Clearly AI: RSAC 2026 Innovation Sandbox Profile

This profile was compiled in March 2026 using AI tooling guided by security product strategy guidance from Lenny Zeltser's MCP server. The analysis was performed by AI without direct human validation, to demonstrate the capabilities of AI agents guided by an expert framework. Outside this demo, a human analyst would conduct iterative conversations with the AI agent to arrive at more accurate conclusions.

Executive Summary

Clearly AI automates enterprise security and privacy reviews using AI that ingests design documents, source code, and organizational knowledge to produce threat models, data flow diagrams, and compliance assessments. The company addresses a structural bottleneck in application security: the industry average of 1 security engineer per 200 software engineers makes manual review unsustainable, especially as AI-generated code accelerates deployment velocity. With 17 enterprise customers including Rivian, Ericsson, and Okta, and a reported 90%+ reduction in review times, Clearly AI has moved quickly from its June 2024 founding to demonstrable enterprise traction. The husband-wife founding team brings direct domain experience from Amazon Alexa AI Security and Moveworks, giving them an unusually specific founder-market fit for this problem.

Company Overview

| Field | Detail | Evidence |
| --- | --- | --- |
| Founded | June 2024 | Y Combinator profile |
| Headquarters | Seattle, WA (Ballard neighborhood) | GeekWire |
| Funding | $8.4M seed (Feb 2026), led by Basis Set Ventures; earlier $500K pre-seed from Y Combinator (Sep 2024). Also received $5M SAFE from RSAC as Innovation Sandbox finalist. Total disclosed: ~$13.9M | Basis Set Ventures blog, PRNewswire |
| Stage | Seed | Crunchbase |
| Employees | 12 (as of Feb 2026). Three open roles listed on YC jobs page. | Y Combinator, GeekWire |
| Key Investors | Basis Set Ventures (lead, $850M AUM, early AI-focused VC, portfolio includes Drata), Crosspoint Capital Partners ($1.3B fund focused exclusively on cybersecurity and infrastructure software, portfolio includes Forescout, Absolute Software), Argon Ventures, Ritual Capital, Y Combinator (S24 batch) | Basis Set Ventures website, Crosspoint Capital, GeekWire |

Problem Definition and Market Opportunity

Enterprise security teams face a widening gap between the volume of software shipping and their capacity to review it. The industry ratio of 1 security engineer to 200 software engineers, according to Clearly AI’s framing (company claim, unverifiable), means most new features, products, and vendor integrations ship without thorough security or privacy review. AI-assisted code generation is compounding this problem. As Basis Set Ventures noted in their investment thesis, “AI-generated code is flooding into production with increasing velocity” and existing review tools cannot keep pace.

Traditional security reviews involve security engineers manually reading design documents, architecture diagrams, and code to identify threats and compliance gaps. This process takes days to weeks per review. Organizations that ship hundreds of features per quarter face a painful choice between slowing releases or accepting unreviewed risk. Emily Choi-Greene experienced this firsthand at Amazon, where she led Alexa AI Security and was responsible for AppSec across 2,500+ engineers and scientists. She performed hundreds of these reviews manually before founding Clearly AI.

The total addressable market spans application security, privacy impact assessments, vendor risk management, and compliance automation. These markets collectively represent tens of billions in enterprise spending, though Clearly AI’s specific segment, AI-automated security design reviews, is nascent and not yet tracked by major analyst firms.

Product Capabilities

Clearly AI’s platform functions as an AI security engineer that reads and reasons through unstructured enterprise documentation. The system ingests design documents, source code, configurations, internal knowledge bases, and tickets from tools like Jira, GitHub, Confluence, Google Drive, Slack, and Notion. It then generates several outputs.

Threat Modeling. The platform produces STRIDE-framework threat models by analyzing architecture and design documents. It identifies security risks such as unencrypted storage, missing authentication controls, or exposed secrets, and generates mitigation recommendations aligned with each organization’s internal security policies. (Confirmed, company claim; Dark Reading article corroborates the approach.)

Security and Privacy Assessments. Clearly AI automates design reviews, privacy threshold assessments, and privacy impact assessments for new features and products. It evaluates compliance with relevant regulations and internal standards, producing documentation that previously required weeks of manual work. HID Global’s Sr. Director for Product Security and Privacy, William Brown, stated that documentation “generated within a minute” would have “taken developers weeks to create” (GeekWire).

Vendor Risk Assessments. The platform automates third-party vendor security and privacy reviews, enabling faster procurement decisions. It maintains a centralized repository for all security and privacy documentation, including FAQs for engineering teams.

Risk Triage and Prioritization. Findings are prioritized so security teams review the most critical issues first. The platform uses a human-in-the-loop model where AI augments analysis and humans make final decisions. Clearly AI claims built-in safeguards against hallucinations, though the specific technical mechanisms are not publicly disclosed.

Continuous Monitoring. Unlike traditional point-in-time reviews, the platform monitors continuously as designs and code evolve. This shift from periodic assessments to ongoing evaluation represents a meaningful architectural difference from legacy GRC tools.

