Crash Override: RSAC 2026 Innovation Sandbox Profile

← Back to comparison

This profile was compiled in March 2026 using AI tooling guided by security product strategy guidance from Lenny Zeltser's MCP server. The analysis was performed by AI without direct human validation, to demonstrate the capabilities of AI agents guided by an expert framework. Outside this demo, a human analyst would conduct iterative conversations with the AI agent to arrive at more accurate conclusions.

Overview Problem Product Competition Traction Team Trust RSAC Criteria Readiness Risks

Executive Summary

Crash Override provides build inspection technology that captures metadata inside CI/CD pipelines, creating a single source of truth across code, infrastructure, tools, and teams. The company has pivoted its messaging toward AI-generated code discovery and security, a timely position given the surge of AI coding tools in enterprise development. Founded in 2022 by OWASP creator Mark Curphey and Capsule8 founder John Viega, the company raised $41.3M total including a $28M seed round led by GV and SYN Ventures in July 2025. Its open-source tool Chalk (415 GitHub stars, 16 contributors) embeds provenance metadata into build artifacts and generates SBOMs, providing SLSA Level 2 compliance out of the box.

Company Overview

Field	Detail	Evidence
Founded	2022	PitchBook, BusinessWire
Headquarters	New York, NY (offices also in London)	LinkedIn
Total Funding	$41.3M across multiple rounds	PitchBook
Latest Round	$28M seed (July 2025), led by GV and SYN Ventures, with Blackstone Innovations Investments and Bessemer Venture Partners	BusinessWire
Earlier Rounds	~$6.5M seed (Oct 2022) led by Bessemer and SYN Ventures; additional venture rounds in 2024-2025	Crunchbase
Stage	Seed (large seed, pre-Series A)	Confirmed (third-party)
Employees	~18-30	The SaaS News reports 30 total
Key Investors	GV (Google Ventures): $8B fund, enterprise/dev tools focus. Erik Nordlander (GP) joined board. SYN Ventures: Largest US cybersecurity seed fund ($75M), $600M+ AUM, founded by former Blackstone CISO Jay Leek. Leek joined board. Bessemer Venture Partners: Top-tier VC with deep cybersecurity portfolio (CrowdStrike, Auth0, Axonius). Blackstone Innovations Investments: Strategic corporate investor.	GV, SYN Ventures, BusinessWire
Board Members	Erik Nordlander (GV), Jay Leek (SYN Ventures), Gerhard Eschelbeck (former Google VP/CISO, CVSS co-inventor)	BusinessWire
RSAC Innovation Sandbox	Selected as one of 10 finalists (announced Feb 10, 2026). Each finalist receives $5M investment.	PRNewswire

Problem Definition and Market Opportunity

Modern software development suffers from fragmented visibility. Code comes from developers, open-source repositories, third-party tools, and increasingly AI coding assistants. Infrastructure teams cannot see the development process. Security teams cannot see either. Nobody knows with certainty what code runs in production, who wrote it, or how it got there.

This blind spot creates three compounding problems. First, vulnerability scanning generates noise because teams scan code that never reaches production. Second, supply chain compliance (SBOM generation, SLSA attestation, provenance tracking) remains manual and incomplete. Third, AI coding tools are adopted without guardrails, creating unknown risk.

Regulatory pressure reinforces the market need. The US Executive Order 14028 mandates software supply chain transparency. The EU Cyber Resilience Act (enforcing September 2026) requires SBOM generation. NIST’s SSDF framework requires provenance documentation. These requirements apply to every software vendor selling to government or regulated industries.

The total addressable market spans DevSecOps visibility, software supply chain security, and the emerging AI code governance category. The supply chain security tools market alone was projected to grow significantly, with Verizon’s 2025 DBIR reporting that 30% of data breaches involved third-party involvement, doubling year-over-year.

Evidence tier: Confirmed (third-party) for regulatory requirements and market data. Confirmed (company claim, verifiable) for the visibility gap framing.

Product Capabilities

Crash Override’s platform has two layers: an open-source foundation and a commercial cloud platform.

Chalk (Open Source)

Chalk is a GPL-3.0 licensed tool that captures metadata at build time and injects a small “chalk mark” into any build artifact (binaries, containers, scripts). It works by wrapping existing build tools, requiring as little as one line added to a build script or a Docker alias.

