ZeroPath is an AI-native application security startup (YC S24) selected as a finalist in RSAC 2026 Innovation Sandbox. It aims to replace the fragmented SAST/SCA/Secrets/IaC toolchain with a unified platform that not only detects vulnerabilities but verifies exploitability and generates mergeable PR-level fix suggestions. The core technical approach combines program analysis (AST-based enriched graphs, taint analysis, reachability/exploitability analysis) with LLM assistance for semantic rule generation — similar to the IRIS research framework. Key differentiators include detecting complex business logic flaws like IDOR and broken access control, reducing false-positive noise via AI reachability analysis, and pushing remediation directly into developer workflows. The post also contextualizes ZeroPath against competitors like GitHub Copilot Autofix, Semgrep, Snyk, Endor Labs, and Anthropic's Claude Code Security, noting the industry-wide shift from alarm generation to actionable fixes, while cautioning that ZeroPath's maturity in complex multi-language environments still needs further public validation.

26 min read. From securityboulevard.com
Table of contents
Company Profile
Background
ZeroPath: Integrate and break through the traditional “four-piece set” of code security
From discovering problems to promoting fixes: the new competitive direction of application security tools
Technical Comments
Conclusion
References