The rise of AI coding tools means developers can create software applications faster than ever, but the risk for hacks and exploits is growing in lockstep. ThreatModeler, a cybersecurity company that helps developers identify vulnerabilities in their applications, announced on Thursday it is acquiring its largest competitor, IriusRisk. The deal is for over $100 million, according to a source with direct knowledge, who added that the annual recurring revenue for the combined companies is around $50 million.
In an interview with Fortune, ThreatModeler CEO Matt Jones said that his company’s goal is to “democratize” the practice of vulnerability detection at a time when many must rely on basic tools from larger platforms like Microsoft or turn to AI for threat modeling, which Jones argues is insufficient and can lead to massive risks. Jones said the acquisition will let ThreatModeler keep pace as firms are scaling up their coding capacity like never before. “For us to be able to bring the two leaders together,” he said, “We can be much more aggressive on [our] roadmap.”
Attack surface
Founded in 2010, the New Jersey-based ThreatModeler provides automated software that helps coders review security flaws in their applications before launching them. For many organizations, the alternative is relying on experts known as security architects, who review codebases after they’re live, which can be a cumbersome and often belated process.
Originally bootstrapped by founder Archie Agarwal, ThreatModeler took its first institutional funding in 2024 from the growth equity firm Invictus, which bought a majority stake in the company. Invictus will now be a majority investor of the combined businesses as well.
Until the acquisition, which closed at the end of 2025, ThreatModeler’s largest competitor was the Spain-based IriusRisk, with ThreatModeler even filing a patent infringement lawsuit against IriusRisk in early 2025.
Aside from resolving the litigation, Jones said that the deal made sense for customers by combining the two platforms, which he described as “80%” similar. “What we’re going to do is take the best of both and bring them together,” he said. The combined firms will have around 300 customers, which Jones said are mostly Fortune 1000 companies like banks and big tech operations, though he declined to name specific ones due to security concerns.
While ThreatModeler was founded well before the Nov. 2022 launch of ChatGPT set off the current AI revolution, Jones said that his company has integrated AI into its workflow, including a plan to launch an agentic product in the second half of next year that can adapt organizations’ threat models as their applications evolve.
The flip side of AI is that as organizations’ coding capacity increases, so does their need for software like ThreatModeler. “The more code that gets cranked out, the more that needs to be evaluated,” Jones said.
Different jurisdictions, including the U.S., Canada, and the European Union, are also implementing mandates for companies such as financial institutions and hardware manufacturers to maintain their own cyberthreat models.
As potential vulnerabilities accelerate, ThreatModeler’s new main competitor is likely companies turning to AI to develop their own threat modeling approach. But Jones said part of his company’s role is to educate on the need for robust cybersecurity practices. “If you do it yourself, you’re kidding yourself,” he said. “You may be thinking you’re doing threat modeling, when in fact you might be creating more risk for yourself.”
