCk0yofQ9lz1XUvdfQNp+hoPJtmqrP0jfnNr3+r1jo+5IFpVdwWp8nWVWHQBzsWzLmIlQtQaTdQLTlKAmed0jy/YXx1W8ydd4ZUrqvkdp9jRlt55le9xYZ1X/GUHMObdlF0gs+IDX/OON0SwgPxjA4NEr1bmKyvMTlLWRi1XFmtp1levsg09oGmdn5MakLhglndf2dqW2DTGs9z4y2SzxSfxFZ0buEGw8h1vQhSq9EEJflItFUQnxeBUmujcxuex91/w2UC68zs+s6ip7robWm/wZpC68zq+sTZs7/BEXPDWZ0XCWx/BSSvIOItAOIMqoQRKrsxGgLidZ5kdtWMWXum6TMv8CM9rNMbT3LjPZBZnecY3bHWWZ2DDJ13tlQGGZ2XGBKy99I8BwnIncdksy5oS4sNICLFDZEylIitfOQOzaS7HmW5JI9jCl+mrGe/yG5eNgP7o8J+u7dJHv3keh+muj8pUh09UhUbkQKKwJRsHFMdSBUVCJSVhGpLkOqr0JurEZu8JNgrCHBWE283o/cEPRrGJ1Tg8xQQ5S2IlSLg7U9SBZq2kMKU63DHWhqARHpNmS6QhIMRSToh5H40CZkFzHaWEJynge5wU0wXOKQIPN/ZxaBKG0OwvQ5iB4iXF1PlLaRaF1TCFHa/6CWaE0J0eoCYrWFxGQWEp7uCIkQpdgezioWBGLDCaSWEyQ6fsVox4kQEh0nSLCdIME+vE6w/5Lo3EOI1EsRKrzDikI9diFCRTHCVCei1CJEijIE0QX3mF5zD1XTPdIb75E29y7pjXdRNPyD2XX/YFbtXab67yJ3fYZQf5KRGSsRproQplgeNuzlCFPLECrrGJXWgSDeHUDXcZ+CgSFyu3/E2PUDtr7vMC/8F+lN/2SM9ztinUOIrff5mfE2I4JPfkp/aCQTKjwIFX6EylqEaU0I09oRJJQEMPf+SNXab3Et/RrH4n9QsvwO7qWfou+4QXzRDX6a8yWCnO8RGO8SpvsVkepGpBon0syS4akqy49UW0lURhmCCAdMqxlC3foN6S23UTZfJ3XuFWbVXWCa/yPiCt5nRM5H/CTnFj8xfs7IrNeQZbcxIa+UR8wVTLZWMtlWxcT88uHnvuALpjD/AeG2fxJZeIvIwktE2M8SbvmAcPO7iPJOEmb8Ez8znuanxiuE6U4QpWlGrnORkOUmMdsdSqcgWfB15d91IAlKB8ZKDAAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2d465e",
          "foreground": "#fff",
          "population": 0.28,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#123976",
          "foreground": "#fff",
          "population": 7.02,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0540f8",
          "foreground": "#fff",
          "population": 7.18,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#8c88a4",
          "foreground": "#fff",
          "population": 0.01,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9466f5",
          "foreground": "#fff",
          "population": 5.86,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#6188a3",
          "foreground": "#fff",
          "population": 0.85,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0540f8",
          "foreground": "#fff",
          "population": 7.18,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "2024_final_v3.png",
    "path": "images/rafvlnhi/production/f1d5e137d4502288bb8fb11509eae93c8c6b6087-1200x4000.png",
    "sha1hash": "f1d5e137d4502288bb8fb11509eae93c8c6b6087",
    "size": 1117716,
    "uploadId": "os8rJsIrNy8Tm7sjm6owuG1ifsoCMwT8",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/f1d5e137d4502288bb8fb11509eae93c8c6b6087-1200x4000.png"
  },
  "caption": null,
  "link": null,
  "markDefs": null
}
```

#### **🚀New Year, New WebApp**

In 2024, our customers embraced the all-new WebApp, a major upgrade designed to make artifact management more intuitive and efficient. This enhanced user experience enabled teams to streamline their operations and focus on delivering value to their customers.

