An important line just shifted in the software security market with the Series A announcement from depthfirst, an applied AI lab positioning itself not as another scanning tool, but as an autonomous layer of defense designed for a world where code is no longer written at human speed. The $40 million round, led by Accel with participation from Alt Capital, BoxGroup, Liquid 2 Ventures, Mantis VC, SV Angel and a notably technical bench of angel investors, lands at a moment when the asymmetry between attackers and defenders is widening fast. AI-generated code is flooding repositories, infrastructure is mutating continuously, and traditional security tooling is still largely built around static snapshots and alert-heavy workflows that assume a human on the other end can keep up. That assumption no longer holds, and the market is finally starting to price that reality in.
What depthfirst is selling, under the deliberately broad banner of “General Security Intelligence,” is not just better detection but a different operational model. Instead of treating vulnerabilities as isolated findings, the platform builds a living understanding of a company’s codebase, infrastructure, and business logic, then deploys agents that reason across those layers the way a senior security engineer would—only continuously, and without fatigue. The numbers they’re putting forward are aggressive but telling: uncovering eight times more true-positive vulnerabilities than static analysis tools while cutting false positives by eighty-five percent, and achieving a ninety percent performance jump on CyberGym benchmarks. Those metrics matter less as marketing claims and more as signals that the system is learning context, not just patterns, which is where most legacy tools quietly fall apart.
The customer list reinforces that reading. Companies like AngelList, Supabase, and Moveworks are not buying novelty; they are buying leverage. When Alberto Martinez at AngelList describes depthfirst as effectively adding an autonomous senior product-security engineer to the team, that’s a very specific framing, and not accidental. Security teams today are stretched thin not because they lack alerts, but because they lack prioritization, continuity, and fixes that developers actually want to merge. The platform’s emphasis on ready-to-merge remediation, rather than just detection, hints at where this category is going: security as an active participant in the development lifecycle, not an external critic shouting from the sidelines.
Stepping back, the strategic bet here is larger than one company. The rise of autonomous, always-on attackers means defense can no longer be reactive or purely human-mediated. If offense is becoming agentic, defense has to follow, and fast. depthfirst’s framing—hardening the global software stack as a prerequisite for safe and controllable AI—connects software security directly to the broader AI safety conversation, which is a smart and, frankly, overdue linkage. Software is still the substrate everything else runs on, and its fragility is increasingly the weakest link in otherwise sophisticated systems.
Founded in 2024 by a team with roots in Google DeepMind, Databricks, and Faire, depthfirst is clearly positioning itself as an AI-native security company rather than a security company that bolted AI on later. The fresh capital will go into research, go-to-market, and hiring, but the more interesting question is whether this “general intelligence” approach can scale across wildly different environments without collapsing under its own ambition. If it does, the implications are significant: fewer noisy dashboards, fewer ignored alerts, and a shift toward security systems that actually keep pace with the software they’re meant to protect. Not a small promise, admittedly—but in this phase of the market, incremental improvements are starting to feel like the real risk.