Investing in depthfirst
The next major security platform will be in product security
Cybersecurity is comprised of a small number of expansive attack vectors: enterprises must protect their networks, their endpoints, their clouds, their identities, their emails, their data, and their applications. Each substrate is large enough to support a standalone company, but also serves as a high ground from which a company expands into adjacencies. Importantly, each category is dominated by one player that owns an outsized share of the market, whose brand becomes synonymous with its respective coverage area. Palo for the network, CrowdStrike for the endpoint, Wiz for the cloud. Product and application security, notwithstanding many attempts, is still left without a crowned victor.
Yet, a victor is needed more than ever. For years, cybersecurity has struggled to keep pace with development, and that gap is only widening now that development has been democratized. What’s worse, garage-level hackers now have access to nation-state-level tooling thanks to the progress of AI models.
The prior generation of tools brought attention to the problem but drowned security teams in false positives. Rules-based systems created conflict between reducing noise and addressing real vulnerabilities. False negatives created even more risk, as incumbent scans lacked the contextual understanding needed to catch business logic flaws.
Enter depthfirst
We nearly gave up on the space until AI’s reasoning capabilities injected new life into it, enabling technology to understand an environment in the way a team of advanced security engineers might. That’s where depthfirst comes in. They’re an applied AI lab focused on production security. They build a semantic model of each customer’s environment, contextualizing code, dependencies, business logic, and infrastructure to flag vulnerabilities that pattern-based tools miss. Every vulnerability runs through an exploitability proof to reduce false positives by design. The platform then produces recommended bug fixes while learning from user feedback around the quality of alerts.
depthfirst broadens the focus away from “are there vulnerabilities in my codebase” to “is this product exploitable in the real world.”
Importantly, they follow a theme we are tracking closely: applied AI companies that train specialized models for discrete problems informed by a data flywheel. Today, depthfirst announced dfs-mini1, which outperformed frontier models on finding vulnerabilities in smart contracts while running at 10x to 30x lower cost. This allows them to serve the right model for the right problem set, all controlled by a best-in-class harness.
It is for these same reasons that each customer we spoke to was effusive about the depthfirst product after years of disillusionment with prior tools or more recent DIY attempts with AI models.
Partnering with depthfirst
Ultimately, a bet on depthfirst is a bet on Qasim Mithani, Andrea Michi, Daniele Perito, and the team they’ve assembled. It’s rare to meet a group that combines savant-level aptitude across engineering, real-world cybersecurity threats, and AI research. They exude ambition balanced with a practical sense of how to solve the most important cyber risks at hand, and they deeply appreciate what’s at stake as AI threats advance.
We’re thrilled to lead their Series B and partner with this team.