#### 📈** Riding the Wave of Growth**

Throughout the year, more and more teams turned to Cloudsmith, resulting in a staggering 53% increase in packages delivered. Each delivery represented a project moving forward, a product getting closer to market, or a team achieving its goals. This growth was a testament to the trust our customers placed in Cloudsmith as their reliable partner in artifact management.

#### 🎉 **Empowering Users with New Features**

2024 was the year where our customers gained unprecedented control over their software supply chains. With the introduction of Broadcasts and Policy Management, teams were empowered to oversee their operations with greater clarity and precision. These features were catalysts that enabled our customers to work smarter and safer in an ever-evolving digital landscape.

#### 🌐** We met our tribe**

This year, our customers met us at events like KubeCon, GitHub Universe, and SREcon. These weren’t just conferences - they were chances to learn, share, and grow together. Our customers brought their experiences and challenges to the table, and together, we explored new ways to innovate and push the industry forward.

#### 🔄 **Seamless Integration for Greater Impact**

For teams integrating Cloudsmith with tools like Azure DevOps and ArgoCD, 2024 was about making life easier. These integrations weren’t just about technology - they were about creating seamless workflows that allowed teams to focus on their goals, knowing their tools would support them every step of the way.

#### ❤️** Delivering Unmatched Support**

Throughout the year, our customers’ success was our top priority. With a 96.8% customer support satisfaction rating, every interaction aimed to empower users and solve challenges swiftly. Behind each support ticket resolved was a team able to move forward with confidence, knowing Cloudsmith had their back.

#### 💬** What Our Customers Say**

We measure success not only through metrics but also by the impact we've had on our customers' businesses. Here’s what a few of them had to say about their experiences with Cloudsmith in 2024:

**PagerDuty**“Cloudsmith has significantly simplified our artifact management. By using Cloudsmith, we can easily store and share artifacts across the organization, while also ensuring the security and compliance of every release. It’s been a true partner in our growth.”– Sandy McNeely, Director of DevOps, PagerDuty

**Diligent**“Cloudsmith’s solution has made a noticeable difference in our workflow. We’ve streamlined the way we manage and distribute software artifacts, and the speed and reliability have been key in helping us meet our goals.”– Tom Dillon, Senior VP of Engineering, Diligent

**Humanising Autonomy**“Using Cloudsmith allowed us to ensure our products were shipped more securely and efficiently. The ability to have fine-grained control over our software supply chain means we can focus on building innovative solutions while Cloudsmith handles the infrastructure.”– Chris Sutherland, CEO & Founder, Humanising Autonomy

**Kong**“Cloudsmith has been integral in supporting our continuous delivery pipeline. The easy integration and flexibility it offers have significantly enhanced the speed at which we can release new features and improvements.”– Matt **Boersma**, Senior Software Engineer, Kong

### **Looking Ahead**

As we move into 2025, we’re excited to keep building alongside our customers. Their stories drive us to innovate, improve, and support them even better. To all the teams we work with - thank you for an amazing 2024.

Want to see what’s next? Join us on our journey in 2025 by exploring our latest updates and features or by booking a [demo](https://schedule.qualified.com/5ChEKW5).

What a year it’s been at Cloudsmith. As we look back on 2024, it’s hard not to feel a sense of pride - and even a little awe - at how far we’ve come. From a scrappy startup to a trusted partner for some of the biggest names in the world, this year has been a turning point, both for our company and the people who make it special.

In this video, our CEO, Glenn Weinstein, reflects on the highs, the challenges, and the moments that defined this year for us. Here’s a little glimpse into what made 2024 unforgettable.

