ZeroPath: RSAC 2026 Innovation Sandbox Profile
This profile was compiled in March 2026 using AI tooling guided by security product strategy guidance from Lenny Zeltser's MCP server. The analysis was performed by AI without direct human validation, to demonstrate the capabilities of AI agents guided by an expert framework. Outside this demo, a human analyst would conduct iterative conversations with the AI agent to arrive at more accurate conclusions.
Executive Summary
ZeroPath is a Y Combinator-backed AI-native application security platform that replaces traditional SAST tools with LLM-driven vulnerability detection and automated patching. The company claims 750+ customers and 200,000+ monthly scans within 18 months of founding. Its core differentiator is detecting business logic flaws and authentication bypasses that rule-based scanners miss, validated by third-party research on major open-source projects including curl and sudo. ZeroPath competes in the fast-growing AI SAST market against both incumbents (Snyk, Checkmarx, Semgrep) and emerging startups (Corgea, Arnica).
Company Overview
| Field | Detail | Evidence |
|---|---|---|
| Founded | June 2024 | Y Combinator profile |
| Headquarters | San Francisco, CA | Company website |
| Funding | Pre-seed from YC ($500K, Sep 2024); Seed led by SurgePoint Capital (amount undisclosed, Jan 2025). Additional sources report $7M or $20M but these figures are unverified. | ACN Newswire; Company website; SignalBase |
| Stage | Seed | Crunchbase |
| Employees | 1-10 (LinkedIn data shows 2 confirmed, company size listed as 1-10) | Company website; LinkedIn |
| Key Investors | Y Combinator, SurgePoint Capital (lead seed), Paul Graham (angel), Multimodal Ventures, Orange Collective, Mergus Ventures, Olive Tree Capital | ACN Newswire press release; VCBacked |
| YC Batch | S24 (Summer 2024) | Y Combinator profile |
| RSAC Sandbox SAFE | $5M SAFE note from Crosspoint Capital (all 10 finalists) | RSAC announcement |
Funding note: Multiple aggregator sites report different seed amounts ($500K, $5M, $7M, $20M). The company’s own press release from January 2025 confirmed the seed round led by SurgePoint Capital but did not disclose a dollar amount. The $500K figure appears to be the YC pre-seed only. The $20M figure from SignalBase and LeadsOnTrees is unverified and may be inaccurate. A LinkedIn post from October 2025 by a co-founder referenced “$7M in seed funding,” which appears to be the most credible figure for the seed round. Evidence tier: Company claim, partially verifiable.
Problem Definition and Market Opportunity
Traditional SAST tools generate high false-positive rates (often 70-90%) and rely on pattern-matching rules that miss business logic flaws, authentication bypasses, and complex vulnerability chains. Security teams spend more time triaging noise than fixing real issues. Manual penetration testing is expensive and infrequent.
The application security testing market is large and growing. Gartner projects the global application security market will exceed $10B by 2027. The shift toward AI-generated code (via GitHub Copilot, Cursor, and similar tools) amplifies the problem. AI-written code introduces novel vulnerability patterns that rule-based scanners were not designed to detect.
ZeroPath targets this gap by using LLMs as the core detection engine rather than as a triage layer on top of traditional rules. This positions the company at the intersection of two macro trends: the expansion of AI-generated code and the inadequacy of legacy SAST tools.
Evidence tier: Market data from analyst reports (confirmed third-party). Problem framing is company claim supported by independent researcher validation.
Product Capabilities
ZeroPath offers four core product modules:
1. AI-Native SAST: The primary product combines Abstract Syntax Tree (AST) analysis with large language models to detect vulnerabilities across 15+ programming languages including Python, JavaScript, TypeScript, Java, Go, Ruby, Rust, PHP, Kotlin, C, C++, and more. The company claims this approach finds 2x more real vulnerabilities with 75% fewer false positives compared to traditional SAST tools. An independent benchmark cited an 81.7% detection rate versus Snyk’s approximately 40%. The platform detects categories that traditional tools miss: business logic flaws, authentication/authorization bypasses (AuthN/AuthZ), IDOR vulnerabilities, and prompt injection in LLM-integrated applications. It uses CVSS 4.0 severity scoring.
Evidence tier: Detection rate claims are company claims, partially supported by independent researcher Joshua Rogers’ comparative testing.
2. One-Click Patch Generation: ZeroPath generates contextual code fixes for detected vulnerabilities and delivers them as pull requests. Patches can be adjusted using natural language instructions. The Aptos Labs case study reports a reduction in time-per-finding from 60 minutes to 20 minutes.
