Announcing Our Investment in DryRun Security

Jan 22, 2025

We're excited to lift the covers on DryRun Security! We led the preseed and doubled down in the seed round led by LiveOak Ventures, alongside Cannage Capital, for a total of $8.7M raised.

DryRun Security helps application security teams cut through thousands of code changes to find critical vulnerabilities by combining contextual analysis with natural language security policies.

The Problem

Application security has reached a new level of scale and complexity. Web applications remain one of the primary attack vectors for organizations, with issues like SQL injection, broken access control, and API vulnerabilities consistently appearing in breach reports. 

Modern development practices have created several compounding issues:

  • Velocity has outpaced security tools. Development teams are shipping code faster than ever, with organizations pushing thousands of changes daily across hundreds of microservices. Traditional security tools, designed for an era of monthly releases and monolithic applications, simply can't keep up with this velocity. When security scans take minutes to complete or require manual configuration, they inevitably get bypassed or ignored.
  • Architecture complexity has exploded. The shift to microservices, containerization, and API-first development means that vulnerabilities often emerge from the interactions between components rather than isolated services. Static analysis tools (SAST) can catch basic issues, but struggle to detect vulnerabilities that don’t match known bad patterns. In modern architectures, authorization issues classified as Insecure Direct Object Reference (IDOR) are notoriously difficult for SAST tools to detect.

The result: security teams spend endless hours writing and maintaining complex rules to catch potential threats, only to generate hundreds of alerts that overwhelm developers. With multiple security warnings per code change, teams struggle to prioritize which issues need immediate attention - causing critical vulnerabilities to get lost in the noise. This leads to growing security backlogs, alert fatigue, and increasing friction between security and development teams.

The Solution

Security tools need to think like security teams do - considering not just the code itself, but how it fits into the broader application. DryRun Security takes this approach through their AI-native Contextual Security Analysis (CSA) engine, which examines each code change in its full context to identify truly critical security issues. By analyzing everything from code patterns to runtime behaviors, CSA can spot vulnerabilities that emerge from complex service interactions - all while keeping pace with modern development speeds.

The company's latest feature, Natural Language Code Policies (NLCP), tackles another major pain point: the endless cycle of writing and maintaining security rules. Instead of crafting complex rule sets, teams can define security requirements in natural language. These policies are then automatically enforced across the entire codebase, regardless of programming language or framework.

The platform seamlessly integrates into existing GitHub workflows, enabling teams to:

  • Identify unknown risks before they enter production
  • Enforce security policies without slowing down development
  • Get precise, contextual feedback directly in developer workflows
  • Eliminate the complexity of traditional rule-writing

DryRun Security is already seeing strong validation from customers like PlanetArt, BrightHR, and Gusto, who are using the platform to process tens of thousands of code reviews weekly.

The Team

DryRun Security was founded by two longtime appsec leaders - James Wickett and Ken Johnson. James brings deep expertise from his time as an early engineer at Signal Sciences, where he built out the initial product infrastructure before moving into developer advocacy as Head of Research. Ken's experience as Director of Product Security Engineering at GitHub gives him unique insight into securing code at massive scale.

We're thrilled to support James, Ken, and the entire DryRun Security team as they build the next generation of AI-native application security tools.

Kelley and the DryRun Security co-founders James and Ken “eating good in the neighborhood”