Building Trust In The Age Of AI: Sonatype CEO Bhagwat Swaroop On Why India Is The Future Of Software Security

In a conversation with Bhagwat Swaroop, CEO of Sonatype, we explore the strategic thinking behind this expansion, the misconceptions holding enterprises back, and how AI is reshaping what it means to build software securely in 2025 and beyond.

Bhagwat Swaroop, CEO, Sonatype

Sonatype®, a global leader in AI-driven DevSecOps, has chosen Hyderabad as the newest node in its worldwide innovation network with the opening of a 200+ person Innovation Hub. As software supply chain security becomes a defining issue for enterprises, the move signals India’s growing role as both a talent powerhouse and a testing ground for cutting-edge digital trust.

1. You're opening a 200+ person innovation hub in Hyderabad. What's the strategic inflection point that made India—and specifically this city—essential to Sonatype's global mission? Is this primarily about scaling engineering talent, or are you positioning India as the innovation epicenter for software supply chain security itself?

India has become the innovation engine of the world, and Hyderabad stands at the forefront of that transformation. India boasts a unique mix of world-class talent, deep engineering expertise, and a forward-looking government that understands the value of secure digital innovation. This is far more than a scaling play. This center will serve as a global hub for innovation and will drive advancements in AI-driven security, open source intelligence, and cloud-native software protection. We’re building a community in Hyderabad to shape how software is built and secured in the age of AI.

2. In your first 100 days as CEO, you met with 100 enterprise customers globally and kept hearing the same message: speed means nothing without trust. What's the one most surprising misconception you encountered about software supply chain security—and how should Indian enterprises rethink their approach to balance velocity with resilience in the age of GenAI?

The most surprising misconception I’ve heard is that software supply chain security is something you can “add on” after development. It must be embedded within every step of the DevSecOps process. In the GenAI era, speed has become effortless. Code that once took weeks can now be written in minutes. But if organizations don’t pair velocity with governance, they’re building on an untrusted foundation. My message is simple: treat trust as a product feature. Automate your security processes. Use AI responsibly to detect and prevent vulnerabilities before they enter production. True innovation happens when security is woven seamlessly into the fabric of development.

3. Your Q3 report exposed over 845,000 malicious packages targeting developers as the easiest entry point into enterprises. With India home to one of the world's largest developer communities, what's the real threat landscape here—and what's the one action Indian enterprises should take immediately to protect their developer workforce?

The reality is that developers are now the front line of cybersecurity. Attackers understand that compromising a single developer’s workspace can be far more effective than breaching a corporate firewall. Protecting developers is protecting innovation itself. India’s massive developer ecosystem, one of the most active in the world, makes it both a target and a testing ground for this kind of attack. Indian enterprises must secure the software supply chain from the inside out. That means giving developers trusted sources for open source components, automating dependency scanning, and using AI-powered tools to block malicious code before it’s ever used.

4. India is simultaneously one of the world's largest sources of developers and an emerging target for supply chain attacks. How does Sonatype view India's dual role—and what responsibility do Indian tech leaders and organizations have in shaping the future of global software integrity?

India plays a powerful and pivotal role. It’s the world’s largest builder of software, but it’s becoming a target for increasingly sophisticated attacks that exploit the very openness of the ecosystem. We view this as an opportunity for leadership. India can set the global standard for software integrity by combining innovation with responsibility. Indian technology leaders and policymakers have the chance to shape how open source and AI are governed — ensuring that as we build faster, we also build safer. By fostering collaboration between government, industry, and academia, India is creating a digital ecosystem that’s not only innovative, but trusted. That trust will be the currency of the global software economy.

5. Drawing from 30 years in cybersecurity leadership across Entrust, Proofpoint, Symantec, and now Sonatype, if you had one critical message for India's chief information and security officers heading into 2026, what would it be?

By 2026, AI will define the balance between security and innovation. CISOs must use AI proactively as the strongest line of defense, not reactively as a tool of response. Cybersecurity is no longer just the responsibility of large financial institutions — every organization, developer, and piece of software plays a role. Attackers are using automation and AI to scale their reach; defenders must do the same. That means securing open source and implementing governance models that eliminate “shadow AI.” Those who harness AI to protect the software supply chain responsibly will define the next era of trust. In the end, trust is the foundation of innovation, and safeguarding that trust must be our shared mission.
