Cloudsmith, the Belfast-headquartered artifact management platform, has raised $72 million in Series C funding led by TCV, with participation from Insight Partners and other existing investors. The round, announced on 23 April 2026, takes the company’s total funding to well over $100 million and positions it as one of Northern Ireland’s most significant software businesses, with a valuation that public reports place close to the $1 billion mark.
Cloudsmith was founded in 2016 by Alan Carson and Lee Skillen, who met working for the New York Stock Exchange’s Belfast engineering operation, and now employs around 130 people, the bulk of them at its Belfast headquarters. The new capital will fund product development and an expansion of go-to-market capabilities, as the company moves to consolidate its position in an artifact management category that has become a front line in enterprise software supply-chain security.
Inside the round
TCV — the growth investor best known for backing Netflix, Spotify and Airbnb — leads the Series C, with continued participation from Insight Partners, which joined Cloudsmith’s Series B in 2025. The round fits a pattern in 2026 of large growth-stage cheques written into infrastructure companies that sit on the compliance-critical path for enterprise software delivery.
Cloudsmith has the scale and the broad view across the open-source ecosystem to protect enterprises against the new kinds of threats that AI-driven development introduces.
Glenn Weinstein, CEO, Cloudsmith
Morgan Gerlak, partner at TCV, added that “Cloudsmith is uniquely positioned to become a platform enterprises rely on for compliance, control, and security.” Thomas Krane of Insight Partners echoed the framing, citing Cloudsmith’s position to help power enterprise and AI-driven builds and mitigate emerging risks.
Why artifact management is in the spotlight
Cloudsmith sells a universal artifact management platform — the system of record for the software packages, container images and binaries that modern applications depend on. It supports dozens of package formats, integrates with enterprise identity and policy tooling, and increasingly doubles as a control plane for software supply-chain security.
The category has become strategically important for two reasons. First, regulators on both sides of the Atlantic — from the US executive order on improving cybersecurity to the EU’s Cyber Resilience Act — have pushed formal requirements for software bills of materials (SBOMs), provenance attestation and vulnerability response. Second, the explosion of AI-assisted code generation has dramatically increased the volume of third-party dependencies flowing into enterprise codebases, amplifying the risk surface that artifact-management platforms are designed to contain.
Cloudsmith’s pitch is that enterprises can no longer rely on a collection of format-specific repositories — one for npm, another for Docker, another for Python — stitched together with in-house policy scripts. The company is betting that a single cloud-native platform with deep security telemetry will win against both incumbents such as JFrog and Sonatype, and against open-source self-hosted tooling that has become difficult to govern at scale.
New product direction
Alongside the funding, Cloudsmith announced an expansion of its security stack. The company highlighted two core additions: continuous package enrichment, which continuously updates metadata, vulnerability intelligence and provenance for stored artifacts; and OPA-based policy management, which applies Open Policy Agent rules to artifact workflows. Features flagged include cool-down periods for newly published packages, exploitability-based prioritisation, deeper SBOM inspection and detection of malicious packages.
For enterprise security teams, the pitch is operational: less time triaging low-risk CVEs, more automated enforcement of policy, and a clearer audit trail for AI-generated code paths.
The competitive and regulatory picture
Cloudsmith’s main public competitors are JFrog, which went public in 2020, and Sonatype, which has remained private under Vista Equity Partners. Both command substantial enterprise footprints, but both were architected before the current wave of supply-chain legislation and AI coding workflows. Cloudsmith’s bet is that a newer, API-first architecture lets it move faster on the capabilities enterprise buyers now prioritise — particularly around SBOM, attestation and AI-specific risk controls.
For Belfast’s technology scene, Cloudsmith’s Series C is a significant moment. Northern Ireland’s startup ecosystem has produced a number of notable outcomes over the last decade but relatively few growth-stage software companies operating at this scale. The round will bring increased focus on Belfast’s talent base, particularly in cyber and developer tooling, and will put further pressure on local universities and government agencies to keep pace with hiring demand.
What to watch
The questions ahead for Cloudsmith concern durability more than direction. Growth-stage infrastructure rounds raise the bar on net dollar retention, multi-product adoption and enterprise penetration. The company will need to show that its AI-era security story converts into measurable platform stickiness — and that the artifact management layer becomes, as Weinstein argues, the mandatory chokepoint for compliant software delivery.
For Sesamers readers tracking European software infrastructure, Cloudsmith is one of the most interesting growth-stage stories on the continent: a European-built platform now backed by two of the most consequential American growth investors, positioned squarely at the intersection of regulation, AI and enterprise developer tooling.
Source: Tech.eu — Cloudsmith raises $72M Series C to secure the AI-era software supply chain (23 April 2026)