Core capabilities:

Build metadata capture: Records code authorship, timestamps, dependencies, environment details, and hundreds of other metadata points from inside the build process.
SBOM generation: Built-in Syft integration generates CycloneDX SBOMs automatically.
Code provenance and signing: Collects provenance data and digitally signs artifacts, achieving SLSA Level 2 compliance without additional tooling.
Runtime tracking: Extracts chalk marks in production to verify what code is deployed, enabling “prod or not” visibility.
CI/CD integration: Four lines of YAML in GitHub Actions or GitLab. A setup-chalk-action is available for GitHub.

Technical details: Written primarily in Nim (69%), with Python (25%) for tests. Latest release v0.6.8 (Feb 2026). 45 releases total, 1,045 commits, 16 contributors, 41 releases on GitHub.

Ocular (Open Source)

Ocular is a Kubernetes-native API for orchestrating out-of-band security scanning at scale. It originated at Blackstone and was open-sourced by Crash Override. It uses a four-component container architecture (Crawler, Downloader, Scanner, Uploader) to run security tools without embedding them in CI/CD pipelines. The ocular-extractor package has 350K downloads on GitHub Packages.

Commercial Platform (ERM)

The commercial Engineering Relationship Management platform builds on Chalk to provide:

AI code discovery: Automatically catalogs which AI coding tools developers use and where AI-generated code is deployed.
Real-time change ledger: Tracks all changes across code, builds, infrastructure, and deployments.
Catalog: Live inventory connecting code, infrastructure, builds, and deployments.
Campaigns: Structured initiatives to drive improvements (e.g., migrate to gold images, enforce code ownership files).
Shadow engineering detection: Identifies unapproved tools, container registries, and infrastructure.

Deployment requires four lines of YAML. The company describes it as “an AirTag attached to every commit, artifact, and pipeline.”

Evidence tier: Confirmed (company claim, verifiable) for open-source capabilities (code is public). Confirmed (company claim, unverifiable) for commercial platform features beyond what is publicly documented.

Competitive Positioning

Crash Override occupies a unique niche between several overlapping markets:

Category	Key Competitors	Crash Override Differentiation
Software Supply Chain Security	Chainguard ($892M raised), Anchore ($41M raised), Scribe Security, Xygeni	Focuses on build-time metadata capture rather than hardened images or SCA. Claims data collection from inside builds, not outside looking in.
SBOM Tools	Syft/Grype (Anchore), CycloneDX, FOSSA, Black Duck	SBOM generation is a feature, not the product. Chalk auto-generates SBOMs as part of broader provenance tracking.
DevSecOps Visibility	Apiiro, Legit Security, Cycode, Kodem	Build inspection approach captures data at the CI/CD layer rather than relying on API integrations to source code managers.
AI Code Security	Emerging category with few direct competitors	First-mover claim on discovering and tracking AI-generated code in builds. This is the current go-to-market focus.

The build inspection approach is the core IP differentiator. Most competitors rely on API-level integrations to GitHub, GitLab, and cloud providers, which provide metadata about code but not about what happens inside builds. Crash Override captures data from within the build process itself, providing provenance data that external APIs cannot access.

The competitive risk is that well-funded players like Chainguard ($892M raised, 414 employees) or established ASPM vendors could add similar capabilities. The AI code discovery angle is timely but early.

Evidence tier: Confirmed (third-party) for competitor funding and capabilities. Confirmed (company claim, unverifiable) for the “only build inspection technology” positioning.

Go-to-Market and Traction

Open-Source Adoption (Chalk)

GitHub stars: 415
Forks: 23
Contributors: 16
Releases: 45 (latest v0.6.8, Feb 2026)
Commits: 1,045
Watchers: 13
GitHub Package downloads (chalk): 1,380
License: GPL-3.0
Last push: March 13, 2026 (actively maintained)
GitHub org: 40 public repositories, 83 followers

Source: GitHub crashappsec/chalk

These are modest community numbers. For comparison, Syft (Anchore’s SBOM tool) has significantly higher adoption. The 415-star count suggests early-stage awareness among a niche audience rather than broad developer adoption.

Named References

Toyota Motor North America: Gabriel Lawrence cited “visibility, traceability, and code-to-cloud context” within developer workflows. (Company website testimonial)
Amazon: Wael Ghandour (Security Engineer) cited Crash Override’s approach to code ownership. (Company website testimonial)
Santander: Daniel Cuthbert (Head of Security Research) praised the build visibility capabilities. (Company website testimonial)

Evidence tier: These testimonials are Confirmed (company claim, verifiable) since the individuals are named with titles, but the depth of deployment is unknown.