```json
{
  "_key": "f0508774f9ca",
  "_type": "wistiaVideo",
  "id": "r5d3j2nz4m",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-dff3515c841d3f4a6a26d200b69afc7c09c530c6-960x540-jpg",
      "_type": "reference"
    }
  },
  "title": "Coffee with Cloudsmith 2024"
}
```

### Growing Up Without Losing Who We Are 🌱🏢

We’ve doubled our count of Cloudsmithers in 2024! It’s exciting, of course, but also a little bittersweet. It’s harder to fit everyone into a room these days - we’d need a really big room! - and keeping up with all the new names can be a challenge. But growth means something important: we’re helping more people, solving bigger problems, and making a real difference for our customers.

Our mission hasn’t changed - to make developers’ lives easier. What’s shifted is our focus. Over the past 18 months, we’ve zeroed in on enterprises, especially those with massive teams using countless tools, languages, and formats. Cloudsmith’s strength is bringing all that chaos together in one place, making it simpler, faster, and more secure to build great software.

### A Team That Feels Like Family 👩‍💻👨‍💻❤️

One of the things that sets Cloudsmith apart is the people. Early on, we were all generalists - pitching in wherever we were needed. But this year, we’ve started to mature, hiring specialists with deep expertise who can push us to the next level.

And while our roots are firmly in Belfast, where Cloudsmith began, we’ve expanded to Dublin, London, other locations around Ireland and the UK, as well as India and the United States, too. Belfast, though, holds something special - it’s become home for many of us, including our New York-born CEO, Glenn Weinstein.

Glenn, who splits his time between the U.S. and Belfast, shares in the video how much he’s come to love the city. “There’s something about walking the streets of Belfast, grabbing dinner, or just soaking up the atmosphere that makes you feel welcome,” he says. “As someone from New York, I never imagined Belfast would feel like home, but it truly does.”

Even though we’re a remote-first team, we believe in the magic of in-person connection. That’s why we bring everyone together three times a year for offsites in Belfast. Those few days - full of laughs, ideas, and even a pint or two - are what fuel the trust and camaraderie that make Cloudsmith such a unique place to work.

### Building What Matters 🛠️✨

For our Engineering team, 2024 has been a year of transformation. What used to be a single team now includes specialized squads like Bytebusters, Sentinel, Platform, and Kronos. These groups allow us to go deeper into what we’re building, whether it’s improving security, expanding formats, or creating a sleek new web app that’s already winning over customers.

Looking ahead to 2025, the roadmap is ambitious - and that’s putting it mildly. From digital signatures to advanced policy management tools, we’re diving headfirst into solving some of the biggest challenges in the software supply chain. It’s a big task, but one we’re excited to tackle.

### Putting Customers First 🤝💡

If there’s one thing that’s really hit home this year, it’s this: our customers don’t just need great software - they need a partner. As we’ve worked with Global 2000 and Fortune 500 companies, we’ve realized that onboarding isn’t just about flipping a switch. It’s about walking alongside them, helping them adapt, and making sure every team - whether it’s five people or 500 - feels supported.

This has been a game-changer for us. We’re not just delivering a product; we’re building relationships. And those relationships? They’re built on trust, understanding, and a commitment to helping our customers succeed.

### Looking to the Future 🔮🚀

As we close out 2024, we feel like we’re just getting started. Yes, we’ve grown. Yes, we’ve achieved incredible things. But our dreams are bigger than ever. Glenn Weinstein puts it perfectly: “Cloudsmith isn’t just a feature or a niche. We’re building something foundational, something that will change how enterprises everywhere manage their software supply chains.”

We believe Cloudsmith can be a cornerstone for enterprises - a platform that simplifies, secures, and transforms how software is built. We’re still on the journey, still learning, still growing. And we’re so grateful to everyone who’s been part of it - our team, our customers, and our community.

Watch the video above to hear more from Glenn Weinstein about this incredible year and what’s ahead. And if you’re curious about how Cloudsmith can help your team, we’d love to show you.

