Breaking
WhiteSource is now Mend.io - "You Code, We Cure" 1,000+ customers, 25% of the Fortune 100 Series D: $75M raised in 2021 Mend AI secures AI-generated code & models Co-founder Azi Cohen named CEO Mend Forge: AI-native AppSec engine launched Automated remediation cuts fix time up to 80% WhiteSource is now Mend.io - "You Code, We Cure" 1,000+ customers, 25% of the Fortune 100 Series D: $75M raised in 2021 Mend AI secures AI-generated code & models Co-founder Azi Cohen named CEO Mend Forge: AI-native AppSec engine launched Automated remediation cuts fix time up to 80%
Company Profile · Application & AI Security

Mend.io

The application security company that would rather fix your code than hand you another list of things that are broken.

Formerly WhiteSource · Boston & Tel Aviv · Founded 2011

Founded 2011
HQ Boston, MA
Raised ~$122M
Customers 1,000+
Mend.io company logo
MEND.IO, THE COMPANY FORMERLY KNOWN AS WHITESOURCE, PHOTOGRAPHED IN ITS BRAND COLORS. THE 2022 REBRAND TRADED A NAME FOR A THESIS: STOP FINDING BUGS, START CURING THEM.
The Dispatch

You Code, They Cure

In 2011, three engineers - Rami Sass, Azi Cohen, and Ron Rymon - started a company around a problem that did not yet have a market. Software teams were pulling more and more open source code into their products, often without knowing exactly what they were shipping or whether it was safe. There was no tidy industry label for the work of tracking those dependencies and their vulnerabilities. The category, software composition analysis, would be named later. WhiteSource got there first.

More than a decade on, that company is called Mend.io. The rename, announced in May 2022, was not a coat of paint. It came bundled with a product philosophy the founders summed up in three words: "You Code, We Cure." The idea is deceptively simple. Most security tools are very good at telling you what is wrong - producing dashboards, severity scores, and long queues of alerts. Mend.io's bet is that developers do not want a report. They want the problem to go away.

"Harden the logic. Secure the code. Automate the rest."Mend.io company tagline

What the company actually does

Mend.io sells software that scans the code a company ships and then helps fix the security holes it finds. That code comes in three flavors, and Mend.io increasingly wants to cover all of them. There is open source code - the third-party libraries and dependencies that make up the bulk of most modern applications. There is proprietary or custom code, the parts a company's own engineers write. And, more recently, there is AI-generated code and the machine-learning models teams are embedding directly into their products.

For open source, Mend SCA identifies known vulnerabilities and license-compliance issues across a project's dependency tree, then uses techniques like reachability analysis to work out which flaws are actually exploitable rather than merely present. For custom code, Mend SAST runs static analysis to catch weaknesses before they ship. Mend Renovate - a widely used dependency-update tool the company maintains - keeps libraries current automatically, chipping away at the security debt that piles up when projects fall behind. Dynamic testing (DAST) and API security round out the runtime side.

The problem it is trying to solve

The core problem is not detection. Detection, in application security, has become close to a commodity - plenty of tools can flag a vulnerable package. The harder problem is what comes after: the wall of alerts, the triage, the guessing about which of 500 findings actually matters, and the slow, manual work of researching and applying a fix without breaking the build. That backlog has a name in the industry - alert fatigue - and it trains developers to tune security out.

Mend.io's answer is automated remediation. Rather than stopping at "here is a vulnerability," the platform aims to produce the exact fix - a specific version bump or code change - and deliver it inside the developer's own environment, often as a pull request. The company says this approach can cut remediation time by as much as 80 percent. Whether the figure holds in every environment, the direction is the differentiator: fewer, truer signals, each attached to an action.

By the Numbers
2011Founded as WhiteSource
1,000+Customers worldwide
~$122MTotal funding raised
25%Of the Fortune 100
The Market

Who Uses It, and Why It Is Different

Mend.io's customer base skews enterprise. The company reports more than 1,000 organizations and over a quarter of the Fortune 100, with named users including Microsoft, IBM, Comcast, Philips, Siemens, and Vodafone. These are companies with sprawling codebases, heavy open source usage, and security teams badly outnumbered by developers - exactly the setting where automating the fix, not just the finding, pays off.

The application security field is crowded. Snyk is the most frequently cited comparison, having built a strong developer-first brand; Sonatype and Black Duck (now under Synopsys) are long-standing forces in open source governance; Checkmarx and Veracode anchor the static-testing side; and GitHub Advanced Security folds scanning directly into the world's largest code host. Against that field, Mend.io's positioning leans on two things: depth in open source security dating back to before the category existed, and a remediation-first posture that tries to make security a background process rather than a gate.

