Hand-in-Hand for Better Application Security, or Why We Invested in DryRun Security (Twice)

This post is a bit different from my prior “why we invested” pieces – almost a two-for-one – as we’ve actually invested in DryRun Security twice.

Two Founders and an Idea

We were excited to invest in DryRun Security’s initial seed financing.  At that point, the company was just the two co-founders and an idea, and we were compelled to invest by both.

We liked the space.  Every company is now a software company.  Companies must develop software applications to leverage their data and power their business to stay relevant and competitive.  Those applications must be protected from threats and vulnerabilities to prevent data loss, disruption, or other financial costs.  The processes, tools and techniques that provide this protection are collectively called Application Security (AppSec).

Three factors have made AppSec more critical than ever:

  • More Code: The rise of coding autopilots means more lines of code are being written than ever before.
  • Increased Complexity: The shift to cloud-native architectures and microservices has made applications more complex.
  • Growing Threats: Attackers continue to evolve, finding new ways to exploit vulnerabilities.

Despite the critical need, we saw a space that was fundamentally broken. Existing AppSec solutions were brittle. They relied on pattern-matching rules that were difficult to write and limited to specific programming languages. This made it hard to keep up with new technologies, leaving critical gaps in security.

To make matters worse, these solutions produced considerable noise (false positives), forcing AppSec professionals to sift through endless alerts to find the true needles in the haystack. This not only wasted valuable time but also risked undermining their credibility by raising a false issue with development.  Additionally, existing solutions slowed developers down by presenting confusing results long after code was written – often requiring them to untangle dependencies that had since been built on top of the vulnerable code.

DryRun set out to solve all of this. James Wickett and Ken Johnson, DryRun’s co-founders, are veterans in the DevOps and AppSec communities.  With experience as practitioners, instructors, and early employees at leading AppSec startups, they were uniquely positioned to tackle this challenge. This gave them a sense for not only founder-problem fit, but also founder-market fit.

Context Is Everything

Fast forward, and DryRun Security’s vision started to take shape.  By integrating directly into customers’ development pipelines, such as GitHub, DryRun recognized code risks as soon as developers checked in code, clearly communicating risks in near real-time—rather than days later.

DryRun Security chose to build their solution from the ground up leveraging LLMs.  LLMs are powerful at understanding code regardless of specific language syntax.  This enabled them to move beyond pattern-matching, more easily extend across programming languages, and be less brittle.

But it’s what DryRun Security was able to do next that represented a true leap forward in application security and compelled us to lead their next round.  Existing solutions all looked at the literal syntax of code to identify risk. But there are still risks in the code base even if the syntax is correct.  For example, there may be authorization issues stemming from an API endpoint being assigned an incorrect role or permission—which is very difficult to detect without analyzing the context.  Or a developer adds a new SSO provider, something that’s syntactically correct but deserves review due to being outside of the standard process. Without knowing the context around the code change, risky code changes get missed by pattern-matching tools.

DryRun’s breakthrough, Contextual Security Analysis (CSA), goes beyond looking at the literal syntax of code and allows AppSec teams to understand risk based on code context and behavior.  For the first time, DryRun Security enables the left hand of application security to fully grasp the security implications of what the right hand of development is doing – even if there’s not technically an insecure pattern in the code.

Why We’re Excited

DryRun Security is revolutionizing how application security teams protect complex, fast-moving codebases. By combining Contextual Security Analysis (CSA) with the power of LLMs, they’re addressing risks that traditional tools simply can’t—enabling developers to write secure code without slowing down.

James and Ken are leaders who deeply understand the challenges AppSec professionals face, and their innovative approach is already delivering real, tangible benefits for customers.

As software development continues to accelerate and applications grow more complex, the need for smarter, AI-native security solutions has never been greater. DryRun Security’s groundbreaking technology is set to redefine the future of AppSec, and we’re proud to support them on this journey.