What do they actually do
Winfunc, branded as Asterisk, runs an automated “hacking agent” that scans a team’s codebase and related assets, then produces reproducible exploit proofs of concept (PoCs) and suggested fixes. It can open remediation pull requests so engineers can patch issues directly in their normal workflows (homepage/features | YC listing with demo reports).
Teams connect their repositories, Asterisk performs a deep audit, and findings arrive with context like sink‑to‑source traces, business‑logic impact, and executable PoCs. The system combines tree‑sitter queries, language servers (LSP), and LLM analysis to understand code across languages, and it supports continuous scanning of new commits with automated PRs for fixes (homepage/features/FAQ). A practical differentiator is the focus on a small set of validated, exploitable bugs rather than long alert lists; the company positions this as aiming for “zero false positives” by generating working PoCs and formal checks (features).
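As an added illustration of what a “sink‑to‑source trace” finding looks like (this is not Asterisk’s code and makes no claim about how its engine works), the following is a minimal intra‑procedural tracer over Python’s standard `ast` module. The source and sink lists, and the sample handler code it analyzes, are constructed for the example; a real engine would add inter‑procedural reasoning, sanitizer awareness, and PoC validation on top of this shape.

```python
"""Minimal intra-procedural sink-to-source tracer built on Python's `ast`.

Added illustration only (not Asterisk's code): it reports a dangerous call
(sink) whose argument is data-flow-reachable from untrusted input (source),
together with the chain of assignments in between.
"""
import ast

# Hypothetical source/sink lists chosen for the illustration.
SOURCE_CALLS = {"request.args.get", "request.form.get", "input"}
SINK_CALLS = {"os.system", "subprocess.call", "cursor.execute", "eval"}

# Constructed sample input: two small request handlers, one clean call.
SAMPLE = '''
import os
import subprocess

def run_report(request, cursor):
    name = request.args.get("name")
    cmd = "ls /reports/" + name
    os.system(cmd)
    safe = "ls /reports/default"
    os.system(safe)

def lookup(request, cursor):
    uid = request.form.get("id")
    sql = f"SELECT * FROM users WHERE id = {uid}"
    rows = cursor.execute(sql)
    return rows
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    """All variable names read anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def statements(body):
    """Yield statements in source order, descending into if/for/try blocks
    but not into nested function or class definitions."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements(inner)
        for handler in getattr(stmt, "handlers", []):
            yield from statements(handler.body)


def trace_function(func):
    """Return findings for one function as dicts with sink, source, line, trace."""
    taint = {}      # var -> (source name, list of trace lines reaching it)
    findings = []
    for stmt in statements(func.body):
        # 1. Does this statement call a sink with a tainted argument?
        for call in ast.walk(stmt):
            if isinstance(call, ast.Call) and dotted_name(call.func) in SINK_CALLS:
                args = list(call.args) + [kw.value for kw in call.keywords]
                tainted = [v for a in args for v in names_in(a) if v in taint]
                if tainted:
                    src, chain = taint[tainted[0]]
                    sink = dotted_name(call.func)
                    findings.append({
                        "sink": sink, "source": src, "line": stmt.lineno,
                        "trace": chain + [f"line {stmt.lineno}: {sink}({tainted[0]})"],
                    })
        # 2. Update taint state for simple single-target assignments.
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            target, value = stmt.targets[0].id, stmt.value
            if isinstance(value, ast.Call) and dotted_name(value.func) in SOURCE_CALLS:
                src = dotted_name(value.func)
                taint[target] = (src, [f"line {stmt.lineno}: {target} = {src}(...)"])
                continue
            tainted = [v for v in names_in(value) if v in taint]
            if tainted:  # propagation through concat, f-strings, format, etc.
                src, chain = taint[tainted[0]]
                taint[target] = (src, chain + [f"line {stmt.lineno}: {target} derived from {tainted[0]}"])
            else:
                taint.pop(target, None)  # overwritten with clean data
    return findings


def analyze(source_code):
    """Parse a module and trace every function definition in it."""
    tree = ast.parse(source_code)
    return [f for node in ast.walk(tree)
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
            for f in trace_function(node)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"{finding['sink']} <- {finding['source']} (line {finding['line']})")
        for step in finding["trace"]:
            print("   ", step)
```

Run stand‑alone it reports two findings (the `os.system(cmd)` and `cursor.execute(sql)` calls) and stays silent on `os.system(safe)`, which is the behaviour the “validated, exploitable bugs rather than long alert lists” positioning is about: a finding is only emitted when a complete path from source to sink exists.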
Who are their target customer(s)
- Early-stage startup engineering teams without dedicated security: They need fast, concrete vulnerability findings that are reproducible and fixable without spending cycles triaging noisy alerts.
- Small in‑house security/AppSec teams: They’re stretched across many apps and need validated PoCs and ready-to-merge fixes they can hand to engineering instead of sifting through large volumes of tool output.
- Engineering managers and CTOs: They want to reduce developer time spent on security triage and prevent regressions with continuous checks that fit CI/PR workflows.
- DevOps/platform engineers: They need security tooling that plugs into CI/CD, reliably opens PRs, and scans commits without adding operational overhead.
- Security consultants and red‑teamers: They want to speed audits with reproducible PoCs and suggested patches to reduce back‑and‑forth and shorten remediation cycles.
How would they acquire their first 10, 50, and 100 customers
- First 10: Run high‑touch, white‑glove proof‑of‑concept pilots with YC network leads: connect to a live repo, deliver a validated exploit PoC, and open a remediation PR to prove value quickly (YC company page | site).
- First 50: Productize the pilot with a lightweight GitHub/CI integration and a one‑click demo audit, while doing targeted outreach to accelerators/VCs and security consultancies; use short technical walkthroughs of real demo reports to convert.
- First 100: Scale content (case studies, reproducible PoC writeups), sponsor focused dev/security events, run narrow paid campaigns to EM/DevOps buyers, and enable reseller/consultancy partnerships while hardening onboarding and docs for lower‑touch adoption.
What is the rough total addressable market
Top-down context:
Application security is a multi‑billion‑dollar market; 2024 estimates range roughly from ~$10.4B to ~$33.7B, with developer‑facing testing tools (SAST/DAST/IAST) representing a large, multi‑billion subset (IMARC | MarketsandMarkets | Mordor Intelligence).
Bottom-up calculation:
Using ~27M professional developers globally as an anchor, if there’s roughly one buying engineering org per 50 developers (~540k orgs), and 10% fall into the startup/SMB segment likely to buy a developer‑first security tool, that’s ~54k potential customers. At ~$20k–$40k ARPA, the SAM is roughly ~$1.1B–$2.2B (Evans Data 2024).
Assumptions:
- Average of ~50 developers per purchasing engineering org.
- ~10% of engineering orgs are in the startup/SMB segment and are likely buyers of developer‑first security tools.
- Average contract value of ~$20k–$40k per year for continuous scanning and remediation PRs.
Who are some of their notable competitors
- Snyk: Developer‑first SAST/SCA that scans code and dependencies and can open fix PRs; strong for known vulnerable libraries and many code patterns, but it’s not an autonomous exploit generator producing deterministic PoCs across a repo (Snyk Code | fix PRs).
- GitHub Advanced Security (CodeQL + Dependabot): GitHub’s code scanning (CodeQL) and dependency automation surface semantic findings and upgrade PRs; it’s a platform of analyzers and automation rather than an agent that autonomously crafts validated exploit chains (CodeQL | GHAS docs).
- Semgrep: Fast, rule‑based SAST with repo/CI/IDE integration and autofix/PR comments; excels at customizable pattern checks but relies on explicit rules versus autonomously finding multi‑step, verified exploit chains (overview | autofix).
- Contrast Security: IAST/runtime instrumentation that generates precise, traceable findings with developer‑friendly guidance; emphasizes runtime evidence and low false positives, but is instrumentation‑first rather than offline autonomous exploit generation (Contrast Assess | architecture).
- Mayhem (ForAllSecure): Autonomous fuzzing and symbolic execution that finds crashes and can synthesize PoCs; closest precedent to automated exploitation, though focused on binaries/fuzz testing versus repo‑wide, language‑agnostic source reasoning (Mayhem | IEEE writeup).