DryRun Security

64 posts

@dryrunsec

The industry’s first AI-native, agentic code security intelligence platform that's helping teams cut noise, find risks, and secure future-ready software.

Austin, TX · Joined September 2022
28 Following · 132 Followers
DryRun Security @dryrunsec
Throwing your hat in the ring of AI security? Meet us at RSA and we'll give you our thoughts on the future of appsec/prodsec. 👇 And a hat! DM us here or email us at hello@dryrunsecurity.com to schedule some time.
DryRun Security @dryrunsec
📊 NEW REPORT: The Agentic Coding Security Report is live. We wanted to understand what actually happens to application security when AI coding agents start writing real software. So we tested it. We gave Claude, Codex, and Gemini the same job: build two production applications from the same specifications using a normal pull request workflow. Across 38 scans we found 143 security issues, and 87% of pull requests introduced a vulnerability. The patterns were surprisingly consistent across every agent. Issues like broken access control, OAuth flows implemented incorrectly, JWT secrets mishandled, and rate limiting defined but never wired up kept appearing during development. These are not new vulnerabilities. They’re the same security issues teams have dealt with for years, now showing up at agentic speed as AI accelerates development.

Our report covers:
• What happens when AI coding agents build real applications
• The vulnerability patterns that repeatedly appeared across agents
• Why security needs to move earlier in the development process
• What this means for teams adopting agentic development workflows

📄 Read the full Agentic Coding Security Report: dryrun.security/the-agentic-co…
DryRun Security @dryrunsec
Agentic AI is forcing a rethink of enterprise security. DryRun Security sat down with Heather Wishart-Smith to discuss the changing speed and scale at which agentic AI risk can emerge. According to our own CTO @cktricky: “Autonomy plus authority creates behavioral risk, not just code risk.” Without guardrails like strict authority limits, auditability and human escalation points, he warns that “autonomous agents with production access, no kill switch and no audit trail can introduce silent, systemic security failures.” Full piece @Forbes here: forbes.com/sites/heatherw…
DryRun Security @dryrunsec
PR FEEDBACK IS LIVE IN DRYRUN SECURITY 🔥🔥🔥 When a security finding shows up in a pull request, it shouldn’t turn into a side quest. PR Feedback closes that loop. Now when DryRun Security flags something, developers can reply directly in the thread to mark a false positive or nitpick. DryRun updates the findings instantly, regenerates the PR summary, and logs the action for a clean audit trail. No tickets to file. No separate workflow to manage. No chasing someone down to clear it. Read how it works → dryrun.security/blog/security-…
DryRun Security @dryrunsec
Commerce replaced SAST noise with Code Security Intelligence. Here’s what changed ↓ Operating under PCI, SOC, and ISO expectations across 12+ languages, Commerce needed security that could keep up with modern, AI-driven development without slowing engineers down. After rolling out DryRun:
• Dramatic improvement in PR comment quality from Day 1
• Clear, line-by-line explanations of what changed, why it matters, and how it could be abused
• Less triage time on findings that don’t map to real risk
• A shift from pattern matching to contextual, exploitability-aware analysis

“The context that you get within the pull request being surfaced to engineers is outstanding.” Instead of generic rule text, developers now get real security feedback directly in the PR that builds stronger secure coding habits over time. 💡 See how Commerce did it → dryrun.security/case-studies/c…
DryRun Security @dryrunsec
Injection. Data leaks. Supply chain risk. None of that is new. What’s new is how fast those “old” problems surface when an LLM system starts reasoning from language and context, and that output gets reused in your app. @wickett breaks it down in this @DEVOPSdigest article, and explains why the OWASP Top 10 for LLM Applications is so relevant right now. Read it here: devopsdigest.com/securing-llm-a…
DryRun Security @dryrunsec
AppSec leaders: quick gut check. Can you answer these questions about your program with confidence? In this short video, @cktricky, DryRun Security CTO & Co-founder, shares the pointed questions he keeps hearing teams struggle with as development and risk accelerate:
❓ Can you train developers based on the actual risks they introduce instead of one-size-fits-all training?
❓ Do you know what’s being shipped without being told beyond the release/review process?
❓ Are your developers ready to build secure AI applications?
❓ Do you know which teams are using AI coding assistants, and do you have the right guardrails?
❓ Can you respond to zero-days in minutes, with clear visibility into exposure and next steps?

