TL;DR: Corgea helps companies fix vulnerable source code. It is an AI-powered security platform that writes security patches for engineer approval, saving 80% of the engineering effort needed and $$$. Having Corgea is like having a security engineer on staff who is constantly focused on making your code more secure.
Hi YC! This is Ahmad, and along with Adam, Pratik and Tamara we’re building Corgea.
Companies scan their code for security vulnerabilities, and are often met with a big pile of findings. On average, companies take 3 months to fix a vulnerability, and 60% of breach victims were aware of the unpatched vulnerability that was exploited.
Why? Engineers prioritize revenue-generating work, which often leaves security fixes lower in priority. It is also really expensive for companies to fix vulnerabilities, costing them between $400 and $4,000 per fix. This is unacceptable in today’s environment of more frequent security breaches and increasingly sophisticated attacks.
Security teams kept complaining to us that all of their hundreds (yes, hundreds) of security tools alert them about issues without giving them a way to actually resolve those issues automatically. This leaves security teams high and dry.
We’re approaching one of the hardest problems in security with an entirely new approach. Unlike other tools that are obsessed with merely reporting vulnerabilities, Corgea fixes them.
Corgea connects to your existing SAST (static application security testing) tools, like Snyk and Semgrep, and automatically writes code fixes for the reported vulnerabilities. Security teams can issue a pull request for the fix with a single click, without disrupting any workflows. Engineers get the code fix for review, along with well-written descriptions that help them understand the changes.
For example, Corgea can rewrite code and issue PRs to fix SQL injection, path traversal, SSRF, or hundreds of other vulnerabilities. Here’s a brief demo to show Corgea’s capabilities.
Video: Fixing Issues using Corgea
Security is often perceived as a blocker to engineering, and vice versa. With Corgea, we’re empowering security teams to be able to take action while also accelerating engineering velocity. This fundamentally changes the dynamic between teams.
Often, security software lacks a clear return on investment or value proposition. It is frequently bought out of fear, uncertainty, and doubt. At Corgea, our belief is that security software needs to lead with real value and a clear ROI.
The current market is flooded with tools that overwhelm security teams with alerts and are not effective at fixing what they’re reporting.
Enterprises often use multiple scanners like Snyk, Semgrep, and Checkmarx, and may have multiple repository tools like GitHub, GitLab, and Bitbucket for their code. They need a solution that consolidates across their existing tools.
Each member of the Corgea team has experienced the challenges of addressing vulnerabilities in both security and engineering. We witnessed first hand the frustration of teams wanting to deliver high-quality, feature-rich, secure software. Our goal is to shatter the silos between the teams and empower both of them, rather than empowering one at the expense of the other.
In our prior roles, we designed, secured, and built mission-critical software products at companies like Coupa, Autodesk, and PlanGrid.
We’re really excited to help companies automate the security of their source code. Use Corgea today for free and without a credit card. Setup takes just a few minutes. Feel free to reach out to us to chat and get a more in-depth demo.