Provided here is our redacted investment memorandum, detailing our rationale for investing in and leading DeepSource’s Seed in 2020.
COMPANY OVERVIEW
DeepSource is a next-generation static code analysis tool. Software engineers can connect their GitHub/GitLab profiles to DeepSource, which will then analyze their code to find potential bugs, security issues, antipatterns, etc., and raise them to the developer before the code gets shipped to production. DeepSource already works with some of the most prominent open source projects like Uber’s Ludwig, Slack’s Python API client, and more.
The company was founded in November of 2018, and took part in the winter 2020 Y Combinator batch.
KEY HIGHLIGHTS
- Impressive Open Source Adoption: DeepSource was founded in December 2018. In March 2019, they signed up Uber’s Ludwig project as a user; since then, they have analyzed their code on GitHub ~900 times (almost 3 times a day on average). From one of their blog posts:
  “We resolved more than 50 bugs, which made the codebase much more stable and dependable. This was possible also thanks to our friends at deepsource.io, as their tool allowed us to identify areas for improvement in the codebase.”
- Thoughtful Product Design: The first product offering, static code analysis, is not a new concept. Codacy, SonarQube, and other tools have educated the market about it, but have never built a compelling enough use case to get mass adoption. Google, Facebook, and other large engineering organizations have built their own tools to solve this problem. The DeepSource team has studied research from those teams to figure out how to improve on the experience.
- Purity of Motivation: Jai and Sanket have been involved in open source and developer tools most of their careers. Their first startup together, DoSelect, was a recruiting platform that helped with recruiting, onboarding, and training software engineers (RocketReach estimates revenue to be $5.8M).
- Large Market Opportunity: The developer tools market has been on the rise, with more and more developers entering the workforce every year. There will be 28 million developers out there by 2023, creating a TAM of $4.7B. This market is only now starting to get closer to maturity, and it has already generated a $375M exit in Coverity, as well as a $60M ARR company in SonarQube. DeepSource can capture a large share of it through their unique approach.
INDUSTRY OVERVIEW
Capers Jones, one of the leading experts in software development metrics and measurement, has spent a lot of time analyzing why bugs slip through the cracks, how many you can realistically fix, and how expensive it is to not do it. Steve McConnell mentions two of his papers in his “Code Complete” book. The two had a lot of good insights around bugs and why fixing them early makes engineering teams more productive, as well as saving companies money:
- Finding and fixing non-severe software defects after delivery is about twice as expensive as finding these defects pre-delivery. Finding and fixing a severe software problem after delivery is often 100 times more expensive than finding and fixing it during the requirements and design phase.
- Peer reviews catch only 60% of the defects, and having multiple perspectives represented during software reviews is an effective practice.
This makes it very important for companies to have thorough, early detection of bugs in their development process, but at the same time not every team has the resources to have a dedicated code reviewer for each pull request. Especially in distributed teams with different time zones, a developer might have to wait a day for a peer to review their code changes. This slows down software development, but at the same time it’s a necessary part of it.
To fix some of these problems, companies have started adding automated code quality check tools, either by paying for SaaS products like Codacy, or by rolling out their own solutions with open source tools like Danger. More sophisticated organizations like Google and Facebook have built their own static code analysis tools, rather than relying on existing solutions.
Static code analysis hasn’t gained widespread adoption in the developer world for a few reasons:
- Current tools like Codacy and SonarQube all have the same functionalities, and don’t really help with anything other than telling developers “You might be wrong”. This doesn’t create any virtuous loops that lead engineers to loving the tool.
- Solutions in the market are very noisy and have similar issues to security monitoring tools: when everything is an issue, nothing is an issue. Because the tools aren’t opinionated to begin with, developers don’t get a good experience out of them unless they spend time setting them up.
- Most of these tools don’t have great flexibility around writing custom rules, how to prioritize them, etc. They are mostly thin wrappers around open source tools like RuboCop and ESLint.
DeepSource is going after these issues:
- DeepSource is building an “Autofix” engine: rather than just telling you about potential mistakes, DeepSource will be able to write new code to fix them for you. This will save developers time, and make them want to check back in the product to see what can be automated. We believe this tool can really expand the market by making the tool useful even to small teams, who might not even have code review processes in place.
- DeepSource is very opinionated and strives for <5% false positives. For example, they don’t flag style issues as blockers by default, unless the developers have turned this on in their linter configuration. By making the tool more focused, developers will react to it; once they react, they realize it is useful, building trust in it.
- DeepSource is planning to open source all of their autofix engines; this will allow developers to fully customize both how issues are detected and how they are fixed. By allowing everyone to contribute to the engines, it will make it faster for them to get fixes for new rules in the product.
COMPETITIVE LANDSCAPE
Codacy
- Codacy was founded in 2012 and has raised $14.4M to date. At a high level, they have a product offering very similar to DeepSource (static code analysis on demand), but fail to offer more advanced features like custom rules writing, or an “Autofix” functionality. They have good customer logos including PayPal, Adobe, Delivery Hero, and Blue Bottle Coffee.
