Nullify is an AI-first application security company that automates finding, triaging, and fixing software vulnerabilities inside developer workflows by acting as a virtual security engineer integrated into tools like GitHub, Jira and Slack[3][4].
High-Level overview
- Summary: Nullify builds autonomous AI agents that detect risks in code, dependencies, APIs, containers, secrets and IaC, prioritize the issues that are actually exploitable, and generate merge-ready fixes delivered inside developer workflows, with the aim of replacing multiple AppSec tools and reducing manual security toil[3][4].
For a portfolio company
- What product it builds: An AI-powered “virtual security engineer” offering continuous code-to-merge scanning, exploitability and impact triage, and automated fix generation (including campaign-based assignment and PR creation)[3][4].
- Who it serves: Software engineering and security teams at startups and enterprises that use Git-based workflows and need developer-first AppSec automation[3][4].
- What problem it solves: Reduces noise and manual effort in application security by triaging false positives, prioritizing exploitable flaws, and auto-generating fixes so teams can remediate earlier in the SDLC[3][4].
- Growth momentum: Founded in 2022 and operating out of Sydney, Nullify closed a seed round in March 2024 of roughly US$3.41M (A$5.2M), led by Two Sigma Ventures and Root Ventures, with additional backing from Black Nova and angel investors from the security and enterprise software world. The company also reports rapid engineering hiring and early product traction[1][2][3].
Origin story
- Founding & founders: Nullify was founded in Sydney in 2022. Company materials and press coverage list co‑founders including Shantanu (Shan) Kulkarni, Tim Thacker and Tony Mao[1][2].
- How the idea emerged: The team positioned Nullify around using generative AI together with a long‑term memory (Vault) that encodes an organization’s tacit security knowledge, so that agents can reason like human security engineers and automate repetitive AppSec tasks inside developer flows[3].
- Early traction / pivotal moments: Key early milestones include rapid headcount growth in engineering, inclusion in investor portfolios (Two Sigma Ventures, Root Ventures, Black Nova), the March 2024 seed close, and marketplace availability (an AWS Marketplace listing) that highlights the GitHub App integration and enterprise orchestration features[2][3][4].
Core differentiators
- Autonomous AI agents and Vault: Nullify emphasizes agent-driven automation with a long‑term memory (“Vault”) that ingests policies, bug bounty reports, architecture documentation and repo metadata so the system adapts to org‑specific risk posture and suppresses non‑issues over time[3].
- End-to-end developer workflow integration: Operates as a GitHub App and integrates with Jira and Slack to surface fixes at commit/PR time and manage remediation campaigns, reducing context switching for developers[4][3].
- Merge-ready remediation: Generates validated, merge-ready fix PRs and can hold or escalate fixes based on team capacity signals (GitHub/Jira), which aims to increase fix throughput while avoiding developer overload[3].
- Breadth of coverage: Claims to replace multiple tools by covering code, dependencies, secrets, APIs, containers and IaC with both static and dynamic testing, augmented by LLM-enhanced detection and a proprietary vulnerability database[3][4].
- Developer-first UX and metrics: Positions itself as a usage-based, developer-first solution that provides secure SDLC metrics and integrates with observability tooling to measure security debt and team performance[3][4].
Role in the broader tech landscape
- Trend alignment: Nullify rides two converging trends: broad adoption of generative AI/LLMs for developer productivity, and the movement to shift security left into the developer workflow. Together these make the timing favorable for AI-driven AppSec automation[3][4].
- Market forces in its favor: Rising supply-chain risk, the complexity of modern applications (containers, APIs, IaC), and the scarcity of skilled security engineers increase demand for automation that triages and fixes issues earlier in the SDLC[4][3].
- Ecosystem influence: By packaging AppSec as integrated developer tooling (GitHub App, marketplace listings) and promising to reduce dependence on multiple specialist security tools, Nullify could pressure both legacy AppSec vendors and internal SecOps teams to adopt more automated, developer-centric models[3][4].
Quick take & future outlook
- What’s next: Expect continued product expansion across detection modalities, deeper enterprise integrations (SSO, cloud providers), wider marketplace distribution, and additional funding rounds to scale sales and AI research capabilities following the 2024 seed[3][2][4].
- Trends that will shape them: Improvements in the safety and accuracy of generative models, regulatory scrutiny of AI in security, and enterprises’ appetite for autonomous remediation will dictate adoption speed and product design (e.g., explainability, human-in-the-loop controls)[3][4].
- Potential impact: If Nullify sustains low false-positive rates and reliable auto-remediation, it could materially reduce the AppSec backlog for engineering teams and redefine expectations for how security is delivered in CI/CD pipelines, while needing to manage trust, governance and compliance concerns as automation scales[3][4].
Final note: Nullify’s core claim, to act as a virtual security engineer that not only finds but also triages and fixes vulnerabilities inside developer workflows, captures its product thesis and is the lens through which to watch its technical, commercial, and governance progress[3][4].