How Tim Miller is building Kusari to bring more transparency to software supply-chain security

Tim Miller

Modern software moves fast. Developers build with open-source libraries, cloud services, containers, internal tools, APIs, third-party packages, and automated pipelines. That speed has changed how products are built, but it has also made software harder to understand.

A company may know what its main application does, but not always what sits underneath it. One product can depend on hundreds or even thousands of components. Some are direct dependencies that engineering teams choose on purpose. Others are transitive dependencies pulled in quietly through other packages. When a vulnerability appears, the real challenge is not just fixing code. It is knowing where the risk exists in the first place.

That is the space where Tim Miller is building Kusari. As co-founder and CEO, Miller is focused on one of the most important questions in software security today. How can organizations trust the software they build, ship, and use if they do not have clear visibility into what is inside it?

Kusari is built around the idea that software supply-chain security needs to be more transparent, practical, and useful for real engineering teams. Instead of treating security as a separate checkpoint at the end of development, the company is working to bring better insight into the places where software is actually created, reviewed, and released.

Who is Tim Miller

Tim Miller is the co-founder and CEO of Kusari, a company focused on software supply-chain security. His background gives the founder story a practical edge. Before Kusari, Miller spent more than two decades leading engineering work in financial services, including environments where secure, reliable, mission-critical systems were part of daily life.

That kind of experience matters. In financial technology, software is not just a convenience. It supports trading systems, operational workflows, sensitive data, compliance demands, and business-critical decisions. When systems fail, the consequences can be serious. When security gaps appear, teams need to understand them quickly and act with confidence.

This background helps explain why Kusari is not built around vague security promises. The company is tackling a real operational pain point. Developers and security teams often work with incomplete information about software components, dependency chains, build processes, and open-source risk. Miller’s work with Kusari is aimed at making that information easier to see and easier to use.

What Kusari does in software supply-chain security

Kusari helps organizations improve visibility into their software supply chains. In simple terms, that means helping teams understand what software is made of, how it was built, which components it depends on, and where risk may be hiding.

This includes important areas such as SBOMs, dependency mapping, vulnerability context, software provenance, CI/CD pipeline checks, and open-source risk management. These terms can sound technical, but the basic idea is easy to understand. Teams need a clearer picture of the software they are trusting.

A strong software supply-chain security process can help answer questions like these:

  • Which open-source packages are being used across our applications
  • Which dependencies are vulnerable or outdated
  • Which components came from third-party sources
  • Where are transitive dependencies creating hidden exposure
  • Can we prove how a piece of software was built
  • Are security checks happening before code reaches production
  • How quickly can we respond when a serious vulnerability is disclosed

Kusari’s mission fits into a larger shift in cybersecurity. Companies no longer want security tools that simply create long lists of alerts. They want context. They want to know which issues matter, where the risk is located, and what action should come next.

Why software supply-chain transparency matters now

The software supply chain has become one of the most important security topics for modern organizations. The reason is simple. Most software today is assembled as much as it is written.

A developer might write original application code, but that code usually sits on top of frameworks, packages, libraries, containers, build tools, and cloud infrastructure. This creates a deep chain of trust. If one part of that chain becomes compromised, outdated, or poorly understood, it can create risk across many systems.

Transparency helps reduce that uncertainty. It gives teams a way to see what is running, where it came from, and how it connects to other parts of the system. Without that visibility, security teams often end up reacting under pressure.

A serious vulnerability can force organizations into a race against time. Teams need to know whether they are affected, where the vulnerable component appears, who owns the application, whether a patch exists, and how quickly it can be deployed. When that information is scattered or missing, response becomes slower and more stressful.

This is why Tim Miller’s work with Kusari is timely. The company is not just chasing a cybersecurity trend. It is addressing a growing reality for engineering teams that depend on open source and cloud-native development.

How Tim Miller is positioning Kusari around practical security

One of the strongest parts of Kusari’s story is its focus on making software supply-chain security usable. Security tools can fail when they sit too far away from developer workflows. If a platform adds friction, creates noisy alerts, or makes developers leave their normal tools, it often becomes another dashboard that teams ignore.

Kusari’s approach is more connected to the way software is actually built. The company’s work touches areas such as pull requests, code review, CI/CD pipelines, dependency analysis, and release readiness. That matters because many software supply-chain risks can be handled earlier if teams catch them at the right moment.

