Clover Raises $36M to Automate Product Security Reviews

A startup run by a former Dazz and Hysolate product leader emerged from stealth to automate and augment product security tasks for enterprise development teams.

See Also: Complete Guide to Building an Identity Protection Strategy

New York-based Clover Security plans to use the $36 million from Notable Capital and Team8 to shift product security from a reactive, scanner-based model to a proactive, design-led approach powered by AI, said co-founder and CEO Alon Kollmann. The company’s flagship agent automates design and architecture reviews, easing the burden on lean security teams by collecting context, he said.

“What they’ve been doing is just very manual, repetitive work, trying to review documents, trying to provide guidance to developers, trying to train developers and product managers about security, trying to answer their questions whenever questions come up about security,” Kollmann told Information Security Media Group. “Now, we bring them agents to augment and automate a lot of these activities.”

Clover Security, founded in 2023, employs 54 people and has been led since its inception by Kollmann, who spent nine months leading Dazz’s product strategy and more than three years as an engineering manager at Hysolate. Dazz was acquired by Wiz in November 2024 for $450 million, while Hysolate was purchased by Perception Point in March 2022, which was in turn bought by Fortinet in December 2024 (see: Wiz Fortifies Application Security With $450M Dazz Purchase).

Where Traditional Product Security Practices Come Up Short

Traditional product security practices are based on scanning code or infrastructure after development is complete, which Kollmann said is unsustainable in the era of AI-accelerated development. Clover’s core innovation lies in shifting the security paradigm upstream into the design phase, before a single line of code is written, which Kollmann said helps security teams get involved earlier.

“Up until Clover, every tool that security teams had was super reactive. It was a scanner scanning either code or cloud environments,” Kollmann said. “It was about telling developers what they got wrong after the fact, after they already coded. Whereas with Clover, we’re adopting a much more design-led, proactive approach, collaborating with developers to make sure they take security into account.”

Clover plans to enhance its current product by maturing its existing agents in complex areas such as code analysis and will continue developing new agents to handle adjacent use cases, further automating the product security pipeline. The company also wants to expand its presence among large enterprises, increase customer acquisition and deepen existing customer relationships through more robust use.

“We understand there’s a big opportunity right now in the market, but we have to move quickly,” he said. “Organizations are adopting AI super quickly, and they’re looking for solutions right now for securing how development is changing in their organizations and to tackle those new challenges. It’s something we need to do now. That’s why we’ve been moving pretty aggressively as a company.”

Security teams are increasingly overwhelmed by the volume and complexity of software development, particularly with the acceleration brought on by AI tools including Copilot or Cursor, Kollmann said. Rather than adding headcount or relying on outdated scanners and reactive alerts, Clover deploys AI agents that automate and augment large portions of a security engineer’s responsibilities, Kollmann said.

“We’re leveraging AI agents to augment and automate a lot of the manual work that today’s small and lean security teams have to deal with more manually,” Kollmann said. “We’re focused on product security and security architecture.”

How Clover Streamlines Design and Architecture Reviews

Design and architecture reviews historically required pulling together fragmented information across project planning tools, tickets, Confluence pages, technical diagrams and Slack threads, Kollmann said. But Clover’s AI agent automatically collects, synthesizes and analyzes this information, surfaces relevant threats, makes security recommendations and initiates outreach to developers to gather more context.

“Designing architecture reviews was a very natural first agent, because many of the prospects we spoke to already spent time and effort trying to do design reviews, but it took them a lot of time, a lot of resources that they just don’t have,” he said. “Once we deliver them that value, and they understood how the engine works, they came up with more and more requests for additional adjacent things.”

AI-assisted development introduces its own risks, and Kollmann said developers using tools like GitHub Copilot, Cursor, or other generative code assistants at scale can inadvertently introduce vulnerabilities. To address this, Kollmann said Clover has developed a specialized agent that integrates with these tools to enforce security guardrails and recommend secure patterns in real time as code is generated.

“This is another unique capability that we can offer with a specialized agent that can focus on surfacing these drifts from design to implementation,” Kollmann said.

Clover’s platform is designed for modularity and reuse, enabling the company to quickly introduce new agents without rebuilding infrastructure from scratch. This architecture supports feature expansion, meaning 90% of Clover’s backend systems are shared across all agents and the company can release new agent capabilities without requiring customers to go through complex onboarding each time.

“We reuse not only the underlying data and context that we have about the organization, but also a lot of the capabilities around defining automation workflows and deciding where agents should engage versus where they shouldn’t,” he said. “For the customer, it’s abstracted. They integrate Clover, they do it once, and we use the underlying analysis we do to serve every single agent that Clover offers.”