What do they actually do?
SubImage is a hosted, agentless, read‑only service that builds a single graph of a company’s cloud, SaaS, and on‑prem assets and their relationships so security teams can see realistic attack paths and prioritize what to fix first (homepage; YC launch).
Teams connect their accounts via read‑only APIs, SubImage continuously ingests metadata into a queryable graph, and the UI highlights exploitable paths with explanations and recommended remediations. It integrates with existing tools (e.g., SIEM/SOAR/ticketing) and is built on the open‑source Cartography project for inspectability and extensibility (homepage; Cartography repo; YC launch). Today they recommend fixes but do not automatically generate Terraform, which they’ve discussed as a next step (HN launch/answers).
Who are their target customer(s)?
- Small/internal cloud security teams: They struggle to maintain an accurate, up‑to‑date picture of access across cloud and SaaS and end up manually checking changes rather than addressing the highest‑risk issues (homepage; YC launch).
- Vulnerability‑management teams: They face hundreds of alerts and need to know which ones are actually exploitable via a real chain to sensitive data so they can focus engineering time on the fixes that reduce risk (YC launch).
- DevOps/SRE owners: Routine config or permission changes can introduce silent risk; they want continuous, agentless checks and clear remediation steps rather than noisy, manual audits (homepage).
- Compliance and IT‑risk managers: They need to prove least‑privilege and provide audit trails, but excessive permissions and limited visibility make it hard to show who has access to what and how it changed over time (YC launch – prune permissions).
- Security teams at larger orgs wary of black‑box tools: They want a managed service that’s inspectable and extensible, not a locked vendor schema; the open‑core model and Cartography alignment help with verification and custom rules (homepage; Cartography repo).
How would they acquire their first 10, 50, and 100 customers?
- First 10: Start with organizations already using Cartography and the founders’ YC/OSS network; offer free white‑glove onboarding and a short audit that maps attack paths and demonstrates noise reduction, leveraging the agentless/read‑only setup and public demos to lower trial friction (Cartography repo; homepage; HN demos).
- First 50: Turn early wins into case studies and technical how‑tos; run targeted outreach to small internal cloud security and vulnerability teams via community channels and list connectors/self‑serve trials to enable quick evaluation. Begin partnering with select consultancies/MSSPs and use the open‑core story to reduce lock‑in concerns (homepage).
- First 100: Formalize reseller/MSP partnerships, add deeper integrations (ticketing/SOAR/IAM) to streamline remediation workflows, and publish onboarding templates for common verticals. Use ROI case studies to support a small SDR/AE motion for larger teams that need SLAs and audits (YC roadmap; homepage).
What is the rough total addressable market?
Top-down context:
Analysts estimate the CNAPP market at roughly $2.8B in 2024, growing to about $7.7B by 2029 (Dell’Oro). Adjacent CSPM/cloud security segments are similarly in the low‑to‑mid billions today and are forecast to roughly double over 3–5 years (MarketsandMarkets).
Bottom-up calculation:
Illustrative: if SubImage initially targets ~2,000 mid‑market and enterprise organizations with internal cloud/security teams that prefer managed, inspectable tools, and achieves an average ACV of $50k–$150k, that implies a near‑term addressable segment of roughly $100M–$300M (2,000 × $50k to 2,000 × $150k). This frames a realistic wedge within the broader multi‑billion‑dollar CNAPP/CSPM market.
Assumptions:
- There are on the order of a few thousand mid‑market and enterprise buyers actively evaluating CNAPP/CSPM‑style tools with internal security teams.
- Willingness to pay for a managed, graph‑first offering falls in a $50k–$150k ACV range depending on size and scope.
- Open‑core/inspectability is a meaningful selection criterion for a subset of these buyers.
Who are some of their notable competitors?
- Wiz: Broad cloud security platform that builds a security graph, finds attacker paths, and prioritizes fixes across vulnerabilities, misconfigurations, and identities; the main incumbent SubImage calls out.
- Orca Security: Agentless‑first cloud security vendor that scans cloud resources for vulnerabilities and risky configurations and surfaces prioritized findings; overlaps on fast, read‑only coverage.
- Prisma Cloud (Palo Alto Networks): Enterprise CNAPP suite covering posture, workload protection, and compliance with extensive integrations; competes on full‑stack coverage and enterprise features.
- Tenable / Ermetic: Ermetic (now part of Tenable) focuses on cloud identity and entitlement management and least‑privilege enforcement, overlapping SubImage’s permissions‑pruning roadmap.
- Sonrai Security: Maps cloud identities, data, and relationships to find risky access paths to sensitive data; competes on identity/data graphing and governance use cases.