SAN FRANCISCO, Nov. 17, 2025 (GLOBE NEWSWIRE) -- SubImage, the first company to bring an open-core cloud security graph to the enterprise, announced today it has raised $4.2M in seed funding from FundersClub, Y Combinator, Phosphor Capital, and Transpose Platform. The company will be using the funds to grow its engineering team, expand customer pilots, and ship features that shorten the time to fix security issues.

SubImage’s co-founders, Alex Chantavy and Kunaal Sikka, both worked on security teams across government, enterprises, and hypergrowth startups.

Chantavy began his career at the National Security Agency (NSA), later joining Microsoft’s Red Team, where his job was to act like a real attacker and identify Microsoft’s immediate fixes. “The most important tool was our internal cloud knowledge graph because it showed us a map of the easiest attack paths,” said Chantavy. He later joined Lyft, where the team open-sourced those ideas as Cartography, which went on to influence a wave of graph-based security platforms. “One of the most effective ways to defend an environment is to see it the same way an attacker would,” said Chantavy. “This makes it clear what to fix first and why, especially when teams don’t have the resources to fix everything at once.”

With SubImage, Chantavy and Sikka are bringing automation to the graph-first approach they pioneered at Lyft. Over the years, many teams paired commercial scanners with Cartography to fill visibility gaps. SubImage closes that divide by learning each organization’s context and surfacing findings that matter to them.

Many teams still struggle to turn that visibility into action. “Organizations need to know what assets they have and how they’re configured, because getting that wrong means getting hacked,” said Chantavy. “Most tools stop at visibility or bury data behind closed schemas. We’re building an open, extensible system that not only shows what’s wrong, but explains why it matters and how to fix it.”

SubImage bridges this "last mile" of remediation for customers by:

1. Correlating infrastructure and event data to infer ownership.

2. Prioritizing findings based on real exploitability and an organization's risk profile.

3. Remaining open-core and extensible so that users aren't locked into proprietary ecosystems.

“Our foundation is Cartography, which many companies already trust,” said Sikka. “We are an open-core alternative to Wiz. We’ve kept it open so teams can extend coverage to anything they rely on. It also means users aren’t locked out of understanding how their own security graph works. That openness builds confidence, especially during incidents that need real-time response and can’t wait on vendor support.”

“We are thrilled to support the team behind Cartography that is bringing automation and intelligence to mapping infrastructure with an open-core approach,” said Alex Mittal of FundersClub. “SubImage will be critical for companies that need to map all of their assets in their cloud environment and end-user devices, and we’re excited to help them grow their team and surface, prioritize, and address vulnerabilities for their customers.”

About SubImage

SubImage is the first company to bring an open-core cloud security graph to the enterprise. It maps your entire infrastructure so you know exactly what’s exposed, misconfigured, or needs attention first. Security teams use SubImage to fix vulnerabilities, identify ownership, and respond to incidents faster. Developed by the team behind Lyft's Cartography open source project, SubImage is backed by FundersClub, Y Combinator, Phosphor Capital, and Transpose Platform. Learn more at https://subimage.io.

Contact

Kerry Metzdorf

kerry@big-swing.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/060d0a1f-39af-4f29-aab2-e0da18960618