If any of these made you pause, you’re not alone. A lot of teams are still forced into the “old way” of doing AppSec while engineering velocity keeps climbing. We built DryRun Security to help practitioners close these gaps with a modern approach to code risk and visibility. If you want confidence in answering these questions, schedule a demo with us at dryrun.security/get-a-demo
DryRun Security @dryrunsec
Andrew’s relationship with DryRun runs deeper than a typical board appointment. Our CEO, @wickett, first worked with Andrew during the early days at Signal Sciences, where Andrew built trust the same way he built companies: by staying close to the team, leading with consistency, and focusing on what matters most. One lesson from that time has become part of our DNA at DryRun Security: “Make meaningful progress today.” It’s a simple idea, but it reflects a leadership style rooted in steady execution, strong relationships, and a culture that compounds over time. As application security enters a new era, shaped by AI-native development and accelerating engineering velocity, Andrew brings firsthand experience defining and scaling security categories at exactly the right inflection points. We’re grateful to add his perspective as we continue building for the future of AppSec. Andrew, we’re glad you’re here. Read the full post at dryrun.security/blog/welcoming…
DryRun Security @dryrunsec
📢 We’re thrilled to welcome Andrew Peterson to our Board of Directors, effective immediately! Andrew is a rare blend of security builder, technologist, and investor with a track record of helping create category-defining companies. He:
➡️ Co-founded Signal Sciences, helping pioneer modern web app & API security (acquired by Fastly in 2020)
➡️ Founded Aviso Ventures, an early-stage fund focused on enterprise & infrastructure software
➡️ Has backed standout AI security teams including Protect AI (acquired by Palo Alto Networks in 2024) and SGNL.ai (acquired by CrowdStrike earlier this year)

As Andrew put it: “As AI agents take on more responsibility in writing and reviewing code, security must evolve into something more intelligent, contextual, and adaptive.” That’s exactly the mission at DryRun Security: AI-native code security intelligence built for the agentic era—reducing noise, surfacing real risk, and bringing policy-driven visibility to agentic code changes. Since emerging from stealth, DryRun Security customers are now running 250,000+ code reviews per month through DryRun Security, proof that the way software is built is changing fast, and security has to keep up. Welcome, Andrew! We’re excited to build what’s next! 💥 🔗 Read more at globenewswire.com/news-release/2…
DryRun Security @dryrunsec
Next week, @jcran and @cktricky are doing Security Reviews, IRL: a live GitHub PR walkthrough with real agent-generated changes (Claude, Cursor, Devin) and the logic flaws that almost shipped. 🗓️ Join us: Feb 25, 1 PM EST Register at dryrun.security/webinar/securi…
DryRun Security @dryrunsec
Roses are red, violets are blue, 🌹 SAST gets noisy, your backlog too. 💔 DryRun adds real context, clear and true, ❤️ Close the laptop, go be IRL with your boo. 💘 This Valentine’s Day, DryRun Security is gifting a free security scan of your repo. Our DeepScan Agent runs a full-repo assessment, filters the junk, and returns a focused report your team can act on fast. That means fewer false positives and more time with someone who matters. 🍷 👩‍❤️‍👨 Comment “DeepScan,” DM us, or book here: dryrun.security/lp/ai-security…
DryRun Security @dryrunsec
Want to see how AI-first teams review PRs without drowning in noise? Jonathan (Mallory) + Ken (DryRun Security) are doing Security Reviews, IRL: a live GitHub PR walkthrough with real agent-generated changes (Claude, Cursor, Devin) and the logic flaws that almost shipped. Feb 25, 1 PM ET. Check it out: dryrun.security/webinar/securi…
DryRun Security @dryrunsec
⚡️ New Feature ⚡️ Announcing Risk Register: one place to see and act on risk across your org. With Risk Register you can:
👀 See a unified view of findings from PR scans & DeepScans
💡 Filter by repo, severity, status, date, and agent
🚨 Sort by Risk and work Critical/High first

