From Reactive to Proactive: Clover Security's Design-Led Revolution

Backing Clover Security as it rethinks product security for the era of AI-native development.
Oren Yunger
Laura Hamilton
November 25, 2025

Security teams have been told to "shift left" for years. The logic is sound: catch issues early, when they're cheapest and easiest to fix. But the reality is that most security tools still catch vulnerabilities after code is written. They surface problems when developers are already shipping features, generating tens of thousands of alerts that teams scramble to prioritize. 

Security teams are stretched impossibly thin, with engineers outnumbering product security engineers 300:1 at most tech companies. Meanwhile, AI is accelerating everything: more PRDs (product requirements documents), more code, and more products shipped faster than ever.

We've been tracking this space closely, watching teams try to solve an increasingly urgent problem: how do organizations actually scale and prevent security issues before they're created? Fast forward to today, and Clover Security has become one of the most compelling answers to this question we've seen. That's why Notable Capital is proud to lead Clover's $30M Series A, with $36M in total financing.

The Missing Context Piece that Clover is Fixing

Fundamentally, code and business logic exist in separate silos. Implementation lives in GitHub while product context is spread across Confluence, Jira, and Google Docs. AppSec tools can scan code, but they have no idea why a system was designed a certain way or what security requirements actually matter. This forces security engineers to manually bridge that gap.

Clover Security rethinks product security for the era of AI-native development: make software products secure by nature, without forcing teams to change how they work, switch tools, or learn new systems.

Here's how it works. Clover's AI agents embed security into the earliest stages of development, before a single line of code exists. The platform plugs into the tools where product context already lives: Confluence, Notion, Google Docs, Jira, Asana, GitHub, GitLab (plus company-wide policies, compliance requirements, and customer contractual obligations that all live outside the engineering context). It ingests product design documents, understands system behavior, and applies security frameworks like OWASP ASVS or AWS Well-Architected.

Then it does what an experienced product security engineer would do: identifies potential security flaws, anticipates where threats could emerge, and provides guidance to both security and engineering teams directly in their workflow, whether that's Slack, Jira tickets, or documentation.

Security becomes second nature, with issues caught when they're conceptual, not when they're compiled. Teams prevent risk rather than react to it. And critically, small product security teams can scale their impact without becoming bottlenecks.

Early customers are seeing dramatic results: understaffed security teams supporting hundreds of developers have increased their review coverage by several multiples while going deeper and detecting significantly more threats at the design stage. They're intervening weeks earlier than was previously possible.

The Future is Full-Scale AI Security Engineers

CEO Alon Kollmann (who previously led product strategy at Dazz, which was acquired by Wiz) approached his co-founder search quite methodically, meeting many potential partners before teaming up with Or Chen. Or spent five years at Checkmarx leading SCA and API security products. He built a team from 5 to 70 people and scaled the business to over $40M in ARR. Together, they're a powerful combination: a customer-facing leader who deeply understands the problem, paired with a technical co-founder who knows exactly how to solve it. 

Since our first meeting, they've consistently exceeded expectations and built at a remarkable velocity. It’s exceptionally rare to see startups reach millions in ARR while still operating in stealth mode, but that’s what Alon and Or have pulled off. 

Already today, Clover is integrated deeper into the SDLC, beyond design. Clover taps into sources like GitHub, GitLab, and Bitbucket, not as just another vulnerability scanner, but to extract more context, understand existing code patterns, and identify gaps between design and implementation.

The next evolution is to treat AI coding agents like Cursor, Claude Code, and Devin the same way Clover treats human developers, providing them with design guidance and security review context.

The long-term impact is profound. As AI code generation improves and introduces fewer basic security flaws, the industry will shift focus to security threats at the logic layer.

Why Now

We're at a rare inflection point: AI capability, market readiness, and exceptional team execution have converged. A window has opened for design-led security that simply wasn't possible before.

Clover is at the center of this massive shift, helping companies reimagine product security for the AI era and building the foundation for how the next generation of software will be built.

Clover is the only platform with the context necessary for true design-phase security, and the product resonates strongly with both CISOs and developers, which is a rare feat in security. We're proud to partner with Alon, Or, and the entire Clover team as they make secure-by-design the default.