For developers, useful security means clear feedback. It should explain what is wrong, why it matters, and what can be done without slowing the entire team down. For security teams, useful security means visibility and control. They need confidence that the software moving through the pipeline meets the right standards.

Miller’s leadership sits at that intersection. Kusari is trying to help developers and security teams work from the same source of truth. That is an important part of software supply-chain transparency. When both sides can see the same dependency data, risk context, provenance details, and policy results, decisions become less emotional and more grounded.

The role of Kusari Inspector

Kusari Inspector is an important part of the company’s product story. It is designed to help teams review code and dependencies with more context. Instead of only pointing to possible issues, the goal is to help teams understand the relationship between code changes, third-party packages, transitive dependencies, vulnerabilities, and safe remediation steps.

This is especially useful as development teams move faster. Pull requests can contain new code, package updates, configuration changes, and dependency shifts. A small change may look harmless on the surface, but it can introduce a deeper risk if it brings in a vulnerable component or weakens the software’s security posture.

Tools like Kusari Inspector aim to make that risk visible earlier. This supports a more natural workflow for modern teams. Developers do not need to wait for a late-stage audit to discover a problem. Security teams do not need to chase every issue manually. The system can surface meaningful context closer to the point where code is written and reviewed.

This is one reason Kusari’s work is relevant beyond large enterprises. Open-source maintainers, startups, cloud-native teams, and fast-moving engineering groups all face the same core issue. Software is becoming more complex, and teams need better ways to understand that complexity without slowing down delivery.

Kusari’s open-source roots and the GUAC connection

Kusari’s story is also closely tied to open source. One of the most important names connected to the company is GUAC, which stands for Graph for Understanding Artifact Composition.

GUAC is an open-source project focused on bringing more understanding to software supply chains. It works by collecting software metadata, such as SBOMs and other security-related information, and mapping relationships between software components. Instead of treating each package, vulnerability, build artifact, or attestation as separate data, GUAC helps show how those pieces connect.

That kind of graph-based view is valuable because software risk is rarely isolated. A vulnerable package may affect several applications. A missing attestation may matter more for one release than another. A dependency may look low risk until it connects to a critical system. By showing relationships, teams can make better decisions.

GUAC was started by Kusari, Google, and Purdue University, and later became part of the OpenSSF ecosystem. That connection gives Kusari more credibility in the software supply-chain security space. It shows that the company’s work is not only about building a commercial platform. It is also connected to broader community efforts around open-source security, shared standards, and supply-chain transparency.

For Tim Miller, this strengthens the founder story. Kusari is not approaching the problem from the outside. It is participating in the same open-source ecosystem that many modern companies depend on.

The funding milestone behind Kusari’s growth

Kusari raised $8 million in combined pre-seed and seed funding to support its mission of bringing more transparency and security to the software supply chain. The company’s funding gives the story a clear achievement angle, but it also reflects something larger in the market.

Investors are paying attention to software supply-chain security because the problem is becoming harder for companies to ignore. Open-source software is everywhere. Development pipelines are more automated. AI-assisted coding is speeding up output. Cloud-native systems depend on many moving parts. At the same time, customers, regulators, and enterprise buyers are asking tougher questions about software trust.

For a startup like Kusari, this creates a meaningful opportunity. The company is building in a category where the pain is real, the technical challenge is deep, and the market need is growing. Miller’s role is not just to lead a cybersecurity company. It is to turn a complicated technical problem into a product that engineering teams can actually adopt.

That is often the hardest part of building a security startup. The best tool is not always the one with the most features. It is the one that fits naturally into the way teams already work and helps them make better decisions without adding unnecessary friction.

How Kusari is supporting the open-source security community

Kusari’s work with the broader open-source community adds another strong layer to the story. In 2026, Kusari partnered with the Open Source Security Foundation, known as OpenSSF, to provide Kusari Inspector at no cost for OpenSSF projects.

This matters because open-source maintainers carry a heavy responsibility. Many projects are used by thousands or even millions of people, but the teams maintaining them may be small. They often need to manage security, releases, community issues, dependencies, documentation, and code review with limited time and resources.

