ZeroPath

Computer and Network Security

San Francisco, California 635 followers

Detect and fix your application's exploitable security issues

About us

Founded by security researchers from Tesla and Google, ZeroPath empowers developers to ship secure code faster. Our LLM-powered security platform detects, verifies, and fixes conventional technical vulnerabilities and complex security issues like business logic flaws. Our intelligent analysis significantly reduces false positives and generates precise one-click patches that dramatically cut remediation time. ZeroPath transforms how teams approach application security with a truly developer-friendly solution. Visit ZeroPath.com to secure your code without sacrificing speed.

Website
https://zeropath.com
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
San Francisco, California
Type
Privately Held
Founded
2024

Updates

  • ZeroPath reposted this

    View profile for Adarsh Sharma

    CS and Econ. @ Grinnell College

    My friends and I do hackathons, and we often ship something that uses LLMs in some capacity. Every time a new model is released with a shiny new size and capabilities, we are the ones to get excited, majorly because it opens the door for even more project ideas. What's interesting though is the performance improvement. Does it really make a difference if I use sonnet-2.7 or o3-mini? For our use case, not really. We can achieve the same output with both models and in fact the majority of people can. So, whoever is building something for a hackathon or personal project, I guess don't sweat on the models. Just choose a decent one and move ahead. Don't fall for the perfect tooling hell. But I understand that our use case is very basic, and it may actually matter for startups or bigger projects. So, I wanted to see what others think about this, and it pretty much follows. Found a very insightful blog by Dean Valentine – linking in the comments. Hackathon vlogs coming out soon! 👀

  • ZeroPath reposted this

    View profile for Dean Valentine

    Co-Founder & CEO of ZeroPath (YC S24)

    Since 3.5-sonnet, we have been monitoring AI model announcements, and trying pretty much every major new release that claims some sort of improvement. Unexpectedly by me, aside from a minor bump with 3.6 in October, literally none of the new models we've tried have made a significant difference on either our internal benchmarks or in our developers' ability to find new bugs. This includes the new test-time OpenAI models. At first, I was nervous to report this publicly because I thought it might reflect badly on us as a team. Our scanner has improved a lot since August, but because of regular engineering, not model improvements. It could've been a problem with the architecture that we had designed, that we weren't getting more mileage as the SWE-Bench scores went up. But in recent months I've spoken to other YC founders doing AI application startups and most of them have had the same anecdotal experiences: 1. o99-pro-ultra announced, 2. Benchmarks look good, 3. Evaluated performance mediocre. This is despite the fact that we work in different industries, on different problem sets. Sometimes the founder will apply a cope to the narrative ("We just don't have any PhD level questions to ask"), but the narrative is there. [Link to post in comments]

  • ZeroPath reposted this

    View profile for Dean Valentine

    Co-Founder & CEO of ZeroPath (YC S24)

    These are not checkbox reviews. We actually find heinous problems.

    View profile for Etienne Lunetta

    Co-Founder & COO of ZeroPath (YC S24)

    ZeroPath's AI code scanning has gotten very good recently; good enough that we've lowered the price of our manual white-box pentests to $2k. From scoping call to report, we can get you the results in < 3 days. As part of the pentest, our red teamers will configure ZeroPath for your repository, run it, and manually review any findings. If you are interested in this (or the tool in general), feel free to DM me or schedule a scoping call at

  • ZeroPath reposted this

    View organization page for CISO Tradecraft®

    34,572 followers

    Traditional security scans can flood you with false positives, and manual reviews slow you down. But what if you had a security tool that could issue pull requests with fixes, not just generate vulnerability reports? ZeroPath automatically scans, detects, and fixes security flaws before they reach production, finding bugs that traditional scanners often overlook. Don't drown your team with ticket backlogs -- generate precise patches without slowing development. Learn more at https://zeropath.com/ to see how you can become secure by default. #devops #security #securecode #cyber

  • ZeroPath reposted this

    View organization page for Y Combinator

    1,244,410 followers

    ZeroPath (YC S24) is an AI security platform that scans your code for security issues like a pentester, from auth issues to exposed secrets. Once issues are found, it provides patches with natural language problem descriptions to engineers. It integrates seamlessly with GitHub, GitLab, and Bitbucket, providing automated security reviews and one-click patch generation in your workflow. https://lnkd.in/grae26rn

  • ZeroPath reposted this

    As AI advances, finding vulnerabilities in your code base and fixing them is more important than ever. ZeroPath (SurgePoint Capital backed) is building the next generation security code reviewer. Dean Valentine, Etienne Lunetta, Raphael Karger, and Nathan H. have built an incredible product!

    View organization page for ZeroPath

    635 followers

    🚀 Excited to announce the public launch of ZeroPath on ProductHunt. We’re bringing effortless application security to every engineering team. By combining advanced static analysis with AI workflows, we’re able to find vulnerabilities other scanners completely miss for the 90+ companies using the platform. As part of our public efforts to secure open source, our approach has allowed us to scalably find dozens of public zero-days in major enterprise codebases, including repos at Netflix, Hulu, and Salesforce. In addition to our deep AI-powered program analysis, we’ve shipped improvements to traditional vulnerability scanning workflows, including automatic remediation and intelligent engineer assignment. Support our launch on Product Hunt here and let us know what you think: https://lnkd.in/gKPB5uKa If you’re ready to become secure by default today, you can start scanning your first repository for free at zeropath.com. #ApplicationSecurity #CyberSecurity #AIinTech #DeveloperTools #ProductHunt

  • ZeroPath reposted this

    View organization page for Y Combinator

    1,244,410 followers

    ZeroPath (YC S24) is an AI AppSec engineer that detects, verifies, and fixes web application security vulnerabilities at scale. The founders, Nathan H., Raphael K., Dean Valentine, and Etienne Lunetta—experienced bug bounty hunters and red teamers—have already used ZeroPath to find public RCE and LFI bugs in open-core companies and GitHub repositories with 5k+ stars. Standard SAST (Static Application Security Testing) tools like Semgrep or VeraCode require engineers to spend large amounts of time sifting through potential findings, which, despite marketing, generally turn out to be false positives. Scanning large amounts of code with these tools is either impractical or requires so much filtering that their surface area diminishes to the point of irrelevance. ZeroPath's approach to scanning heavily leverages modern LLMs to determine if your SAST findings (from your tools or theirs) are both exploitable and of security interest. This saves security teams or auditors enormous amounts of time, and extends their ability to search for bugs. Congrats to the team on the launch! 🚀 https://lnkd.in/gDfQ2WPb

  • ZeroPath reposted this

    View profile for Nathan H.

    Co-Founder at ZeroPath

    Excited to kick off our ZeroPath security blog with a bang! Today, we're releasing four proof of concept exploits for popular open-source GitHub projects.

    1. Remote Code Execution in UpTrain (2.1k stars)
    2. Command Injection in clone-voice (7k stars)
    3. Local File Inclusion in Fonoster (6.3k stars)
    4. Arbitrary File Upload in LibrePhotos (6.8k stars)

    We found all of these vulnerabilities using our beta version of ZeroPath, which does traditional static analysis and uses LLMs to filter out false positives, only surfacing the alerts that are worth looking into. This significantly sped up the research process while searching for these vulnerabilities. More results coming soon! My personal favorite is the command injection, not because the project is the most popular, but because we crafted and showcase a novel technique that transforms a highly restricted command set into unrestricted execution. If you're curious and want to dive into the details, you can find all the posts here: https://zeropath.com/blog #InfoSec #Cybersecurity #AppSec #ZeroPath #AI

Funding

ZeroPath 3 total rounds

Last Round

Seed