3. PR Reviews and CI/CD Integration: Every pull request is scanned in under 60 seconds with inline comments. The platform integrates with GitHub, GitLab, Bitbucket, and Azure DevOps for source control, and with Jira, Linear, and Slack for issue tracking.
4. SAST Tool Consolidation: ZeroPath can import findings from existing SAST tools (Semgrep, Snyk, Checkmarx, SonarQube, Veracode, Fortify, Synopsys) and run them through its validation pipeline to eliminate false positives and generate fixes.
Additional capabilities: SCA with reachability analysis, secrets detection, IaC scanning (Terraform, Kubernetes, Docker, CloudFormation), policy engine for custom rules in natural language, and penetration testing services.
Open-Source Components
ZeroPath maintains a GitHub organization at github.com/ZeroPathAI with 16 followers. Key open-source repositories:
| Repository | Description | Stars |
|---|---|---|
| OpenErrata | Crowdsourced inline LLM investigations | 37 |
| zeropath-ctf | Exploit development CTF challenges against real CVEs | 21 |
| validation-benchmarks | Forked XBOW benchmarks for AI security tool evaluation | 9 |
| zeropath-mcp-server | MCP server for querying ZeroPath via Claude, Cursor, Windsurf (MIT license) | 8 |
| zeropath-cli | CLI releases for local/CI scanning | 5 |
Open-source adoption is modest. The repositories serve primarily as developer ecosystem integrations and community engagement tools rather than as the core product. The MCP server is the most strategically significant, connecting ZeroPath findings to AI coding assistants. The CTF repository builds community credibility with security researchers.
Evidence tier: Confirmed (GitHub, publicly verifiable).
Competitive Positioning
ZeroPath competes in a crowded application security market but differentiates on a specific technical claim: LLMs as the detection engine, not just a triage layer.
Direct AI SAST competitors:
- Corgea — LLM-based code analysis with contextual awareness. Independent researcher Joshua Rogers ranked ZeroPath, Corgea, and Almanax as the top three AI SAST products.
- Arnica — Agentic AppSec platform with multi-agent engine for continuous scanning.
- Aikido Security — All-in-one security platform covering SAST, DAST, IaC, and more.
Incumbent SAST vendors:
- Snyk — Strong developer adoption and SCA leadership but SAST offering considered less mature for complex custom code.
- Checkmarx — Enterprise-grade with 35+ language support and compliance focus.
- Semgrep — Rule-based, open-source, developer-friendly. Semgrep is beginning to integrate AI.
- Veracode — Cloud-based, compliance-oriented, less developer-focused.
ZeroPath’s claimed advantages:
- Built from scratch around LLMs rather than adding AI on top of a rule engine.
- Detects business logic flaws and auth bypasses that competitors miss.
- Sub-60-second PR scanning with automated fixes.
- Validated by finding zero-days in Netflix, Hulu, and Salesforce codebases.
- Third-party validation from Daniel Stenberg (curl maintainer) and researcher Joshua Rogers.
Key competitive risk: The incumbents (Snyk, Checkmarx, Semgrep) have large customer bases, enterprise sales teams, and are actively integrating AI capabilities. The window for differentiation may narrow as LLM-based detection becomes table stakes.
Go-to-Market and Traction
Customer base: ZeroPath claims 750+ companies as of August 2025, performing 125,000+ code scans monthly. By early 2026, the website references 200,000+ monthly scans. Named customers include Aptos Labs, Exodus, Commenda.io, and Aquanow. The company claims zero-day discoveries in codebases at Netflix, Hulu, and Salesforce.
Evidence tier: 750+ companies is a company claim, unverifiable. Aptos Labs case study is confirmed (published with direct quotes). Netflix/Hulu/Salesforce zero-days are company claims, partially verifiable through open-source disclosures.
Pricing:
- Team: $1,000/month + $60/developer (14-day free trial)
- Enterprise: Custom pricing with on-premise/self-hosted options, BYOK (bring your own LLM keys), SCIM provisioning
- Startup discount: Up to 50% off
- MSP/white-label options available
- Free access for independent security researchers
Revenue: Extruct.ai estimates $5M in revenue. This is unverified and should be treated as an estimate. Evidence tier: Inferred from third-party aggregator, not confirmed.
