What do they actually do
ZeroPath sells a developer-focused application security platform that runs static code analysis, dependency scanning, secrets and IaC checks, plus a policy engine, PR reviews, and an autofix/patching flow. It’s offered as hosted SaaS with on‑prem/private‑cloud options and integrates directly into Git workflows and CI/CD pipelines (product page; docs).
Teams connect repositories via GitHub/GitLab/Bitbucket or the CLI. ZeroPath builds code graphs/ASTs to understand applications, endpoints, and data flows, then identifies issues, validates exploitability/reachability, prioritizes results, and for many items generates a patch and opens a PR. PR scans are designed to be fast (ZeroPath cites sub‑60s) so checks can run pre‑merge. Findings can be surfaced in the dashboard, Slack, Jira/Linear, via API/CLI, and through a read‑only MCP server for IDE/chat tools (Quick Start; How it works; v1 post; MCP server).
They report use by hundreds of organizations and 125k+ monthly scans (the v1 post lists 750+ companies and 125k+ scans/month). Enterprise controls include SSO/SAML, SOC 2 and GDPR controls, RBAC, and multi‑tenant/MSSP features like workspace isolation and reporting (v1 post; pricing/docs; MSSP page).
Who are their target customer(s)
- Early-stage engineering teams without a dedicated security hire: They need code and dependency scanning that plugs into Git/CI, runs quickly on PRs, and produces fix PRs so developers don’t context‑switch or hand‑patch issues. ZeroPath supports Git integrations, fast PR checks, and auto‑generated patch PRs (Quick Start; How it works).
- Mid-size product teams managing many repos: They’re overwhelmed by noisy alerts and want validated, prioritized findings with automated remediation. ZeroPath emphasizes exploitability validation, prioritization, and autofix PRs to reduce manual triage (v1 post; How it works).
- Internal AppSec/security teams at larger companies: They need low false positives, proof of exploitability, and enterprise controls (SSO, RBAC, compliance) to delegate fixes and satisfy audits. ZeroPath documents exploitability analysis and lists SSO/SOC 2 and tenant controls (How it works; pricing/docs).
- Managed security service providers (MSSPs) and consultancies: They must operate across many clients with tenant isolation, white‑labeling, and multi‑tenant reporting. ZeroPath advertises MSSP features and workspace/tenant controls (MSSP page).
- Platform/DevOps teams owning CI/CD and developer experience: They want non‑blocking, fast checks and results inside developer tools (IDE/chat) to avoid context switching. ZeroPath highlights fast PR checks, CI integrations, and a read‑only MCP server for IDE/chat workflows (v1 post; MCP server).
How would they acquire their first 10, 50, and 100 customers
- First 10: Target YC/startup communities and dev Slack groups with hands‑on pilots: connect a few repos, run PR scans, and open a fix PR to show validated exploitability and autofix value immediately (Quick Start; How it works; v1 post).
- First 50: Convert inbound via self‑serve trials and marketplace listings, supported by technical content (how‑tos, webinars, case studies) proving low noise and prioritization; tie onboarding to Slack/Jira/Linear so teams can accept fixes in‑flow (docs; How it works).
- First 100: Layer direct enterprise/MSSP sales with pilot POVs, security/compliance proof (SSO/RBAC, SOC 2), multi‑tenant features, and procurement‑ready contracts; build MSSP/channel partnerships and surface IDE/chat integrations (MCP) to embed ZeroPath in partner offerings (pricing; MSSP page; MCP server).
What is the rough total addressable market
Top-down context:
Using a scope aligned to developer‑embedded AppSec/DevSecOps, Grand View Research estimates DevSecOps at about USD 8.84B in 2024, while broader definitions of “application security” from MarketsandMarkets cite ~USD 33.7B in 2024 (GVR DevSecOps report; MarketsandMarkets AppSec report).
Bottom-up calculation:
Approximate global developer population is ~20.8M; assuming an average team size of ~6 yields ~3.5M engineering teams. At ZeroPath’s published Core price of $200/month ($2.4k/year), a 0.1% penetration of those teams would be ≈3,500 customers and ~$8.3M ARR (JetBrains Data Playground; Atlassian on small agile teams of 5–7; ZeroPath pricing).
Assumptions:
- Focus is on developer‑embedded, CI/PR‑first AppSec (SAM aligned to DevSecOps).
- Average small‑team size ≈6 developers (agile teams commonly 5–7).
- Self‑serve Core pricing ($200/mo) applies to SMB/small teams; penetration rates are illustrative.
Who are some of their notable competitors
- Snyk: Developer‑focused SCA and SAST (Snyk Code) with automated fix PRs for vulnerable dependencies and some code issues. Overlaps on Git/CI integration and auto‑PR remediation; Snyk’s strongest documented surface is dependency fixes plus SAST coverage (Snyk Fix PRs; Snyk Code).
- GitHub Advanced Security (CodeQL + Dependabot): Native to GitHub. Dependabot opens dependency update PRs; CodeQL provides code scanning in GitHub workflows. Common default for teams on GitHub; ZeroPath differentiates on exploitability validation and broader autofix PR flow (Dependabot; Code scanning).
- Semgrep: Fast, rule‑based code scanning with customizable rules and autofix/PR comments; lightweight and developer‑friendly, but typically requires rule writing and doesn’t market automatic exploitability validation like ZeroPath does (Semgrep Autofix; PR comments).
- Qwiet AI (ShiftLeft origin): Known for graph‑based “attacker reachability” to reduce noise by focusing on exploitable paths, directly comparable to ZeroPath’s exploitability emphasis; historically positioned more on deep app‑graph analysis than on auto‑patch PRs (ShiftLeft reachability; Qwiet article).
- Checkmarx: Enterprise SAST platform with broad language coverage, governance, on‑prem and cloud options; aimed at large orgs needing scale and reporting—contrasts with ZeroPath’s Git/PR‑first workflow and automated fix PR focus (SAST platform).