See more details 👉 dryrun.security/blog/introduci…
DryRun Security @dryrunsec
Introducing DeepScan Agent 🚀 Expert full-repo security reviews in hours. Most AppSec programs are still trying to “catch up” with periodic full-repo reviews and a steady stream of traditional SAST alerts. That approach breaks when code volume keeps climbing. Today we’re announcing the DryRun Security DeepScan Agent. It reasons about your code like a senior security engineer and produces a prioritized report of the issues that matter, without drowning teams in noise. DeepScan Agent is built to:
🔎 Reason across the full repo - trace identity, data flow, and trust boundaries end-to-end
🎯 Reduce noise by design - fewer findings, higher confidence, real application context
🧠 Prioritize like a human - risk-ranked issues with impact and clear remediation guidance

DeepScan surfaces classes of risk scanners struggle to reason about, including complex authorization failures, tricky IDORs, business logic flaws, and secrets exposure. The DeepScan Agent is available today for DryRun Security customers and trial users. Read the launch post: dryrun.security/blog/announcin…
DryRun Security @dryrunsec
Developers are already using AI in production, but most AppSec programs were not designed to see or control what happens inside LLM workflows, causing blind spots across prompts, generated code, and tool calls. Join this live fireside chat "Code Velocity in an AI-era: How AppSec Teams Can Stay Ahead" with Adam Dyche, @wickett, @cktricky, and Zac F. They will explore how real teams are applying existing AppSec fundamentals to secure AI-powered applications without rebuilding their entire stack. 🗓️ Feb 4 | 1:00 PM ET Save your spot and join the conversation 👉 lnkd.in/gpxEBNA9
DryRun Security @dryrunsec
AI did not create entirely new AppSec problems. It changed where they show up. Prompts. Generated code. Tool calls. Model integrations. The risks are familiar. The workflows are not. Join our live fireside chat, Code Velocity in an AI-era: How AppSec Teams Can Stay Ahead, with Adam Dyche with @poweredbyCMRC, @wickett, @cktricky, and Zac Fowler with DryRun Security. They'll unpack how real teams are securing LLM-powered applications without rebuilding their entire AppSec stack. 🗓️ Feb 4 | 1PM ET Register 👉 na2.hubs.ly/H037Qhw0
DryRun Security @dryrunsec
AI is racing into dev workflows but trust is lagging behind. Our very own @wickett discusses why AI changes the risk model for AppSec with @ashimmy in this @TechstrongTV episode. In this convo, James digs into:
➡️ Why legacy threat models crack under LLMs and agents
➡️ The real dev pain with today’s security tools
➡️ How to define AI risks, and ship with reference architectures + best practices that evolve as fast as AI does

Listen/read here 👉 securityboulevard.com/2026/01/why-ai… #AppSec #AISecurity #LLM
DryRun Security @dryrunsec
SAST was built for human-written code. In 2026, that’s not the world we’re in. DryRun Security is nearly one year out of stealth, and adoption is accelerating fast. Teams now run 250,000+ code reviews every month on DryRun Security, more than any other AI-native code security intelligence provider. That’s what it looks like when a category shifts. We’re building the security layer for agentic development, where autonomous agents and vibe coding are quickly becoming standard operating procedure. Recent milestones:
◾ 250,000+ code reviews per month running on DryRun Security
◾ Breakthrough releases powered by our Contextual Security Analysis engine:
  ▫️ Natural Language Code Policies: write security intent in plain English, enforced in every pull request
  ▫️ Custom Policy Agent: automated guardrails with real-time, actionable PR feedback
  ▫️ Code Insights MCP: connect to MCP-compatible assistants for natural language repo insights and trend reporting
◾ New research: “Building Secure AI Applications” shows 80% of OWASP Top 10 vulnerabilities in LLM-enabled apps go undetected by traditional SAST, and a reference architecture to safeguard LLMs in applications.

More details in today’s announcement: na2.hubs.ly/H02VDSb0
DryRun Security @dryrunsec
“Zero rule violations” isn’t the win you think it is. When static checks become the target, teams optimize around the meter, not the risk. In this post, DryRun Security CEO & Co-founder @wickett unpacks how rules decay in living systems, why developer experience accelerates or slows that decay, and what to do instead. Read the blog for the playbook at na2.hubs.ly/H02LYVK0