"Whitesource is now Mend. You Code, We Cure."Mend.io, on its 2022 rebrand

The AI turn

The newest front is AI. As tools like code assistants generate an ever-larger share of what ships, the attack surface shifts. Code that no human wrote still needs to be secured; models embedded in an app carry their own risks. Mend.io's response has been to extend its supply-chain thinking rather than bolt on a separate scanner. Mend AI, introduced in 2025, aims to cover the full lifecycle of AI-generated code, machine-learning models, and embedded AI components - including red teaming and governance. The company reported roughly 15 percent adoption of Mend AI across its installed base shortly after launch, and followed with Mend AI Premium and, in mid-2025, Mend Forge, described as an AI-native engine for building the next generation of its tooling.

Products & Services

The Toolkit

SINCE 2011

Mend SCA

Software composition analysis for open source risk - vulnerabilities, license compliance, and reachability-based prioritization.

2022

Mend SAST

Static analysis of proprietary code, tuned for fast, low-noise results developers will actually act on.

RENOVATE

Mend Renovate

Automated dependency updates across ecosystems, reducing security debt before it accumulates.

2022

AppSec Platform

Unified platform with automated remediation - exact fixes delivered in the developer's native environment.

2024

DAST & API Security

Dynamic testing and API coverage to catch runtime and interface-level risk.

2025

Mend AI

Lifecycle security for AI-generated code, ML models, and embedded AI components, with red teaming and governance.

▶ Watch product demos & interviews on YouTube
Business & Backing

How the Money Works

The Model

Mend.io is a B2B SaaS business. It licenses its application and AI security platform to enterprise development and security teams, typically priced by seat or contributor and by the modules a customer turns on - SCA, SAST, DAST, and AI - with premium tiers such as Mend AI Premium. Revenue is subscription-based and recurring.

  • CategoryAppSec / AI security SaaS
  • BuyersDev & security teams
  • Est. Revenue~$28M+ (approx.)
  • Growth~20% YoY (reported)

Funding Rounds

2019 · Growth$35M
2021 · Series D$75M
Total raised~$122M

Backers: M12 (Microsoft), Susquehanna, Pitango, 83North, Peregrine Ventures.

The Record

Milestones

2011

WhiteSource founded

Rami Sass, Azi Cohen, and Ron Rymon set out to automate open source security and licensing.

2019

$35M growth round

Susquehanna Growth Equity leads, with 83North, M12, and Peregrine, to mainstream open source security management.

2021

$75M Series D

Funding from M12, Pitango, 83North, and Susquehanna backs a prevention-centric product vision.

2022

Rebrand to Mend.io

WhiteSource becomes Mend and launches its platform with industry-first automated remediation.

2025

The AI push

Mend AI Premium and Mend Forge extend supply-chain security to AI-generated code and models.

2026

Leadership realignment

Co-founder Azi Cohen becomes CEO; Rami Sass takes over as GM of Mend AI after a year of record growth.

The People

Founders & Leadership

Azi Cohen

Co-founder, now Chief Executive Officer. Cohen stepped into the CEO role in 2026 following a year of record growth, as the company doubled down on enterprise AI security.

Rami Sass

Co-founder and former CEO, now General Manager of Mend AI - a move that puts a founder's full attention on securing AI-generated code and embedded models.

The third co-founder, Ron Rymon, helped start the company in 2011. That a founder was reassigned to run the AI unit rather than an outside hire says something about where Mend.io believes its future sits: not in a side product, but at the center of the roadmap.

Questions

Frequently Asked

What does Mend.io do?

Mend.io is an application security company that helps teams detect, prioritize, and automatically remediate vulnerabilities in open source dependencies, custom code, and AI-generated code.

Is Mend.io the same as WhiteSource?

Yes. WhiteSource rebranded as Mend (mend.io) in May 2022, alongside the launch of its remediation-focused application security platform.

Who founded Mend.io and when?

It was founded in 2011 by Rami Sass, Azi Cohen, and Ron Rymon. As of 2026, co-founder Azi Cohen serves as CEO.

What are Mend.io's main products?

Core products include Mend SCA, Mend SAST, Mend Renovate, Mend DAST and API Security, and Mend AI, unified in the Mend Application Security Platform.

How much funding has Mend.io raised?

The company has raised roughly $122M across multiple rounds, including a $75M Series D in 2021, from investors such as M12, Susquehanna, Pitango, and 83North.