DryRun Security

High-Level Overview

DryRun Security is an AI-native application security (AppSec) startup that builds Contextual Security Analysis (CSA) tools to automate security reviews in developer workflows, particularly during code changes and pull requests.[1][2][3] It serves development and security teams at organizations like Gusto, BrightHR, and Tines, solving the problem of detecting complex code risks—such as business logic flaws and behavioral vulnerabilities—beyond basic static patterns, while reducing false positives and bridging the gap between devs and security pros.[1][2][3] The company raised $8.7 million in seed funding to expand go-to-market and engineering, launched Natural Language Code Policies (NLCP) for plain-language policy enforcement, and achieved early traction including BlackHat Startup Spotlight 2024 finalist status and GitHub Marketplace availability, enabling real-time analysis across thousands of daily code changes.[1][2][3][4]

Origin Story

DryRun Security was co-founded by James Wickett (CEO) and Ken Johnson (CTO), both AppSec veterans with deep industry experience.[1][2][5] Wickett launched the company driven by the belief that developers prioritize security but lack effective tools, while Johnson recently led security code reviews and developer training at GitHub.[5] The idea emerged to automate security analysis in code reviews before deployment, addressing pain points the founders encountered firsthand; early milestones include raising $8.7M seed funding, securing customers like Gusto and BrightHR, and launching key features like NLCP and GitHub integrations.[1][2][3]

Core Differentiators

• AI-Driven Contextual Security Analysis (CSA): Analyzes code behaviors, paths, developer intent, and language-specific checks in seconds, detecting complex risks like business logic flaws that traditional SAST misses, with real-time feedback in pull requests.[1][2][3]
• Natural Language Code Policies (NLCP): Allows security teams to define and enforce policies in plain language, moving beyond wikis to instant, accessible safeguards without complex setups.[1][2][3]
• Developer-Centric Workflow Integration: Embeds security as a "force multiplier" in tools like GitHub, providing actionable insights, reducing friction, and scaling reviews for high-volume changes without slowing velocity.[2][3][4]
• Low False Positives and Team Empowerment: Offers code insights across organizations, plain-language guidelines for all skill levels, and customer-validated impact like "doubling" AppSec capacity at firms like BrightHR.[3]

Role in the Broader Tech Landscape

DryRun rides the AI-native AppSec trend, where LLMs and agents transform static analysis into dynamic, context-aware security that fits DevOps speed, amid rising software supply chain attacks and compliance demands.[1][2][3] Timing aligns with explosive growth in AI-dev tools and GitHub ecosystems, enabling seamless integration as code volume surges; market forces like talent shortages in AppSec and shift-left security favor its approach, reducing standoffs between teams.[2][3] It influences the ecosystem by pioneering agentic analysis, open-source contributions, and resources like the CSA Guide, helping organizations scale secure releases and setting standards for human-centric, frictionless security.[3][4]

Quick Take & Future Outlook

DryRun is poised to expand with its $8.7M funding fueling engineering hires, GitHub Marketplace growth, and NLCP enhancements, targeting broader adoption amid AI security agent proliferation.[1][4] Trends like multimodal AI analysis and zero-trust DevSecOps will amplify its edge, potentially evolving it into a full-stack AppSec platform influencing standards via community and enterprise wins. As AI bridges dev-security divides, DryRun exemplifies how targeted automation turns security from bottleneck to accelerator, securing the next wave of software innovation.[2][3]