Distribution channels:
- Self-serve signup with GitHub app (under 30 seconds claimed)
- Enterprise sales with proof-of-value engagements
- MSSP/white-label partnerships
- Developer community through open-source projects, CTFs, and security research publications
- Content marketing through extensive blog with CVE analyses and technical posts
Industry verticals: Fintech, healthcare, cryptocurrency/blockchain, and technology. The Aptos Labs case study demonstrates traction in blockchain infrastructure security.
Compliance: SOC 2 Type II and GDPR compliant. ISO 27001 in progress. Evidence tier: Company claim.
Team and Credibility
ZeroPath has four co-founders with security engineering backgrounds. The team is small (1-10 employees) but technically credible.
Dean Valentine — Co-Founder and CEO
- Previously co-founded Mevlink (low-latency DeFi trading data), acquired by bloXroute Labs in 2023.
- Holds OSCP (2018) and OSCE (2020) certifications from Offensive Security.
- Prior exit provides entrepreneurial credibility.
Raphael Karger — Co-Founder and CTO
- Former Google Security Engineer (L3 to L4), working on GCP offensive security. Compromised 200+ high-value production systems during internal security campaigns.
- Former Bishop Fox consultant (penetration testing).
- Former Air Force Research Laboratory cybersecurity researcher.
- MS in Cybersecurity and Policy from Brown University.
- Strongest technical security pedigree on the team.
Nathan Hrncirik — Co-Founder
- Former Tesla Red Team security engineer (intern).
- Google Infrastructure Hardening intern.
- Claims $100K+ in bug bounties (per YC profile).
- OSCP certified.
- BS from University of Texas at San Antonio.
Etienne Lunetta — Co-Founder and COO
- Previously co-founded Mevlink with Dean Valentine (acquired by bloXroute in 2023).
- Senior Software Engineer at bloXroute Labs post-acquisition.
- Co-founded Leonard Cyber, a cybersecurity aptitude testing platform.
- Economics (LOA) from University of Southern California.
- Brings operational and business experience; two prior startups.
Team assessment: The founding team combines offensive security expertise (Tesla Red Team, Google security, Bishop Fox, OSCP/OSCE certifications) with prior startup experience (one acquisition). The team is credible for building an AI-powered security product. The main gap is the absence of an enterprise sales leader or a seasoned GTM executive, which matters as they move upmarket. The team is very small for a company claiming 750+ customers.
Evidence tier: Work histories confirmed via LinkedIn. Bug bounty claim from YC profile (company claim). Mevlink acquisition confirmed (third-party).
Trust Readiness
- SOC 2 Type II: Claimed on website. Evidence tier: Company claim, verifiable upon request.
- GDPR compliant: Claimed. Evidence tier: Company claim.
- ISO 27001: In progress. Evidence tier: Company claim.
- Enterprise deployment options: On-premise, self-hosted, private cloud, and BYOK (bring your own LLM keys). This addresses data sovereignty concerns that may block LLM-based security tool adoption.
- SARIF output: CLI produces standard SARIF format for integration with any security tool pipeline.
The BYOK option is strategically important. Many enterprises resist sending proprietary code to third-party LLMs. Self-hosted deployment with customer-provided model keys removes a significant adoption barrier.
RSAC Judging Criteria
RSAC does not publish an official judging rubric. The five criteria below are extrapolated from press descriptions of what judges evaluate: the problem a company addresses, the originality of its technology, its go-to-market strategy and team, market validation, and product demonstration.
| Criterion | Score (1-5) | Assessment |
|---|---|---|
| Problem/Market | 5 | Application security is a massive, well-understood market. The shift to AI-generated code creates urgent new demand. Traditional SAST tools are widely acknowledged as inadequate for complex vulnerability classes. |
| IP Originality | 4 | LLM-native detection (not LLM-as-triage) is a genuine architectural differentiator today. Third-party validation from the curl project and researcher Joshua Rogers supports the technical claims. However, competitors are converging on similar approaches. |
| GTM/Team | 3 | Strong technical founders with security pedigrees and one prior exit. 750+ customers is impressive for the stage. However, the team is very small, lacks enterprise GTM leadership, and funding is relatively modest compared to well-capitalized competitors. |
| Validation/Revenue | 4 | 750+ companies, 200K+ monthly scans, named enterprise customer (Aptos Labs), zero-days found in Netflix/Hulu/Salesforce codebases, curl maintainer endorsement. Revenue estimated at $5M (unverified). Strong signal for an 18-month-old company. |
| Product/Demo | 4 | Multi-module platform (SAST, SCA, secrets, IaC, PR reviews, auto-fix) with documented integrations and case studies. CLI, MCP server, and VS Code extension show developer ecosystem investment. Sub-60-second PR scans are demo-friendly. |
Overall RSAC Fit: 20/25. ZeroPath is a strong Sandbox contestant. The combination of a real technical advance (LLM-native detection), third-party validation (curl, Joshua Rogers), rapid customer adoption (750+ companies), and a demo-friendly product makes for a compelling 3-minute pitch. The main weaknesses are the small team size, unverified funding amounts, and an increasingly competitive AI SAST market where incumbents are closing the gap.
