The application security company that would rather fix your code than hand you another list of things that are broken.
Formerly WhiteSource · Boston & Tel Aviv · Founded 2011
In 2011, three engineers - Rami Sass, Azi Cohen, and Ron Rymon - started a company around a problem that did not yet have a market. Software teams were pulling more and more open source code into their products, often without knowing exactly what they were shipping or whether it was safe. There was no tidy industry label for the work of tracking those dependencies and their vulnerabilities. The category, software composition analysis, would be named later. WhiteSource got there first.
More than a decade on, that company is called Mend.io. The rename, announced in May 2022, was not a coat of paint. It came bundled with a product philosophy the founders summed up in three words: "You Code, We Cure." The idea is deceptively simple. Most security tools are very good at telling you what is wrong - producing dashboards, severity scores, and long queues of alerts. Mend.io's bet is that developers do not want a report. They want the problem to go away.
Mend.io sells software that scans the code a company ships and then helps fix the security holes it finds. That code comes in three flavors, and Mend.io increasingly wants to cover all of them. There is open source code - the third-party libraries and dependencies that make up the bulk of most modern applications. There is proprietary or custom code, the parts a company's own engineers write. And, more recently, there is AI-generated code and the machine-learning models teams are embedding directly into their products.
For open source, Mend SCA identifies known vulnerabilities and license-compliance issues across a project's dependency tree, then uses techniques like reachability analysis to work out which flaws are actually exploitable rather than merely present. For custom code, Mend SAST runs static analysis to catch weaknesses before they ship. Mend Renovate - a widely used dependency-update tool the company maintains - keeps libraries current automatically, chipping away at the security debt that piles up when projects fall behind. Dynamic testing (DAST) and API security round out the runtime side.
The core problem is not detection. Detection, in application security, has become close to a commodity - plenty of tools can flag a vulnerable package. The harder problem is what comes after: the wall of alerts, the triage, the guessing about which of 500 findings actually matters, and the slow, manual work of researching and applying a fix without breaking the build. That backlog has a name in the industry - alert fatigue - and it trains developers to tune security out.
Mend.io's answer is automated remediation. Rather than stopping at "here is a vulnerability," the platform aims to produce the exact fix - a specific version bump or code change - and deliver it inside the developer's own environment, often as a pull request. The company says this approach can cut remediation time by as much as 80 percent. Whether the figure holds in every environment, the direction is the differentiator: fewer, truer signals, each attached to an action.
Mend.io's customer base skews enterprise. The company reports more than 1,000 organizations and over a quarter of the Fortune 100, with named users including Microsoft, IBM, Comcast, Philips, Siemens, and Vodafone. These are companies with sprawling codebases, heavy open source usage, and security teams badly outnumbered by developers - exactly the setting where automating the fix, not just the finding, pays off.
The application security field is crowded. Snyk is the most frequently cited comparison, having built a strong developer-first brand; Sonatype and Black Duck (now under Synopsys) are long-standing forces in open source governance; Checkmarx and Veracode anchor the static-testing side; and GitHub Advanced Security folds scanning directly into the world's largest code host. Against that field, Mend.io's positioning leans on two things: depth in open source security dating back to before the category existed, and a remediation-first posture that tries to make security a background process rather than a gate.
The newest front is AI. As tools like code assistants generate an ever-larger share of what ships, the attack surface shifts. Code that no human wrote still needs to be secured; models embedded in an app carry their own risks. Mend.io's response has been to extend its supply-chain thinking rather than bolt on a separate scanner. Mend AI, introduced in 2025, aims to cover the full lifecycle of AI-generated code, machine-learning models, and embedded AI components - including red teaming and governance. The company reported roughly 15 percent adoption of Mend AI across its installed base shortly after launch, and followed with Mend AI Premium and, in mid-2025, Mend Forge, described as an AI-native engine for building the next generation of its tooling.
Software composition analysis for open source risk - vulnerabilities, license compliance, and reachability-based prioritization.
Static analysis of proprietary code, tuned for fast, low-noise results developers will actually act on.
Automated dependency updates across ecosystems, reducing security debt before it accumulates.
Unified platform with automated remediation - exact fixes delivered in the developer's native environment.
Dynamic testing and API coverage to catch runtime and interface-level risk.
Lifecycle security for AI-generated code, ML models, and embedded AI components, with red teaming and governance.
Mend.io is a B2B SaaS business. It licenses its application and AI security platform to enterprise development and security teams, typically priced by seat or contributor and by the modules a customer turns on - SCA, SAST, DAST, and AI - with premium tiers such as Mend AI Premium. Revenue is subscription-based and recurring.
Backers: M12 (Microsoft), Susquehanna, Pitango, 83North, Peregrine Ventures.
Rami Sass, Azi Cohen, and Ron Rymon set out to automate open source security and licensing.
Susquehanna Growth Equity leads, with 83North, M12, and Peregrine, to mainstream open source security management.
Funding from M12, Pitango, 83North, and Susquehanna backs a prevention-centric product vision.
WhiteSource becomes Mend and launches its platform with industry-first automated remediation.
Mend AI Premium and Mend Forge extend supply-chain security to AI-generated code and models.
Co-founder Azi Cohen becomes CEO; Rami Sass takes over as GM of Mend AI after a year of record growth.
Co-founder, now Chief Executive Officer. Cohen stepped into the CEO role in 2026 following a year of record growth, as the company doubled down on enterprise AI security.
Co-founder and former CEO, now General Manager of Mend AI - a move that puts a founder's full attention on securing AI-generated code and embedded models.
The third co-founder, Ron Rymon, helped start the company in 2011. That a founder was reassigned to run the AI unit rather than an outside hire says something about where Mend.io believes its future sits: not in a side product, but at the center of the roadmap.
Mend.io is an application security company that helps teams detect, prioritize, and automatically remediate vulnerabilities in open source dependencies, custom code, and AI-generated code.
Yes. WhiteSource rebranded as Mend (mend.io) in May 2022, alongside the launch of its remediation-focused application security platform.
It was founded in 2011 by Rami Sass, Azi Cohen, and Ron Rymon. As of 2026, co-founder Azi Cohen serves as CEO.
Core products include Mend SCA, Mend SAST, Mend Renovate, Mend DAST and API Security, and Mend AI, unified in the Mend Application Security Platform.
The company has raised roughly $122M across multiple rounds, including a $75M Series D in 2021, from investors such as M12, Susquehanna, Pitango, and 83North.