Codenotary Raises $16.5M for Supply Chain Security

Codenotary $16.5M for Software Supply Chain Security

📖 Estimated reading time: 5 minutes | 📅 Last updated: 2025-12-01

Introduction

Software supply chain security is no longer an IT checkbox — it is a strategic imperative that determines whether modern enterprises can operate, comply, and compete. That urgency helps explain why Codenotary has secured $16.5 million from existing and new investors to accelerate product development and global expansion.

Organizations from major financial institutions to government and defense agencies are demanding continuous, automated ways to verify trust and integrity across distributed software environments. Codenotary’s pitch is to use AI-driven automation and deterministic verification to deliver real-time policy enforcement at scale.

Why AI-driven trust reshapes software supply chain security

Limitations of traditional controls

Traditional supply chain controls—manual attestations, periodic scans, one-off signatures—fail when software moves continuously across CI/CD pipelines, cloud services, and edge devices. These approaches generate noisy signals and leave gaps as artifacts traverse environments.

Deterministic evidence paired with AI

Codenotary couples deterministic methods (cryptographic provenance, immutable attestations) with AI to automate policy decisions and surface high-confidence anomalies in real time. Deterministic evidence of what changed, when, and by whom, plus AI triage, reduces noisy alerts and helps security teams focus on true risk.

Technical approach: SBOM, attestations, policy-as-code

Technically, this approach combines SBOM-style component visibility, runtime and artifact attestation, and continuous verification against policy-as-code. In practice, that translates to rapid validation during build and deployment, continuous enforcement across environments, and scalable telemetry for audits.

• Rapid validation: Validate software components during build and deployment.
• Continuous enforcement: Enforce policies as artifacts travel across environments.
• Scalable telemetry: Generate logs and proofs that support audit and compliance needs.

What $16.5M enables: product acceleration and market scale

The capital will fuel three linked plays: deeper product engineering, expanded commercial coverage, and localized presence in high-demand regions. Codenotary says it will hire across engineering and sales teams and accelerate market entry into additional countries, with clear momentum in the United Kingdom and Asia.

This geographic focus aligns with rising regional requirements around software provenance and government supply-chain protections. Investor interest has shifted toward platforms that provide continuous assurance rather than point tooling, and Codenotary positions itself in that space with a hybrid deterministic/AI model.

For large enterprises, the company claims rapid deployment and scale to support continuous verification across applications and infrastructure — helpful for CIOs and CISOs negotiating cloud transformation and stricter audit cycles.

Operational and strategic consequences for different stakeholders

Security leaders must translate platform capabilities into governance and operational routines. Procurement, engineering, and compliance functions will need new inputs and processes to consume continuous attestation data.

For procurement teams, Codenotary’s approach changes vendor risk assessments: organizations can require continuous attestation feeds and policy enforcement endpoints instead of episodic questionnaires. For engineering, the ask is to adopt policy-as-code and integrate verification without slowing delivery.

For compliance officers, continuous logs and cryptographic proofs simplify audit evidence collection and reduce friction during audits.

“With Codenotary’s AI technology we have unlocked new use cases for our IT operations which add tremendous value to our efficiency, security and operational excellence. As a technology supplier to the Swiss Armed Forces, data sovereignty and data security when using AI and LLMs is paramount for RUAG, and we build on our trusted relationship with Codenotary.”
— Marcel Schlauss, RUAG

Anticipated challenges and how to manage them

Adoption won’t be frictionless. Integrating continuous verification into complex legacy ecosystems can surface policy conflicts, produce false positives, and require new skill sets.

To manage adoption risk, organizations should start with high-value pilots, implement progressive enforcement, align policies with existing compliance frameworks, and invest in upskilling teams on attestation and cryptographic provenance.

• Start small: Pilot on critical apps and high-risk third-party components.
• Progressive enforcement: Monitor first, then enforce policies.
• Policy alignment: Map controls to existing compliance frameworks to avoid duplication.
• Upskilling: Train teams on attestation, cryptographic provenance, and policy-as-code.

The platform is not a silver bullet: governance discipline and clear incident playbooks remain essential even with automation that reduces operational load.

A strategic playbook for leaders

Leaders who move fastest will treat software supply chain security as cross-functional infrastructure. Practical steps include mapping critical software flows and prioritizing verification points.

• Map flows: Identify critical software flows and verification points.
• Integrate: Feed attestation outputs into SIEM and incident response pipelines.
• Contract terms: Negotiate rights to continuous attestation data with suppliers.
• Data sovereignty: Enforce controls where national security or regulatory mandates apply.

Bold insight: adopting continuous, AI-assisted verification converts trust from manual assurance to measurable operational telemetry that improves decision-making across teams.

Conclusion

Codenotary’s $16.5 million raise reflects a broad shift: enterprises now expect continuous, automated trust mechanisms as a standard part of IT operations. AI-enabled automation layered on deterministic attestation helps organizations validate components, maintain compliance, and respond faster to supply-chain risk.

For leaders, the takeaway is clear: prioritize continuous verification, embed policy-as-code in pipelines, and treat provenance data as a first-class asset. Software supply chain security is becoming operational infrastructure — those who treat it as such will reduce risk and enable faster innovation.