Veria Labs

Continuous AI pentesting that finds and fixes vulnerabilities

Fall 2025 · active · 2025 · Website
Security, AI

Report from 27 days ago

What do they actually do

Veria Labs makes a security tool that plugs into code repositories and CI/CD systems to run continuous offensive-style checks as part of normal developer workflows. It runs on pull requests and builds, generates exploit proof-of-concepts for suspected issues, verifies those proof-of-concepts against a staging environment to reduce false positives, and suggests patches that developers can apply directly (verialabs.com).

The team also publishes offensive security research and responsible disclosures, indicating active capability beyond static scanning—for example, their write‑up on RCE vectors in developer AI tools and a related GitHub advisory that names a Veria researcher (blog post, GitHub advisory).

Who are their target customer(s)

  • Developers working on pull requests and feature branches: They spend time triaging noisy or vague alerts and waiting for external pentests; they need PR/CI checks that surface verified, fixable issues with patches instead of noise (verialabs.com).
  • AppSec/security engineers who own vulnerability triage and prioritization: Manual, periodic pentests and long validation cycles let issues slip; they need continuous findings with exploit PoCs to reduce manual investigation and speed risk decisions (blog post).
  • DevOps/CI owners responsible for staging and deployments: Static scans don’t prove exploitability in staging; they want safe exploit runs against staging that can fail builds on truly risky changes (verialabs.com).
  • Small engineering teams and startups: They can’t afford frequent human red teams and need automated, continuous testing in their repos so vulnerabilities are caught during development (verialabs.com, YC profile).
  • Security/compliance managers at larger organizations: They require audit trails, role controls, reporting, and SLAs to approve new tools and to consider shifting spend from periodic pentests to continuous testing.

How would they acquire their first 10, 50, and 100 customers

  • First 10: Offer targeted, no‑cost pilots to YC/startup networks and small teams, integrating into their repos/CI to demonstrate verified PoCs and developer‑ready fixes; convert pilots into case studies and testimonials (verialabs.com, blog post, GitHub advisory).
  • First 50: Lean on product‑led motion: simple repo/CI installation (status checks on PRs/CI) and clear ROI stories showing PoC → patch; keep inbound interest warm with research‑based demos and tutorials (verialabs.com, blog post).
  • First 100: Layer in a sales + channel motion for mid‑market: run paid pilots with SLAs/compliance, add enterprise reporting/roles, and partner with pentest firms/MSSPs and CI/CD vendors; use public research and talks to build credibility (verialabs.com, YC profile).

What is the rough total addressable market

Top-down context:

Relevant 2024 markets total roughly USD 12.1B: application security at about USD 10.4B (IMARC) plus penetration testing at about USD 1.7B (MarketsandMarkets). Both are growing at double-digit rates.

Bottom-up calculation:

At USD 15k–40k ACV per engineering org, adoption across 100k–250k organizations that run CI/CD implies roughly USD 1.5B–10B of addressable spend (100k × USD 15k at the low end, 250k × USD 40k at the high end). Those organizations are a subset of the tens of millions of developers and their teams worldwide (JetBrains developer population).

Assumptions:

  • Typical ACV ranges from USD 15k–40k depending on size, scope, and enterprise features.
  • 100k–250k global engineering orgs run CI/CD and buy developer‑integrated security.
  • Budgets can shift from periodic pentests and legacy scanners to continuous, exploit‑verified testing.

Who are some of their notable competitors

  • GitHub Advanced Security: Built‑in GitHub code and dependency scanning that runs on PRs/CI; primarily static analysis and dependency alerts, not exploit generation/verified PoCs (docs).
  • Snyk: Developer‑first platform for code, open‑source, and IaC scanning with PR/CI integrations and remediation guidance; focuses on finding/prioritizing issues rather than running active exploits against staging (PR checks, CI/CD integrations).
  • Detectify: Automated external web‑app scanner that probes internet‑facing assets with payload‑based tests; oriented to live surface monitoring, not repo/PR‑integrated exploit generation or code patches (product, docs).
  • Pentera: Automated security validation/continuous pentesting for environments (networks, cloud, endpoints); closest to verification but typically infra‑level rather than always‑on, repo‑integrated checks (platform).
  • Cobalt (PTaaS): Pentest‑as‑a‑service platform pairing human testers with tooling for continuous programs and remediation tracking; delivers verified PoCs but is human‑led/periodic rather than autonomous inside PRs.