Two Acquisitions, One Funding Round, and a Bigger Platform.
We have been very busy in the past few months. In March, we released the Developer Endpoint Security product, in response to two new realities affecting every software team:
- Agents are writing a significant portion of the new code being released. These agents need to be managed to ensure that the code they produce is safe, and that the agents themselves are not compromised through supply chain attacks.
- Supply chain attacks are increasingly causing damage on the developer endpoint - a blind spot for organizations. Many credentials are stored on developer machines (API keys, cloud access keys, registry publish keys, LLM API keys, etc.) - and very little control or visibility exists over them. One ‘uv add’ or ‘npm install’ gone wrong and a lot of credentials need to be rotated. If you’re not vigilant - IP can be stolen, malware can be inserted into your code bases, and data breaches can occur.
In April, we released SmokedMeat, an OSS exploitation tool - think Metasploit, but for CI/CD pipelines. We have been researching this area for many years now - and while we have tried to spread the knowledge - we realized that this particular attack surface is still misunderstood. Attacks on CI/CD pipelines have been increasing in number and in sophistication. With this tool - every defender can evaluate their particular exposure and act on it.
Today, we are thrilled to announce two acquisitions:
- Korbit.ai: Korbit, founded by Iulian Serban - built an impressive Code Review solution that, among other capabilities, had built-in AI Native SAST. The technology has been around since 2019, and has reviewed hundreds of millions of lines of code, finding, triaging, and fixing tens of thousands of issues. In particular, what impressed us was their ability to reduce hallucinations, focus on high quality results only, and keep the results consistent across runs, all the while adapting to and learning from the developers’ prior decisions.
- SecureIQx: SecureIQx was started by an MIT team to solve the problem of binary, as well as source, composition analysis; in particular, they focused on addressing the “should I fix this?” question via reachability analysis. While reachability analysis is not new, and boostsecurity already has support for some languages - SecureIQx brought to the table an innovative approach that leverages small and large language models, working in conjunction - to perform the reachability analysis at a speed, and with an accuracy, that are significantly better than the more traditional, pure SAST-based approaches.
Our customers today use the boostsecurity platform to protect the entire software factory - whether code is written by human or agent - and we secure the inputs, the process, and the outputs.
These acquisitions will add essential capabilities to our platform; whether code is generated by humans or AI, these new Agents will be working in our customers’ favor to uncover vulnerabilities that only an AI Native SAST can find, improve the triage process, remember organizational preferences, and prioritize and fix reachable composition vulnerabilities across a dozen languages, as well as in binary files.
In future blog posts - you will hear directly from the founders about the technology they built - and what makes their technology unique.
The rate of change in the industry is staggering: Mythos, Supply Chain attacks, Coding as a profession transforming in front of our eyes. It is estimated that there is going to be 15x more code produced this year than last year.
Rapid innovation is needed to keep up with these changes. That is what we are going to continue to do.
We’re also thrilled to welcome on board - 3 of Canada’s top early stage investors: White Star Capital, Amiral, and Accelia!