By giving OpenSSF projects access to Kusari Inspector, Kusari is helping maintainers map dependencies, understand transitive risk, identify gaps in provenance, and reduce manual investigation. That kind of support can help open-source teams make better security decisions without forcing them to become full-time security operations teams.

Kusari also announced work with the Cloud Native Computing Foundation, or CNCF, to support cloud-native projects. This is important because cloud-native software often depends on complex ecosystems of containers, orchestration tools, distributed services, APIs, and infrastructure components. The more connected the system becomes, the more important supply-chain visibility becomes.

These partnerships show that Kusari is building with the ecosystem in mind. The company is not only selling to organizations that consume open-source software. It is also helping the communities that create and maintain it.

Why Tim Miller’s approach stands out

Tim Miller’s approach stands out because it is grounded in a practical view of security. Software supply-chain security can easily become abstract. People talk about SBOMs, provenance, attestations, CVEs, SLSA, dependency graphs, and policy checks. All of those things matter, but they only create value when teams can use them in real workflows.

Kusari’s work is built around turning supply-chain data into action. That means helping teams move from asking broad questions to making specific decisions. Is this dependency safe enough to use? Does this pull request introduce new risk? Which application is affected by this vulnerability? Can we prove where this artifact came from? What should be fixed first?

This is the kind of clarity that security teams need, especially when software environments are growing more complex. Miller’s achievement is not simply that he co-founded a startup in a hot cybersecurity category. It is that he is building around a problem that sits at the center of modern software development.

The best security companies often succeed because they understand both sides of the workflow. They understand the pressure developers face to ship quickly, and they understand the pressure security teams face to protect the business. Kusari is trying to reduce the gap between those two worlds.

How AI coding tools make Kusari’s mission more important

AI coding tools are changing the way software gets written. They can help developers move faster, generate code, suggest fixes, and speed up repetitive tasks. But faster development also creates new pressure on code review, dependency management, and security checks.

If teams are writing and modifying code more quickly, they also need stronger ways to review what changed. They need to know whether new dependencies were introduced, whether generated code follows secure patterns, and whether a change creates risk inside the software supply chain.

This does not mean AI coding tools are bad. It means visibility becomes even more important. The faster software moves, the more teams need reliable context. Security cannot depend only on manual review, especially when the volume of code and dependency changes increases.

This is another reason Kusari’s work feels relevant right now. The company is building for a future where software delivery is faster, more automated, and more dependent on shared components. In that future, transparency is not optional. It becomes part of the foundation for trust.

Why Kusari matters for engineering and security teams

For engineering teams, Kusari’s value is tied to speed with confidence. Developers do not want to stop every time a security question appears. They want clear guidance that helps them keep moving without creating unnecessary risk.

For security teams, Kusari’s value is tied to visibility and prioritization. A security team cannot fix what it cannot see. It also cannot treat every issue as equally urgent. Better supply-chain data helps teams understand which risks matter most and where to focus first.

For leadership teams, the value is trust. Customers and partners increasingly want to know whether software is secure, where it came from, and how it is maintained. Stronger software supply-chain visibility can support audits, compliance needs, procurement reviews, and internal risk management.

This is why Tim Miller’s work with Kusari sits at the intersection of engineering, cybersecurity, and business trust. It is not just about scanning code. It is about helping organizations understand the software they depend on.

Tim Miller and the next phase of software supply-chain security

The next phase of software supply-chain security will likely be shaped by transparency, automation, and developer-friendly workflows. Companies will need better ways to generate and use SBOMs. They will need clearer dependency graphs. They will need stronger provenance data. They will need security checks that happen inside CI/CD pipelines instead of after release.

Kusari is building toward that future. Through its product work, open-source involvement, and partnerships with security communities, the company is positioning itself as part of a larger movement toward clearer, more trustworthy software.

For Tim Miller, the success story is still being written. But the direction is clear. He is building Kusari around a problem that every modern software organization has to face. As software gets more connected, more automated, and more dependent on open-source components, the need for transparency will only grow.

That is what makes the story worth covering. Tim Miller is not just building another cybersecurity startup. He is helping push software supply-chain security toward a more practical future, where teams can see more clearly, act more quickly, and build with greater trust.

Facebook
Twitter
Pinterest
Reddit
Telegram