Integrations. Jira, GitHub, Confluence, Google Drive, Slack, Notion, Linear, and Lucid are confirmed integration targets. The platform reads from these sources rather than requiring teams to change their workflows.

Competitive Positioning

Clearly AI operates in an emerging segment that analyst Paul Shomo of Dark Reading described in a January 2026 article alongside peers Seezo, PrimeSec, and Clover Security. These startups all use LLMs to process unstructured design and architecture data for security purposes. The competitive landscape includes several categories.

Direct competitors in AI-powered design review and threat modeling. SecurityReview.ai offers similar review automation. Oplane focuses on AI-assisted threat modeling from repository data. Clover Security provides design-led product security. Dawnguard focuses on security architecture for cloud environments. IriusRisk (Bex AI) offers conversational security design feedback through Jira.

Adjacent competitors in code security. ZeroPath, a fellow RSAC Innovation Sandbox finalist, focuses on code-level vulnerability detection through SAST, SCA, and secrets scanning. Backslash targets security for AI-generated code specifically.

Legacy incumbents. Traditional AppSec tools from Synopsys, Checkmarx, and Veracode address code scanning but not the design review and privacy assessment workflows that Clearly AI targets.

Clearly AI’s differentiation rests on breadth. It covers the full software development lifecycle from design review through threat modeling to privacy impact assessments, rather than focusing on a single phase. It also emphasizes learning each organization’s specific standards, frameworks, and internal policies, claiming it is “not a generic AI tool” (company claim). Whether this breadth creates durable competitive advantage or invites competition from both sides (code security vendors expanding upstream and GRC platforms adding AI) remains an open question.

Go-to-Market and Traction

Clearly AI reports 17 enterprise customers as of February 2026 (confirmed, company claim via GeekWire). Named customers include Rivian, Ericsson, Okta, Webflow, Affirm, and HID Global. This is notable enterprise traction for a company less than two years old with 12 employees.

Customer results (company claims, partially corroborated by named testimonials):

The company’s go-to-market appears focused on mid-to-large enterprises with dedicated product security teams. The buyer persona spans security, privacy, and GRC teams. Clearly AI was also a finalist in the Okta Startup Challenge in October 2025, receiving recognition at Nasdaq alongside Okta Ventures (LinkedIn post, confirmed via company website). Emily Choi-Greene has maintained an active conference speaking presence at BSides Vancouver Island, BSidesPDX, OWASP Global AppSec, ThreatModCon, and IAPP AI Governance Global throughout 2025.

Revenue figures are not publicly disclosed. Given RSAC Innovation Sandbox eligibility requires under $5M ARR, the company likely falls below this threshold.

Team and Credibility

Emily Choi-Greene, Co-Founder and CEO. Dartmouth College, High Honors in Computer Science. Five years at Amazon (2017-2022) progressing from Software Engineer to Sr. Security Engineer, where she served as tech lead for Alexa AI Security, managing AppSec responsibilities for 2,500+ engineers and scientists. She then led data security and privacy at Moveworks (2022-2024), which was acquired by ServiceNow in 2025. She developed Moveworks’ first customer data protection roadmap and led projects in data masking, privacy-preserving ML, and access control. Y Combinator Summer 2024 batch. (LinkedIn)

Joe Choi-Greene, Co-Founder and CTO. Carnegie Mellon University, Computer Science. Nearly nine years at Amazon (2015-2024) across three divisions: Shopbop (personalization services), Alexa Secure AI Foundations (built privacy services enabling millions of customers to delete Alexa data, managed exabyte-scale datalakes), and Project Kuiper (led satellite telemetry team, building software running in space and mission control). (LinkedIn)

The founders met in 2019 during an Alexa security review at Amazon. Emily’s direct experience performing hundreds of security reviews provides strong founder-market fit. Joe’s background in data infrastructure, privacy engineering, and secure systems complements the security domain expertise. Both are technical founders, which is unusual for a company also selling to enterprise GRC teams.

Notable hire. Chris Altonji serves as Founding Engineer. Hires come from Amazon (3), Moveworks (2), Rivian (1), Brex (1), and Apple (1), suggesting ability to attract talent from strong technical organizations. Three open roles (Sr. Software Engineer, Technical Implementation Lead - Security, Founding UI/UX Design Engineer) indicate active scaling with salary ranges of $125K-$200K.

Trust Readiness

Clearly AI’s own security posture is not extensively documented publicly. The company published a blog post discussing SOC 2 certification for startups, arguing that vendor risk assessments should focus on actual security practices rather than treating SOC 2 as a checkbox. This suggests awareness of the trust question but does not confirm whether Clearly AI itself holds SOC 2 certification. No public trust center, SOC 2 report, or penetration test results were found during research. Given the company handles sensitive design documents, source code, and security assessments for enterprises like Rivian and Ericsson, customers are likely conducting due diligence, but the specifics are not publicly disclosed.

The platform’s claim of “built-in safeguards against hallucinations” is important given the high-stakes nature of security assessments, but the technical implementation details behind this claim are not public.

