UPDATED 08:00 EDT / APRIL 23 2025

Socket acquires Coana to enhance static analysis and reachability in software composition analysis

Supply chain security startup Socket Inc. announced today that it has acquired cloud-based automated code review software startup Coana ApS for an undisclosed sum.

Founded in 2021, Coana is a Danish cybersecurity startup specializing in advanced static analysis and “reachability assessment” for software vulnerabilities. Established by Professor Anders Møller and Ph.D.s Benjamin Barslev and Martin Torp from Aarhus University, Coana was later joined by entrepreneur Anders Søndergaard as chief executive in 2022. The company emerged from academic research focused on securing open-source software applications.

Coana’s offerings include reachability analysis, a method that determines whether identified vulnerabilities in code dependencies are actually exploitable within a specific application. The approach involves constructing detailed call graphs through static control-flow analysis to identify which parts of the code are reachable and which are not, allowing developers to focus on genuine threats.
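The idea described above, as an added example that is not Coana's or Socket's code: build a call graph from source and check whether an advisory's affected function can be reached from the application's entry point. The `app` and `yamlish` modules and the advisory targets are constructed for illustration, and calls are resolved by name only, so dynamic dispatch and aliased imports are outside this sketch.

```python
import ast
from collections import deque

# Constructed sample: a hypothetical app and a hypothetical dependency "yamlish".
SOURCES = {
    "app": """
import yamlish
def main(): return handle("a: 1")
def handle(body): return yamlish.safe_parse(body)
def legacy_import(text): return yamlish.unsafe_load(text)  # never called from main
""",
    "yamlish": """
def safe_parse(text): return _tokenize(text)
def unsafe_load(text): return text
def _tokenize(text): return text.split(":")
""",
}

def build_call_graph(sources):
    """Map 'module.function' to the set of functions it calls (name-based resolution)."""
    graph = {}
    for mod, src in sources.items():
        for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
            callees = graph.setdefault(f"{mod}.{fn.name}", set())
            for f in (n.func for n in ast.walk(fn) if isinstance(n, ast.Call)):
                if isinstance(f, ast.Name):          # same-module call: helper()
                    callees.add(f"{mod}.{f.id}")
                elif isinstance(f, ast.Attribute) and getattr(f.value, "id", None) in sources:
                    callees.add(f"{f.value.id}.{f.attr}")   # cross-module call: dep.func()
    return graph

def find_path(graph, entry, target):  # breadth-first: shortest call chain, or None
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def triage(sources, entry, advisories):
    graph = build_call_graph(sources)
    return {vuln: find_path(graph, entry, vuln) for vuln in advisories}
# Constructed advisories naming the affected functions in the dependency.
print(triage(SOURCES, "app.main", ["yamlish._tokenize", "yamlish.unsafe_load"]))
```

The finding on `yamlish._tokenize` comes back with a full call chain from `app.main`, while `yamlish.unsafe_load` is reported as unreachable because its only caller is dead code.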

The startup says its methodology significantly reduces false positives, by over 80% compared with traditional software composition analysis tools, filtering out irrelevant alerts so that security teams can prioritize and remediate critical vulnerabilities more efficiently.

The technology can be easily integrated into existing development workflows and works on-premise without the need for complex configurations, according to the company. The service supports various programming languages, including JavaScript, Python, and JVM languages like Java and Kotlin.

Coana will bring powerful static control flow and call graph analysis to Socket’s platform, allowing teams to prioritize vulnerabilities based on whether they’re actually exploitable in a given codebase.

“For every team buried under thousands of vulnerability alerts, Coana’s reachability analysis offers a better way forward,” said Socket founder and Chief Executive Feross Aboukhadijeh. “They’ve built the most scalable and accurate reachability engine we’ve seen and we’re excited to bring it into Socket to give developers precise, actionable vulnerability insights — without the noise.”

As part of the deal, Coana’s team is also joining Socket. “Joining Socket means we can scale our impact immediately,” said Coana CEO Søndergaard. “Together, we’ll help organizations drastically reduce their vulnerability management burden.”

Coming into its acquisition, Coana had raised a single round of $1.6 million from Sequoia Capital Operations, Essence Venture Capital and a number of individual investors.

Socket is also a venture capital-backed company that has raised $65 million in funding across three rounds, including a round of $40 million in October. Investors in the company include a16z, Abstract Ventures, Unusual Ventures, WndrCo Holdings and various individual investors, notable among them Sierra Technologies Inc. co-founder and OpenAI Chairman Bret Taylor, Phil Venables from Google LLC and Scott Johnston from Docker Inc.