- Codacy raised a $7.7M Series A round in October of 2019 from a syndicate of investors, led by Join Capital. At the time, the company had 450 customers. On its website, the company states that it has 40 employees and 65,000 developers using its product. At the moment, there are ~2,000 projects on GitHub with a `.codacy.yml` configuration file. DeepSource already has 1,000+ projects after just one year, showing much quicker open source adoption than Codacy.
- Despite its rapid growth in users and customers, there isn’t much indication of the actual revenue growth that Codacy has generated. Its current team size and funding suggest that the business is in the $5M to $10M revenue range, which is a small size for a company founded in 2012.
Code Climate
- Code Climate was founded in 2011 and raised a $4.5M Series A round from USV and Lerer in 2016. When announcing its Series A round, the company cited 80,000 developers using its product. At the time, the company stated its vision to be “Empowering every developer to improve the quality of their code and the outcomes of their projects with the most advanced, open and extensible platform for source code analytics.”
- Their initial product was similar to DeepSource, but they have since pivoted into an engineering team performance platform. They still offer the code quality review tool, but it’s not their main focus anymore. Their offering suffers from similar issues (low flexibility, high noise/signal ratio).
- Similar to Codacy, Code Climate doesn’t appear to have scaled. The company appears to have between 20 and 30 employees, based on LinkedIn, and hasn’t raised a Series B, even though 4 years have passed since the Series A round.
SonarQube
- SonarQube is part of SonarSource, which was founded in 2008 and raised $45M from Insight Ventures in 2016. Their product was built in 2008 and still leverages some of those technologies, like Java. Nowadays, software engineering is moving forward with more modern languages like Python and Go, and it will be hard for Sonar to grow their user base. Their custom rules engine only works with XPath and Java, which aren’t as popular anymore.
- The company is doing ~$55-60M of ARR, and has been growing at a good rate. Their model is opposite to DeepSource, since it focuses on top down sales.
ShiftLeft
- ShiftLeft was founded in 2017 and has raised $29.3M to date from Bain Capital Ventures and Mayfield Fund (one of their founders was an advisor in residence here). Their product is a security-focused static code analyzer: rather than helping you fix all potential issues, their main goal is to help you avoid security vulnerabilities, outdated dependencies, etc. DeepSource partially offers this too, but it’s not their main offering. The two products aren’t necessarily competitive at the moment (you could use both of them), but in the future they might bump into each other.
Coverity
- Coverity was founded in 2002, only raised one funding round of $22M from Benchmark and Foundation Capital in 2012, and was then acquired in 2014 by Synopsys for $375M while doing ~$20M of revenue. The company is currently installed on 6,600 open source projects, and used by 33,000 developers.
- The last blog post regarding a customer success story is from 2013, so it seems the project isn’t being marketed by Synopsys that well. They also focus on mostly legacy languages, like C, C++, and Java.
TEAM OVERVIEW
The team currently employs 12 people, 8 of whom are in engineering. Jai and Sanket plan to return to San Francisco once the COVID-19 restrictions are lifted and start building a team there, mostly around developer evangelism and marketing.
Jai and Sanket previously worked together at DoSelect, a startup that aimed to make the engineering recruiting process more efficient and fair. They raised a seed round for the company in 2016, but didn’t raise any follow-on funding. The company is still active today and seems to be growing, having reached 200,000 Alexa Global Rank.
Both founders have experience in open source and developer platforms. Jai used to be a Senior Application Reviewer at Mozilla for 3 years, where he helped review code for applications that were deployed in the Firefox Marketplace, as well as working with OEMs to ship FirefoxOS to India. He also participated in Google’s Summer of Code in 2015. Sanket has spoken at more than 50 events around developer communities, and is a contributor to major Python projects like Django.
MARKET SIZING
There are 23 million software developers in the world, a number that is expected to reach almost 28 million in the next three years. We divide this market into two segments, “starter” developers (i.e. working at small shops, agencies, early stage startups, etc.) and “enterprise” developers (i.e. working in engineering teams with 75-100+ members).
We estimate starter developers to account for 75% of the market size, and enterprise ones to be 25%. The main difference between the two groups is not skills, but feature requirements like SLAs, audits, compliance, etc.
This market as a whole would generate a TAM of $4.7B. We size the serviceable market to be smaller than that, at least initially:
- We assume that only 25% of “starter developers” will be addressable initially (due to budget constraints, not having good engineering practices in place, etc.), but expect this to grow as DeepSource becomes well-known in the industry. This is similar to what happened in the CI/CD market: it was initially a niche product, but it is now a widespread, must-have practice in DevOps and spawned multiple large companies like CircleCI and Jenkins.
- In the enterprise, we assume that half the market either doesn’t want to use a tool like this at the moment, or already has an existing solution that it is happy with. The other half is the set of companies like Uber, Slack, etc. (both existing DeepSource users) who are quickly scaling their engineering teams and have increased need for stability and consistency in their code base.
Putting these limitations in place leaves us with 7.2M software developers for a $1.7B TAM. The underlying market is also growing independently, with the number of software developers growing quickly year over year.