Revenue and ARR

Not publicly disclosed. Given the Innovation Sandbox requirement of under $5M ARR and the company’s seed stage, revenue is likely well below $5M.

Web Traffic

Monthly visits: ~1,318 (SimilarWeb)
This is very low, suggesting limited inbound demand or a sales-led GTM motion.

Evidence tier: Revenue is Not publicly disclosed. Web traffic data is Confirmed (third-party) via SimilarWeb.

Team and Credibility

Co-Founders

John Viega, CEO

30+ years in application security
CEO of Capsule8 (runtime security; acquired by Sophos ~2021)
Author of multiple books on software security
CTO/VP at McAfee; EVP at BAE Systems Applied Intelligence; EVP at SilverSky
Founder of Secure Software, Inc.
Adjunct Professor of Computer Science at NYU
MS Computer Science, University of Virginia

Mark Curphey, Co-Founder (CMO)

Founded OWASP in 2001 (now the global standard for web application security)
Founding CEO of SourceClear (software composition analysis; acquired by Veracode 2018)
Co-founder/CTO at Open Raven (data security; acquired by Formstack 2024)
VP Professional Services at Foundstone (founded by CrowdStrike CEO George Kurtz; acquired by McAfee)
Product Unit Manager at Microsoft Developer Division
Royal Holloway, University of London

Key Leadership

Brandon Edwards, CTO

Co-founder/Chief Scientist at Capsule8 (acquired by Sophos)
Co-founder, VP of Intelligence at Exodus Intelligence
VP Threat Labs at BAE Systems Applied Intelligence
Hacker-in-Residence at NYU Tandon
ZDI Security Researcher at TippingPoint; Senior Security Architect at McAfee
Deep expertise in vulnerability research, reverse engineering, exploit development

David Coffey, CPO | Laura Paine, VP Marketing | Kathleen Foreman, VP Operations

Board/Advisors

Gerhard Eschelbeck: Former Google VP/CISO, co-inventor of CVSS, CISO at Kodiak Robotics, board member at multiple cybersecurity companies. Doctorate in CS from Johannes Kepler University.
Erik Nordlander: GP at GV, former Google engineering leader (DoubleClick, core infrastructure), MIT CS.
Jay Leek: Managing Partner at SYN Ventures, former CISO at Blackstone, former security leader at Equifax and Nokia.

Notable Endorsements (from Chalk launch, 2023)

Omkhar Arasaratnam, Executive Director of OpenSSF (formerly VP Infrastructure Security at Google)
Jason Chan, former Head of Security at Netflix
Amit Yoran, CEO of Tenable and former National Cyber Security Director at DHS
Marco Massenzio, Principal Engineer at Cruise Automation (formerly Apple, Google)

Evidence tier: Confirmed (third-party) for career histories via LinkedIn. Confirmed (company claim, verifiable) for endorsement quotes (named individuals with verifiable titles).

The founding team has exceptional credibility. Curphey literally created the dominant web application security framework (OWASP). Viega built and sold a company to Sophos. Both have deep McAfee/Foundstone lineage (George Kurtz ecosystem). This is among the strongest founding teams in the Innovation Sandbox cohort.

Trust Readiness

Dimension	Assessment	Evidence
Open-source transparency	Strong. Chalk is GPL-3.0, fully open on GitHub with active development. Ocular also open-source.	GitHub
Security policy	Published SECURITY.md in Chalk repo. CLA required for contributions.	GitHub
Compliance capabilities	Chalk generates SBOMs (CycloneDX), provides SLSA Level 2 compliance, digital signing.	Chalk docs
SOC 2 / certifications	Not publicly disclosed	N/A
Data handling	Build inspection data stays within customer CI/CD. Cloud platform data handling not publicly documented.	Company website
Open Source Fellowship	Funds core developers for important security projects (first recipient: ZAP/OWASP). Demonstrates ecosystem commitment.	Crash Override blog

Evidence tier: Open-source aspects are Confirmed (third-party, verifiable). SOC 2 and data handling are Not publicly disclosed.

RSAC Judging Criteria

RSAC does not publish an official judging rubric. The five criteria below are extrapolated from press descriptions of what judges evaluate: the problem a company addresses, the originality of its technology, its go-to-market strategy and team, market validation, and product demonstration.

