Gecko Security

The AI Security Engineer to Find and Fix Vulnerabilities

Fall 2024 · Active · 2024 · Website

Artificial Intelligence, SaaS, B2B, Security, Cybersecurity
Report from 2 months ago

What do they actually do

Gecko Security offers a hosted web app that scans source code repositories and flags exploitable vulnerabilities with evidence. Teams connect their repos or CI, and Gecko analyzes the codebase to surface validated issues with proof‑of‑concept exploits and suggested fixes. It integrates into pull requests and CI via a GitHub bot. There’s a free tier, a Pro plan at $99/month, and an Enterprise tier with deeper automation and controls (site).

They publish confirmed findings from scans, including responsible disclosures with assigned CVEs, to demonstrate real‑world coverage and accuracy (research page). Early users span startups and a handful of larger enterprises, according to their YC profile (YC).

Who are their target customer(s)

  • Small engineering-led startups building web services: They lack dedicated security staff and get overwhelmed by noisy scanners. They need high‑confidence, actionable findings that appear in PRs/CI so developers can fix issues without manual triage (site).
  • Mid-size SaaS companies with a lean security team: Basic scanners miss logic-level or multi-step issues. They need validated PoCs to prioritize real risks and reduce false positives (site; research).
  • Large enterprises and compliance-focused security teams: They must keep code and security data private and meet audit requirements. They need self-hosting, SSO/RBAC, audit logs, and custom integrations to satisfy internal controls (site).
  • Open-source maintainers and community security volunteers: They have limited bandwidth for triage. They need automated, responsible findings with PoCs and help producing fixes, not noisy reports (research).
  • DevOps and CI owners: Security checks can be slow or noisy and block merges. They want lightweight automated checks that surface only exploitable, prioritized issues in the PR flow and support safe fix automation (site).

How would they acquire their first 10, 50, and 100 customers

  • First 10: Direct outreach to developer-led startups and OSS maintainers with a low-friction install of the free tier and PR bot so validated findings show up in existing workflows within days; reference public CVEs to build trust (site; research).
  • First 50: Tighten the product-led funnel (easy GitHub/CI install, clear onboarding, short Pro trial) and run targeted outreach to small/mid SaaS and DevOps owners; publish short case studies and demos showing PoCs and fixes to reduce adoption risk (site).
  • First 100: Offer paid pilots for mid-market and early enterprise with self-host/SSO/RBAC and API integrations to clear procurement; use pilot outcomes as case studies while a small sales team and consulting partners help close larger deals (site; research).

What is the rough total addressable market

Top-down context:

The developer-facing application security market that includes SAST/DAST and related tooling is commonly estimated in the ~$4–9B range today and growing, with broader DevSecOps/security testing forecast to reach tens of billions over the next few years (Statista; Grand View Research; MarketsandMarkets).

Bottom-up calculation:

At the public Pro price of $99/month ($1,188/year), ~842 Pro customers imply ~$1M ARR; ~8,418 imply ~$10M; ~84,176 imply ~$100M, excluding Enterprise revenue (pricing).

Assumptions:

  • Uses public Pro pricing ($99/month) as a proxy for average revenue per paying Pro account.
  • Ignores Enterprise deals, seat variability, discounts, and churn (so the estimate is conservative where larger customers pay more than the Pro rate).
  • Assumes steady per-account pricing without usage-based overages.

Who are some of their notable competitors

  • Snyk: Developer-focused platform bundling code scanning (SAST), dependency scanning (SCA), and CI/IDE/PR integrations so issues and fixes appear in developer workflows (docs).
  • Semgrep: Open-source rule-based scanner and commercial AppSec platform emphasizing fast PR checks, editable rules, and AI-assisted triage/autofix to cut noise (site).
  • GitHub Advanced Security / CodeQL: Semantic query engine integrated with GitHub that finds complex code patterns and shows results and autofix suggestions directly in pull requests (docs).
  • Contrast Security: IAST/runtime instrumentation to detect exploitable issues and attacks from inside running applications, often used for higher-fidelity, low-noise findings (platform).
  • Veracode: Enterprise AppSec platform (SAST, SCA, DAST) with managed scanning, binary analysis, and centralized reporting for compliance-heavy organizations (product).