Arsham Memarzadeh
564 posts








.@AlmanaxAI is joining @depthfirstlabs! @mmwtsn and I started the company two years ago because we'd grown tired of seeing weekly multi-million-dollar hacks destroying blockchain companies and stealing people's life savings. We believed the industry needed to move from annual security audits and pentests to continuous ones, and that AI would eventually get us there. We were among the first to see the potential of AI in cyber and build new solutions in this space. When we started, most security teams told us our product wouldn't work, they didn’t need more findings, and they didn't trust AI to be good. But then we saw how the commercial tools our clients were using were missing many of the vulnerabilities we were detecting, while producing an absurd number of false positives. We ended up working with some of the largest blockchain companies: Solana, Stellar, Aptos, Privy and Bridge (now part of Stripe), DFNS, Algorand. When people didn't believe, we showed them results: we found issues in Vitalik's code (arguably one of the best software engineers on Earth), ethically disclosed hundreds of vulnerabilities (to Ripple, Coinbase, Fireblocks), and won security competitions against thousands of researchers. As we progressed, we realized that while crypto companies were among the most vulnerable (exploits directly steal money), the problem was widespread beyond blockchain. The rise of vibe coding created an enormous new attack surface and new models and harnesses were detecting vulnerabilities that had gone unnoticed in software packages for decades, some of which power most of today’s internet. The time between CVE public disclosure and first confirmed in-the-wild exploitation has dropped from 2.3 years in 2018 to eight hours today. This and the release of frontier cyber models shook the industry. So we expanded our product support to languages and tech stacks used widely by enterprises. But the scale of what needs to be done requires more than what any one small team can do alone We believe joining forces with depthfirst will significantly accelerate our shared vision to secure the world’s software. depthfirst is already swinging at the same future we set out to build, with the team and the resources to lead the way. Their bet, and now ours, is that the next major security platform will be in product security. As their investor @arshammem put it, every category eventually gets one company whose name becomes synonymous with it: Palo Alto Networks for the network, CrowdStrike for the endpoint, Wiz for the cloud. Product and application security, notwithstanding many attempts, is still left without a crowned victor. We think depthfirst can be that company. Thanks to our great team, investors, and customers who believed in us and shared our vision of the world. Our ambition is now even bigger and we’re excited to build that future with @qasimmith, @andreamichi, Daniele, and the entire @depthfirstlabs team.


AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this, today we’re launching the depthfirst Dependency Firewall to find and block malware in supply chain dependencies before they’re installed. It uses the same engine that discovered NGINX Rift, now optimized to detect malware in open-source packages. We want companies to move faster with AI, without compromising security. Above all, @depthfirstlabs is a mission driven organization. This is another step towards achieving our mission of securing the world's software, an increasingly urgent need as artificial intelligence accelerates how software is built, deployed and attacked.

SpaceX filed its S-1 last week, and my partner @ausw2000 read all 318 pages (and made all the charts) so you don’t have to. The result: three businesses in one — Space, Connectivity (Starlink), and AI. AI is set to become the largest revenue segment within a year. The company did $18.7B in FY25 revenue, up 33% YoY, and is reportedly expecting a $1.75T valuation that would make it a top-10 company globally.

It feels like every infrastructure company in SF has customer concentration risk. I'm actually having a harder time finding someone that doesn't.