Criterion	Score (1-5)	Assessment
Problem/Market	4	Software supply chain visibility is a validated pain point with regulatory tailwinds (EO 14028, EU CRA). The AI code discovery angle is timely but the core problem is established, not emerging.
IP Originality	4	Build inspection from inside CI/CD is a differentiated approach. Chalk’s metadata injection into artifacts is novel. Most competitors work outside the build process via APIs.
GTM/Team	5	Founding team is world-class. Curphey created OWASP, Viega sold Capsule8 to Sophos. Investor roster (GV, SYN, Bessemer, Blackstone) and board (Gerhard Eschelbeck, former Google VP/CISO) are top-tier.
Validation/Revenue	3	Named testimonials from Toyota, Amazon, Santander. Revenue not disclosed. Open-source adoption (415 stars) is modest. No published case studies with measurable outcomes.
Product/Demo	4	Product is live and actively developed. Likely under $5M ARR given seed stage. CI/CD integration with visible output makes for a strong live demo.

Overall RSAC Fit: 20/25. Crash Override has one of the strongest founding teams in the cohort and a differentiated technical approach. The main gap is limited evidence of commercial traction beyond named testimonials.

Startup Readiness Assessment

This eight-dimension assessment appears in the comparison matrix on the main page. It evaluates broader startup readiness using dimensions from the security product analysis framework. Five dimensions overlap with the RSAC criteria above. Three are added: funding efficiency, category clarity, and incumbent defensibility.

Dimension	Score (1-5)	Assessment
Problem Clarity	4	Software supply chain visibility is a validated pain point with regulatory backing (EO 14028, EU CRA). The AI code discovery pivot is timely but the core problem is established, not emerging.
Capability Depth	4	Chalk captures build metadata from inside CI/CD and injects provenance into artifacts. SBOM generation, SLSA Level 2 compliance, and digital signing are built in. The commercial platform adds AI code discovery and change tracking.
Market Timing	3	Software supply chain security is an established category. The AI code discovery angle is new and relevant, but the market is not in a “must-buy-now” moment. Regulatory tailwinds exist but enforcement timelines are gradual.
Team Credibility	5	OWASP founder (Curphey) plus Capsule8 exit to Sophos (Viega). Board includes Google’s former VP/CISO and CVSS co-inventor (Eschelbeck). Among the strongest founding teams in the cohort.
GTM Proof	3	Toyota, Amazon, and Santander testimonials are named but deployment depth is unknown. Revenue not disclosed. Web traffic of approximately 1,300 monthly visits suggests limited inbound demand.
Funding Efficiency	4	$41.3M total for approximately 18-30 employees. The $28M seed is large, providing extended runway. GV and Blackstone backing signal institutional confidence.
Category Clarity	3	”Engineering Relationship Management” is not a recognized buyer category. Messaging has pivoted to AI code discovery, which is clearer but still emerging and not yet a budget line item.
Incumbent Defensibility	2	Chainguard ($892M raised), Snyk, and ASPM vendors could add build inspection capabilities. The AI code discovery angle has low barriers to fast-followers.

Overall: 28/40.

Key Risks

Modest open-source traction: 415 GitHub stars after 2.5 years is low for an open-source-led GTM strategy. Comparable tools like Syft have much broader adoption. This suggests Chalk has not achieved the community flywheel that drives open-core businesses.
Messaging pivot risk: The company has shifted emphasis from “Engineering Relationship Management” and DevOps visibility (July 2025 funding announcement) to “AI-generated code discovery and security” (current website). Rapid messaging pivots can signal product-market fit uncertainty.
Revenue opacity: No disclosed revenue, customer count, or deployment scale. The Innovation Sandbox requirement is under $5M ARR, but the company has not confirmed even this threshold publicly.
Competitive pressure from well-funded players: Chainguard ($892M), Snyk, and ASPM vendors could add build inspection capabilities. The AI code security angle is a land-grab with low barriers to fast-followers.
Small team for enterprise ambitions: 18-30 employees serving enterprise customers (Toyota, Amazon, Santander) is thin. The $28M raise should enable growth, but execution risk remains.
Web traffic suggests limited market pull: ~1,300 monthly website visits is very low, suggesting the company has not yet generated significant inbound demand.

Sources

← Back to comparison