BREAKING ZeroPath named RSAC 2026 Innovation Sandbox Top 10 Finalist 1,000+ organizations secured 200,000+ code scans per month 170 verified bugs found in curl $7M seed round closed Jan 2025 3x ARR growth in 2026 CVE-2025-29927 (Next.js auth bypass) discovered YC S24
YesPress Profile • YC S24 • Security

ZeroPath

"The exterminator your codebase never knew it needed."

The AI security platform that doesn't just point at your vulnerabilities - it patches them. Automatically.

Y Combinator S24 RSAC 2026 Finalist San Francisco
ZeroPath Co-Founder
Co-Founder, ZeroPath • San Francisco
1k+
Organizations Protected
200k+
Monthly Code Scans
75%
Fewer False Positives
90%
Faster Remediation
16+
Languages Supported

Every security tool is screaming at you. None of them fix anything.

Your SAST scanner just fired 4,000 alerts. Your developers are ignoring them. Your security team is buried. And somewhere in that noise is the one vulnerability that will ruin your quarter.

Traditional static analysis tools were built for a simpler era - they pattern-match code against a rulebook of known bad practices. Fast, cheap, dumb. They catch what they were programmed to catch. They miss everything else. They generate so many false alarms that developers learn to dismiss them entirely, which means the real problems stay hidden in plain sight.

ZeroPath was built to fix that - not philosophically, but mechanically. The platform finds vulnerabilities, verifies they're actually exploitable, and writes the patch. You review it. You merge it. Done.

"From alarm accumulation to executable fixes."

- ZeroPath's thesis, as described at RSAC 2026 Innovation Sandbox

Security Boulevard put it plainly in their RSAC 2026 coverage: ZeroPath isn't trying to build a better alarm. It's trying to make the alarm obsolete. That's a different product category masquerading as a familiar one.

Four people who have actually broken things before

The ZeroPath founding team is not a group of academics who read about security. They are practitioners - the kind who get listed in hall-of-fame acknowledgments and earn five-figure bug bounties on the side.

Dean Valentine
Co-Founder & CEO
Previously co-founded Mevlink, acquired by bloXroute Labs in 2023. Built the operational and go-to-market foundation at ZeroPath.

Etienne Lunetta
Co-Founder & COO
Also a Mevlink alumnus. Oversees operations and the systems that keep 200,000+ monthly scans running without catching fire.

Raphael Karger
Co-Founder & CTO
Former Google Security Engineer. Former consultant at BishopFox. Earned 12 security researcher hall-of-fame recognitions. The technical architecture of ZeroPath is his.

Nathan Hrncirik
Co-Founder & CIO
Former Red Team Security Engineer at Tesla. $100,000+ in bug bounty earnings. Knows exactly what attackers are looking for - because he's been looking for it professionally.

Two came from Mevlink (acquired). One from Google Security. One from Tesla's Red Team. The combination means ZeroPath has both the startup muscle to ship fast and the security depth to not embarrass itself in front of the people it's trying to impress: CISOs, security engineers, and open-source maintainers who can spot nonsense from a mile away.

Not pattern-matching. Actually thinking.

Most SAST tools work by pattern recognition. They look for code that resembles known vulnerabilities. This produces two failure modes: false positives (flagging safe code that looks bad) and false negatives (missing real vulnerabilities that don't match any known pattern).

ZeroPath uses large language models combined with Abstract Syntax Tree analysis to read code the way a senior security engineer would - following the actual data flow, understanding what functions do in context, tracing how user input moves through a system. It doesn't just find where a sink exists; it asks whether a real attacker could actually reach it with real input.

The result: 2x more real vulnerabilities found. 75% fewer false positives. Pull request scans return in under 60 seconds. And when a real issue turns up, ZeroPath generates a working patch - not a suggestion, but an actual pull request you can merge.
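To make the distinction between rule matching and data-flow reasoning concrete, here is an added example that is not ZeroPath's code and says nothing about how its analysis is implemented. It is a toy, straight-line taint tracker over Python's own ast module, placed beside the naive pattern matcher it is meant to improve on. The source (request.args.get), sinks (os.system, subprocess.call) and sanitizer (shlex.quote) are assumptions chosen for the demonstration, and the three sample functions are constructed input: the pattern matcher flags every sink call, while the data-flow version only reports the one where attacker-controlled input actually reaches the sink unsanitized.

```python
import ast

# Assumed conventions for this toy analysis (not ZeroPath's rule set):
SOURCE_CALLS = {"request.args.get"}              # Flask-style attacker-controlled input
SINK_CALLS = {"os.system", "subprocess.call"}    # command execution sinks
SANITIZERS = {"shlex.quote"}                     # calls whose result is treated as clean


def dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """Does this expression carry data derived from a source, with no sanitizer in between?"""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCE_CALLS:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(arg, tainted) for arg in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):                # "ping " + host
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):            # f"ping {host}"
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def dataflow_findings(source):
    """Flag a sink call only when tainted data actually flows into one of its arguments.

    Intraprocedural and straight-line only: assignments nested in if/for blocks
    are not tracked, which is enough to show the idea.
    """
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()                            # variable names holding tainted data
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)   # reassigned from clean data
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call)
                        and dotted_name(node.func) in SINK_CALLS
                        and any(is_tainted(arg, tainted) for arg in node.args)):
                    findings.append((fn.name, node.lineno))
    return findings


def pattern_findings(source):
    """Rule-based baseline: flag every call to a sink, regardless of what reaches it."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and dotted_name(node.func) in SINK_CALLS:
                findings.append((fn.name, node.lineno))
    return findings


# Constructed sample program: one real command injection, one sanitized, one constant.
SAMPLE = '''
import os, shlex
from flask import request

def ping_unsafe():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)          # user input reaches the sink

def ping_safe():
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)          # quoted before the sink

def uptime():
    os.system("uptime")                     # no user input at all
'''

if __name__ == "__main__":
    print("pattern matcher :", pattern_findings(SAMPLE))
    print("data-flow       :", dataflow_findings(SAMPLE))
```

Run stand-alone, the pattern matcher reports all three functions and the data-flow version reports only ping_unsafe. The two false positives it avoids are exactly the kind of noise that trains developers to ignore a scanner; the one it keeps is the finding worth a patch.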

Capability                    Traditional SAST            ZeroPath
Detection method              Pattern matching / rules    LLM + AST semantic analysis
False positive rate           High (70-80% typical)       75% fewer than traditional tools
Business logic flaws          Cannot detect               Detects (50%+ of critical findings)
Exploitability verification   No                          Verified before surfacing
Auto-generated patches        No                          Working PR patches
PR scan speed                 Minutes to hours            Under 60 seconds
Setup time                    Weeks to months             1 minute (GitHub App)

The curl story: 170 bugs the internet had missed

In late 2025, curl maintainer Daniel Stenberg was publicly complaining about AI-generated garbage bug reports flooding his inbox. AI tools were submitting nonsense by the thousands. He was done with AI security claims.

Then ZeroPath submitted 170 bug reports. All valid. All real. Covering HTTP/3, SMTP, IMAP, TFTP, Telnet, and SSH/SFTP. The curl project - running in billions of devices worldwide, maintained by volunteers who have seen everything - accepted them.

The Register covered it. The headline was diplomatic about the rest of the AI security industry: "Curl project, swamped with AI slop, finds not all AI is bad."

The Register, October 2025

"Curl project, swamped with AI slop, finds not all AI is bad."

ZeroPath submitted 170 verified bug reports to curl - one of the most scrutinized open-source projects on the internet - and they were accepted. This was not a demo. This was ZeroPath against the real world, with real maintainers, on code that billions of people depend on daily.

170 verified bugs

ZeroPath also filed 36 sudo bug fixes - including a previously unpublished RCE targeting sudo's optional log server that was later independently rediscovered by Qualys as part of their CrackArmor vulnerability research. Being ahead of Qualys on a sudo CVE is the kind of credential that speaks for itself in security circles.

The vulnerabilities everyone was running

ZeroPath Security Disclosures
A partial list of publicly disclosed vulnerabilities discovered by ZeroPath's platform and team
CVE-2025-29927
Next.js Middleware Authorization Bypass - allowed attackers to bypass authentication middleware, affecting a massive portion of the modern web stack.
CVE-2025-49826
Next.js Cache Poisoning - permitted cache manipulation attacks on Next.js applications.
CVE-2026-32604
Spinnaker Remote Code Execution - critical RCE vulnerability in the widely-used continuous delivery platform.
CVE-2026-32613
Spinnaker RCE (second) - a companion critical RCE in Spinnaker, discovered in the same research effort.
sudo RCE (unpublished)
A previously unpublished remote code execution targeting sudo's optional log server, later independently confirmed by Qualys in their CrackArmor research.
curl (170 bugs)
Across HTTP/3, SMTP, IMAP, TFTP, Telnet, SSH/SFTP. Accepted by the curl maintainers and covered by The Register.

Aptos Labs: 8x faster across a million lines of Rust

Case Study • Blockchain Infrastructure

Aptos Labs scaled application security across 1M+ lines of Rust with 70 engineers - and went from setup to production in under 2 days.

Semgrep missed it. Checkmarx missed it. Snyk missed it. ZeroPath found a subtle Rust replay-attack vulnerability in Aptos Labs' codebase that all three established tools had overlooked. The Aptos team also created 15 custom rules for application-specific logic - replay protection, transaction validation - without needing to write a single regex pattern.

8x
Faster Vulnerability Discovery
2 days
Setup to Production
15
Custom Security Rules Created
1M+
Lines of Rust Covered

One platform. Every layer of your stack.

ZeroPath is designed to replace multiple security tools, not slot in alongside them. The platform covers the attack surface from application code to cloud configuration to open-source dependencies.

AI-Native SAST
LLM-powered static analysis using Abstract Syntax Trees. Finds 2x more real vulnerabilities with 75% fewer false positives across 16+ languages.

Software Composition Analysis
Open-source dependency and supply chain vulnerability detection. Know what's hiding in your node_modules and pip packages.

IaC Security
Cloud infrastructure scanning. Catch misconfigurations in Terraform, CloudFormation, and other IaC templates before they become incidents.

Secrets Detection
Automated scanning for API keys, credentials, and tokens accidentally committed to code repositories.

Auto Patch Generation
Working pull request patches for discovered vulnerabilities. Review and merge - no manual remediation research required.

AI-Generated Code Security
Purpose-built for vibe-coded and AI-assisted codebases. Security for the way software is actually being written in 2025-2026.

From YC to RSAC in under two years

$500K
Pre-Seed • September 2024
Y Combinator, Mergus Ventures
$7M
Seed • January 2025
SurgePoint Capital, Y Combinator, Paul Graham (angel), HOF Capital, Olive Tree Capital, Orange Collective, Crosspoint Capital
July 2024
Y Combinator S24 Accepted
ZeroPath joins the S24 cohort of the most selective startup program in the world.
September 2024
$500K Pre-Seed Closed
YC and Mergus Ventures back the first round.
January 2025
Public Launch + $7M Seed
Platform opens to the public. 90+ companies onboard immediately. Seed round led by SurgePoint Capital with Paul Graham as an angel.
October 2025
The curl Moment
170 valid bug reports submitted to and accepted by the curl project. Covered by The Register.
March 2026
RSAC 2026 Innovation Sandbox Top 10
Named a finalist in cybersecurity's premier startup competition. Presents at RSA Conference in San Francisco on March 23.
March 2026
1,000+ Orgs, 200K+ Monthly Scans, 3x ARR
Scale announcement confirms ZeroPath has become a real business, not just a compelling demo.

Vibe coding broke AppSec. ZeroPath is the fix.

There's a new reality in software development: AI writes the first draft. GitHub Copilot, Cursor, Claude - developers are shipping more code, faster, with less manual review than at any previous point in history. That code contains bugs. Some of those bugs are security vulnerabilities. And traditional tools, designed for code written by humans at human speed, weren't built for this.

ZeroPath launched a specific product category for AI-generated code security. Not as a marketing afterthought - as a core use case from day one. The platform is designed to handle the volume and variety of code that AI-assisted development produces, at the velocity modern teams require.

They also publish an open-source MCP server that lets AI assistants - Claude, Cursor, Windsurf - query ZeroPath security findings directly. That is the kind of strategic move that makes sense given where developer workflows are heading: AI tools talking to AI security tools, with humans reviewing the results rather than doing the scanning themselves.

"50% of critical findings are business logic flaws - the kind traditional scanners couldn't detect even in principle."

- ZeroPath platform data, March 2026

Business logic flaws are the hardest category of vulnerability to detect because they require understanding what the code is supposed to do. A scanner that only knows syntax can't reason about whether a financial transaction is missing authorization checks. ZeroPath's semantic approach does. That's the gap worth paying attention to.
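The transaction example in that paragraph, as an added illustration that is not ZeroPath's code or a finding from its platform: a constructed ledger with two transfer handlers. Both validate the account names, the amount and the balance, so neither contains a syntactic pattern a rule-based scanner could key on. The only difference is that the hardened version ties the source account to the authenticated caller. Knowing that this check must exist requires knowing what a transfer is supposed to mean, which is the reasoning gap the paragraph describes. Account names, owners and balances are constructed sample data.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Caller tried to move funds out of an account they do not own."""


class InsufficientFunds(Exception):
    pass


@dataclass
class Account:
    owner: str
    balance: int


class Ledger:
    def __init__(self, accounts):
        self.accounts = accounts

    def _validate(self, src, dst, amount):
        # Input validation shared by both versions. Every check a signature-based
        # rule might look for is present, so nothing here looks "missing".
        if src not in self.accounts or dst not in self.accounts:
            raise KeyError("unknown account")
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.accounts[src].balance < amount:
            raise InsufficientFunds(src)

    def transfer_vulnerable(self, caller, src, dst, amount):
        # Business logic flaw: `src` is taken from the request and never tied
        # to `caller`, so any authenticated user can move money out of any account.
        self._validate(src, dst, amount)
        self.accounts[src].balance -= amount
        self.accounts[dst].balance += amount

    def transfer_fixed(self, caller, src, dst, amount):
        # Hardened: the ownership rule is the single check that makes this correct,
        # and it is only visible as missing if you know what a transfer means.
        account = self.accounts.get(src)
        if account is None or account.owner != caller:
            raise AuthorizationError(f"{caller} does not own {src}")
        self._validate(src, dst, amount)
        self.accounts[src].balance -= amount
        self.accounts[dst].balance += amount


def make_ledger():
    """Constructed sample data for the demonstration."""
    return Ledger({
        "acct-alice": Account(owner="alice", balance=100),
        "acct-mallory": Account(owner="mallory", balance=0),
    })


def run(ledger, method, caller, src, dst, amount):
    """Call a transfer method and report the outcome by name instead of raising."""
    try:
        getattr(ledger, method)(caller, src, dst, amount)
        return "ok"
    except (AuthorizationError, InsufficientFunds, ValueError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Authenticated as mallory, but naming alice's account as the source.
    ledger = make_ledger()
    print("vulnerable:", run(ledger, "transfer_vulnerable", "mallory", "acct-alice", "acct-mallory", 60),
          "alice balance =", ledger.accounts["acct-alice"].balance)
    ledger = make_ledger()
    print("fixed:     ", run(ledger, "transfer_fixed", "mallory", "acct-alice", "acct-mallory", 60),
          "alice balance =", ledger.accounts["acct-alice"].balance)
```

A useful way to review code for this class of flaw is to ask, for every identifier a handler takes from the request, which check binds it to the caller's identity; the vulnerable handler above has none for `src`, and no amount of input validation compensates for that.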

Explore, connect, secure your code.