The insight: Most security scanners find problems but don't fix them. Industry average time to fix critical vulnerabilities is 65+ days. We generate the actual fixes and create PRs automatically, including educational content on the nature of the vulnerability and the fix in the PR description.
Technical approach:
- AST-based pattern matching (moved from regex, dropped false positives from 40% to <5%)
- Multi-model AI for fix generation (Claude, GPT-4, local models)
- ~170 patterns across 8 languages + framework-specific patterns; can grow this easily but need more customer validation first.
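To make the regex-vs-AST point concrete, here is a small added example (my own illustration, not code from the product described above) using Python's stdlib `ast` module. It scans a constructed snippet for `eval()` calls two ways: a textual regex, which also fires on a comment and a string literal, and an AST walk, which only reports real call nodes. It then rewrites the real calls to `ast.literal_eval()` with a `NodeTransformer`, the kind of mechanical fix a PR could carry when the input is expected to be literal data. The sample source, the regex and the transformer are all assumptions made for this example.

```python
import ast
import re

# Constructed sample: two genuine eval() calls (lines 10 and 13) plus two
# non-call mentions, a comment (line 5) and a string literal (line 6).
SAMPLE_SOURCE = '''
import json

def parse(user_input):
    # never use eval(user_input) here, it executes arbitrary code
    msg = "calling eval(x) is unsafe"
    return json.loads(user_input)

def legacy(user_input):
    return eval(user_input)

def nested(user_input):
    return str(eval(user_input))
'''

EVAL_REGEX = re.compile(r"\beval\(")


def regex_findings(source: str) -> list[int]:
    """Line numbers where the text 'eval(' occurs; comments and strings count too."""
    return [i for i, line in enumerate(source.splitlines(), 1) if EVAL_REGEX.search(line)]


def ast_findings(source: str) -> list[int]:
    """Line numbers of actual Call nodes whose callee is the bare name 'eval'."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "eval"):
            hits.append(node.lineno)
    return sorted(hits)


class EvalToLiteralEval(ast.NodeTransformer):
    """Rewrite eval(x) -> ast.literal_eval(x); literal_eval only accepts literals."""

    def visit_Call(self, node: ast.Call) -> ast.AST:
        self.generic_visit(node)  # handle nested calls such as str(eval(x)) first
        if isinstance(node.func, ast.Name) and node.func.id == "eval":
            node.func = ast.Attribute(
                value=ast.Name(id="ast", ctx=ast.Load()),
                attr="literal_eval",
                ctx=ast.Load(),
            )
        return node


def suggest_fix(source: str) -> str:
    """Return the source with every eval() call replaced and 'import ast' ensured."""
    tree = EvalToLiteralEval().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    fixed = ast.unparse(tree)  # note: unparse drops comments
    has_ast_import = any(
        isinstance(n, ast.Import) and any(a.name == "ast" for a in n.names)
        for n in tree.body
    )
    if not has_ast_import:
        fixed = "import ast\n" + fixed
    return fixed


if __name__ == "__main__":
    print("regex:", regex_findings(SAMPLE_SOURCE))  # [5, 6, 10, 13]
    print("ast:  ", ast_findings(SAMPLE_SOURCE))    # [10, 13]
    print(suggest_fix(SAMPLE_SOURCE))
```

On this sample the regex reports four findings of which two are false positives; the AST pass reports exactly the two real calls, and the fixed output contains no bare `eval()` call when re-scanned. Whether `literal_eval` is the right replacement depends on what the input is supposed to be, which is the sort of context the PR description has to explain.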
Business model experiment: Success-based pricing - only charge when fixes get merged ($15/PR at the moment). No upfront costs. This forces us to generate production-quality fixes & hopefully reduces friction for onboarding.
Early observation: Slopsquatting (AI hallucinating package names that hackers pre-register) is becoming a real attack vector. It's pretty straightforward to nail and has a lot of telltales. Building detection & mitigation for that now.
Stack: Elixir/Phoenix, TypeScript, AST parsers