Here’s to 2025 and everything it holds. Let’s build it together. 💪✨

Last month, Datadog announced an interesting and useful new feature they call the [Supply-Chain Firewall (SCFW)](https://github.com/DataDog/supply-chain-firewall). It offers a real-time scanning approach that identifies vulnerabilities as developers pull packages from public registries like npmjs. It highlights the broader challenge organizations face when securing their software supply chain: managing risk consistently and efficiently at scale.

Anything that helps developers choose better, more secure open source packages is a good thing. That said, the Cloudsmith perspective on this would be that once you get beyond individual developers or small teams, it makes sense to create curated repositories - a proactive, centralized way to manage packages and enforce security policies. Let’s compare the two approaches.

### **What Datadog’s Supply-Chain Firewall Offers**

Datadog’s SCFW intercepts and scans packages from public repositories in real time as developers pull them into their projects. This allows developers to get immediate feedback about vulnerabilities.

Key Benefits of SCFW:

- Real-Time Scanning: Developers are alerted about vulnerabilities as soon as they pull a package, reducing the risk of introducing issues further down the development pipeline.
- Pluggable Scanning Architecture: SCFW allows integration with different scanning engines, offering some flexibility for developers to tailor the tool to their needs.

SCFW focuses on individual package decisions during development. This works great at the individual developer level. For larger organizations, you’re probably going to need a more scalable solution to supply chain security. Here’s where just using SCSW would fall short in a larger organization -

1. No Persistent Package Management:SCFW focuses on scanning in real time rather than managing a persistent, curated list of approved packages. Without a centralized repository, decisions about which packages and vulnerabilities are acceptable must be made repeatedly, often by individual developers.



1. Inconsistent Security Decisions:Developers are tasked with deciding whether a vulnerability is acceptable. This can result in inconsistent decisions across teams - two developers may allow or block the same package based on personal judgment. For larger teams, this can become unmanageable without centralized oversight.



1. Lack of Policy Enforcement:SCFW lacks a policy engine to define and enforce consistent rules for what constitutes an acceptable package. Without a policy framework, decisions are made on a case-by-case basis, which can increase the risk of vulnerabilities slipping through.



1. Scalability Concerns:As teams and projects grow, real-time scanning could impact performance, particularly if a high volume of packages is being pulled. For organizations with complex pipelines, this may create bottlenecks.



1. Limited Package Format Support:Currently, SCFW supports only a limited set of package formats (e.g., npm). Modern software teams typically work across multiple formats - such as Docker, Maven, PyPI, and others - which requires broader support.

The alternative to this is curated repositories. Rather than pulling directly from public sources, developers retrieve packages from trusted, centralized repositories that are managed and approved by their organization’s security team. Why is that better?

1. Centralized and Persistent Security Control:With curated repositories, security teams or DevSecOps professionals define and maintain a trusted list of approved packages. Developers no longer need to assess vulnerabilities individually - every package pulled is already vetted, reducing risk and eliminating inconsistent decision-making.



1. Policy-Driven Automation:Cloudsmith supports policy enforcement that automates decision-making about which packages are allowed. Security teams can set clear rules, such as blocking known vulnerabilities or restricting certain versions, and those policies are consistently applied across the organization.



1. Scalability at Enterprise Levels:Cloudsmith is designed to scale seamlessly. Curated repositories ensure fast, efficient access without performance bottlenecks.



1. Support for Multiple Package Formats:Cloudsmith (and other platforms like ours) supports a wide range of formats - including npm, Docker, Maven, PyPI, NuGet, and more - ensuring all teams can centralize their artifacts and manage security consistently, regardless of the technologies they use.



1. Reduced Developer Burden:By shifting security decisions to a centralized repository and automated policies, Cloudsmith removes the need for developers to manually assess vulnerabilities. This allows teams to focus on building software, confident that they’re pulling packages from a secure, trusted source.

Real-time vulnerability scanning, like Datadog’s SCFW, is an innovative approach for identifying risks early in the development process. We love seeing this kind of innovation to solve what are becoming increasing urgent issues in securing the software supply chain. That said, for larger organizations, it’s not quite a complete solution.