RSAC Judging Criteria

RSAC does not publish an official judging rubric. The five criteria below are extrapolated from press descriptions of what judges evaluate: the problem a company addresses, the originality of its technology, its go-to-market strategy and team, market validation, and product demonstration.

| Criterion | Score (1-5) | Assessment |
| --- | --- | --- |
| Problem/Market | 4 | The security review bottleneck is well-understood by practitioners, and the 1:200 security-to-developer ratio creates a structural need. AI-generated code acceleration adds urgency. The problem is specific and quantifiable. |
| IP Originality | 3 | The application of LLMs to unstructured security documents is not unique to Clearly AI. Several competitors (SecurityReview.ai, Oplane, Clover Security) pursue similar approaches. Differentiation comes from breadth of coverage and organizational context ingestion. |
| GTM/Team | 4 | Seventeen enterprise customers in under two years, with recognizable brands (Rivian, Ericsson, Okta, Affirm), is compelling for a 12-person seed-stage startup. Founders’ direct domain experience at Amazon Alexa AI Security provides strong founder-market fit. |
| Validation/Revenue | 4 | Named enterprise customers with public testimonials provide validation. Rivian reports 90% review time reduction. Revenue is not disclosed but likely under $5M ARR. No third-party analyst validation yet. |
| Product/Demo | 4 | Product launched in 2024, actively serving 17 customers. The workflow of ingesting documents and generating threat models should demo effectively in a live setting. Integrations with Jira, GitHub, Confluence, and Slack are confirmed. |

Overall RSAC Fit: 19/25. Clearly AI has strong enterprise traction for its stage and a clear, quantifiable value proposition. The main risk is competitive convergence as multiple startups and incumbents pursue AI-powered security review.

Startup Readiness Assessment

This eight-dimension assessment appears in the comparison matrix on the main page. It evaluates broader startup readiness using dimensions from the security product analysis framework. Five dimensions overlap with the RSAC criteria above. Three are added: funding efficiency, category clarity, and incumbent defensibility.

| Dimension | Score (1-5) | Assessment |
| --- | --- | --- |
| Problem Clarity | 4 | The 1:200 security-to-developer ratio creates a well-defined, quantifiable bottleneck. AI-generated code acceleration compounds the need. The specific “AI-automated security design review” segment is not yet tracked by analyst firms, which limits external validation. |
| Capability Depth | 4 | Working product with documented integrations across Jira, GitHub, Confluence, Slack, and Notion. Delivers STRIDE-framework threat models, privacy assessments, and vendor risk automation. HID Global’s testimonial confirms document generation capability. |
| Market Timing | 4 | AI-generated code acceleration increases demand for automated security review. The timing is favorable, but this is a new sub-segment without established category recognition from major analysts. |
| Team Credibility | 4 | Emily Choi-Greene led Alexa AI Security for 2,500+ engineers. Joe Choi-Greene built privacy infrastructure at Amazon. Both are technical founders with direct domain experience. Active conference speaking circuit (BSides, OWASP, IAPP) builds credibility. |
| GTM Proof | 5 | Seventeen enterprise customers including Rivian, Ericsson, Okta, Affirm, Webflow, and HID Global. Named testimonials with measurable outcomes (90% review time reduction). Okta Startup Challenge finalist. Strongest GTM traction in the cohort for the company’s stage. |
| Funding Efficiency | 4 | $13.9M total funding for 12 employees serving 17 enterprise customers. Strong capital efficiency with clear product-market fit signals. |
| Category Clarity | 4 | “AI-powered security design review” maps to existing security engineering budgets. Buyers understand the problem even if the solution category is new. |
| Incumbent Defensibility | 3 | Code security vendors (Synopsys, Checkmarx) expanding upstream and GRC platforms (ServiceNow, OneTrust) adding AI could narrow the competitive window. |

Overall: 32/40.

Key Risks

Competitive convergence. Multiple startups pursue the same “AI for security design review” thesis, as documented in Dark Reading. Code security vendors (Synopsys, Checkmarx) and GRC platforms (ServiceNow, OneTrust) could add similar AI capabilities. The moat may narrow quickly.

LLM dependency and accuracy. Security assessments carry high consequences for errors. The platform’s reliance on LLMs introduces risks around hallucination, inconsistency, and adversarial manipulation of input documents. The “human-in-the-loop” model mitigates but does not eliminate this risk.

Scaling from early adopters. Seventeen customers is strong for the stage, but enterprise security teams are conservative buyers. Scaling from early-adopter enterprises to mainstream adoption will require establishing category credibility, possibly through analyst recognition or industry certifications not yet obtained.

Trust readiness gap. For a company handling sensitive security documentation and source code, the lack of publicly documented SOC 2 certification or a trust center is a potential friction point in enterprise sales cycles. Larger prospects may require this.

Key-person risk. Emily Choi-Greene’s domain expertise and community presence are central to the company’s credibility. With only 12 employees, the team is stretched thin across product development, customer success, and business development.
