Kodem Security Inc., a company that focuses on application security, today launched with $25 million in funding to expand its platform globally that works by using runtime intelligence to determine if applications are vulnerable and warn security teams.

The funding comes from two separate rounds, including $18 million in a Series A led by Greylock and $7 million co-led by Greylock and TPY Capital and Greylock.

According to the company, the current software supply chain is filled with vulnerabilities and this can be extremely problematic for security across both development and operations because every package pulled in can generate issues. Traditional scanning techniques for applications are therefore “noisy” meaning that traditional security posture alerts on every vulnerability scanned no matter if it’s exploitable or not.

“We started Kodem in response to the inefficiency of the application security process. With traditional tools, it’s difficult for developers to see whether vulnerabilities are exploitable,” said Aviv Mussinger, chief executive and co-founder of Kodem. “After years of researching the problem, we found that the key to clarifying actual risk is to observe application behavior during runtime.”

By using specialized intelligence into running applications, Kodem’s platform can understand the context of what’s in use, Mussinger explained. This lowers the total alerts down to exactly what’s exploitable. It does this by watching data moving within and between applications and the risk that’s created.

By understanding application behavior in runtime, Kodem can help identify exploitable vulnerabilities and reduce false positives and highlight critical risks. As a result, development and operations can zero in on critical vulnerabilities that will affect them now and fix them as quickly as possible and reduce the total noise, Kodem contends.

“Based on testing we have done with customers and prospects, we have found that over 90% of the alerts these traditional tools generate are just false positives,” said Mussinger. “That’s 90% percent of the application security team’s time, energy, money, and resources wasted.”

According to the company, its early testing revealed that just over 10% of customer code is used in runtime and that less than 5% of runtime code was actually vulnerable – although that would probably differ depending on the customer in question.

The platform itself provides what it calls “full coverage” for discovered vulnerabilities from code tracking to the cloud, which provides a narrative for remediating the issue. Once a problem is alerted on, security and development teams can quickly discover the package that is vulnerable, and determine how and who needs to fix the code by integrating their favorite tools.

The company’s name itself “Kodem” is a Hebrew word meaning “first” or “early.” Mussinger said that the company hopes to provide software teams with clear visibility to prioritize their security and fix exploitable vulnerabilities early.

Image: Goldcastle7/Getty images