Startup Readiness Assessment
This eight-dimension assessment appears in the comparison matrix on the main page. It evaluates broader startup readiness using dimensions from the security product analysis framework. Five dimensions overlap with the RSAC criteria above. Three are added: funding efficiency, category clarity, and incumbent defensibility.
| Dimension | Score (1-5) | Assessment |
|---|---|---|
| Problem Clarity | 5 | Application security is a massive, well-understood market. The shift to AI-generated code creates urgent new demand that traditional SAST tools cannot address. |
| Capability Depth | 4 | LLM-native detection is a genuine architectural differentiator today, validated by third-party research on curl and by researcher Joshua Rogers. Competitors are converging on similar approaches. |
| Market Timing | 4 | AI-generated code is expanding the attack surface faster than rule-based scanners can adapt. ZeroPath enters at the right moment, though the window for differentiation is narrowing. |
| Team Credibility | 3 | Strong technical founders with security pedigrees and one prior exit (Mevlink). However, the team is very small, lacks an enterprise GTM leader, and has no seasoned executive hires beyond the founding group. |
| GTM Proof | 4 | 750+ companies, 200K+ monthly scans, a named customer (Aptos Labs), and curl maintainer endorsement. Strong adoption metrics for an 18-month-old company. |
| Funding Efficiency | 3 | Funding is opaque, with reports ranging from $500K to $20M. A 1-10 person team serving 750+ customers suggests either remarkable efficiency or sustainability questions depending on actual capitalization. |
| Category Clarity | 4 | AI-native SAST is a recognizable category. Buyers understand where it fits in the AppSec stack and how it replaces or augments existing SAST tooling. |
| Incumbent Defensibility | 2 | Snyk, Checkmarx, and Semgrep are integrating LLM capabilities into their platforms. The window for differentiation may narrow within 12-18 months as incumbents ship similar features with larger sales teams. |
Overall: 29/40.
Key Risks
- Funding opacity. The seed round amount is not publicly confirmed. Reports range from $500K to $20M. If the actual raise is on the lower end, the company may lack runway to compete with well-funded incumbents and emerging AI SAST startups.
- Team scale. A 1-10 person team serving 750+ customers raises questions about support capacity, enterprise readiness, and ability to execute across multiple product modules simultaneously.
- Competitive convergence. Snyk, Checkmarx, Semgrep, and others are integrating LLM capabilities. ZeroPath’s current advantage in LLM-native detection may erode within 12-18 months as incumbents ship similar features with larger sales teams and established customer relationships.
- LLM dependency. The platform’s core value depends on LLM performance for code analysis. Model quality, latency, cost, and hallucination risks are ongoing technical challenges. The BYOK option suggests awareness of this risk.
- Customer concentration uncertainty. 750+ companies is a strong claim, but the breakdown between free-tier/trial users and paying customers is not disclosed. Revenue quality is unclear.
- Open-source traction is limited. GitHub repositories have low star counts (max 37). This limits community-driven adoption compared to competitors like Semgrep with deep open-source roots.
Sources
- RSAC 2026 Innovation Sandbox Finalist Announcement
- ZeroPath Website
- Y Combinator Company Profile
- ZeroPath v1 Launch Blog Post
- Aptos Labs Case Study
- ACN Newswire: ZeroPath Launch Press Release (Jan 2025)
- The Register: Curl Project and AI Security Tools
- Cybernews: curl Maintainer AI Turnaround
- Joshua Rogers: AI SAST Tools Review
- Arnica: Top AI SAST Tools for 2026
- ZeroPath GitHub Organization
- ZeroPath MCP Server (GitHub)
- Extruct.ai: ZeroPath Funding Estimate
- SignalBase: ZeroPath $20M Report
- VentureBeat: RSAC Innovation Sandbox
- ZeroPath Pricing Page
- ZeroPath Documentation
- LinkedIn Profiles: Dean Valentine, Raphael Karger, Nathan Hrncirik, Etienne Lunetta