
How Gecko Discovered 30 0-Day Vulnerabilities No AppSec Tool Found

Previously, there were entire classes of business logic and multi-step vulnerabilities that have long been invisible to SAST. Today, that changes.

Jeevan Jutla
5 minute read
7/31/2025

Application Security is Collapsing

Modern development has outpaced traditional SAST capabilities. As software becomes more complex, distributed, and increasingly generated by AI, our current static analysis solutions are limited to pattern-based scanning, forcing teams to fall behind. They produce noise instead of results, miss critical business-specific vulnerabilities, and struggle to adapt to the architecture of the systems they're supposed to protect.

For many security teams, the challenges are all too familiar. Teams need to understand the code their business produces in order to protect it, but are forced to rely on a patchwork of tools that cannot deliver that understanding. Every day, defenders waste hours tuning brittle rules and manually reviewing false positives, only to still miss the vulnerabilities that actually matter. This wasted effort isn't just a headache; it translates directly into delayed releases, overtime costs, and the risk of compliance fines when critical flaws slip through.

There is an opportunity to restart: to give AppSec the independence it needs to enable the business so it can innovate, to stop relying on the insufficient tooling that exists today, and to address the problem from a different angle.

Taking on an industry problem

Legacy SAST tools face two core limitations. They parse code into overly simplified representations like ASTs and call graphs, which lose important context, especially across complex architectures. And they detect vulnerabilities by pattern matching against predefined rules, which works for common issues like XSS and SQLi but completely misses the business logic flaws unique to each application, because finding those requires tracking sequences of operations and understanding business context.

Gecko takes a fundamentally different approach. We built a compiler-accurate indexer that understands code the way a developer's IDE does, preserving the semantic relationships and context that traditional tools lose. This gives us an accurate picture of how your application actually works and lets us reason across full-stack architectures that tie infrastructure code and documentation together.

With this foundation, we perform threat modeling directly on your codebase. Rather than looking for known vulnerability patterns, we analyze your application's business logic, data flows, and security boundaries to identify potential attack scenarios specific to your code. Each scenario is systematically validated to determine if it represents a real, exploitable vulnerability.
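To make the distinction above concrete, here is an added example (not Gecko's code, and not from the original post) of the kind of business logic flaw the post is talking about: an insecure direct object reference, one of the vulnerability classes named later in this post. The invoice store, the user ids, and the three sink rules standing in for a pattern-based SAST rule set are all constructed for the example. The point it shows is that the vulnerable function contains no dangerous call for a sink rule to match; the defect is a missing ownership check, which only becomes visible when you reason about who is calling and what they should be allowed to reach.

```python
import inspect
import re
from dataclasses import dataclass

# --- Constructed sample data (not from any real system) ---------------------

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int

# Two invoices belonging to two different users (hypothetical ids).
INVOICES = {
    1: Invoice(invoice_id=1, owner_id=100, amount_cents=12_000),
    2: Invoice(invoice_id=2, owner_id=200, amount_cents=45_000),
}


class AccessDenied(Exception):
    """Raised when the caller is not allowed to see the requested object."""


# --- The business-logic flaw and its fix ------------------------------------

def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the record is fetched by id alone, so any authenticated user
    can read any other user's invoice. No dangerous sink is involved;
    the bug is an absent ownership check, which a sink rule has nothing
    to match on."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Same lookup with the authorization decision tied to the caller.
    Missing and foreign invoices are handled identically so the response
    does not reveal whether the id exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise AccessDenied(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice


# --- A minimal stand-in for a pattern-based SAST rule set -------------------

# Hypothetical sink rules of the kind pattern matchers use for SQLi/RCE/XSS.
SINK_RULES = [
    ("sql-sink", re.compile(r"\.execute\(\s*['\"].*?['\"]\s*[+%]")),
    ("eval-sink", re.compile(r"\beval\(")),
    ("html-sink", re.compile(r"innerHTML\s*=")),
]


def pattern_scan(source: str) -> list:
    """Return the names of every sink rule that matches the given source."""
    return [name for name, rx in SINK_RULES if rx.search(source)]


def scan_function(fn) -> list:
    """Run the rule set over a function's own source text."""
    return pattern_scan(inspect.getsource(fn))


def demonstrate() -> dict:
    """Contrast what the sink rules see with what a scenario-based check
    (user 100 requesting user 200's invoice) actually reveals."""
    try:
        get_invoice_hardened(100, 2)
        hardened_leaks = True
    except AccessDenied:
        hardened_leaks = False
    return {
        "rule_hits_vulnerable": scan_function(get_invoice_vulnerable),
        "rule_hits_hardened": scan_function(get_invoice_hardened),
        "vulnerable_leaks": get_invoice_vulnerable(100, 2).owner_id != 100,
        "hardened_leaks": hardened_leaks,
    }


if __name__ == "__main__":
    print(demonstrate())
```

Running the block shows the rule set reporting nothing for either version of the function, while the scenario check reports that the vulnerable lookup hands user 100 an invoice owned by user 200 and the hardened one refuses. The hardened version deliberately treats a missing id and a foreign id the same way so that the error response does not double as an enumeration oracle.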

For readers interested in the technical details and vulnerabilities found, read our breakdown here.

Artificial Intelligence vs Actual Intelligence

In just 8 months, Gecko has gone from its first line of code to surfacing over 30 previously unknown 0-day vulnerabilities that could not be found with pattern matching tools.

It's an approach that our early customers, Fortune 500 companies and startups alike, are excited about, because it addresses key pain points, like streamlining their triage flow and eliminating endless false positives, that they haven't been able to solve with other solutions.

Security teams report 50% fewer false positives while discovering vulnerabilities that previously only showed up in manual penetration tests, giving them deeper insight into their code's security posture than traditional tools provide.

Our Team

CEO and Co-founder Jeevan Jutla began his career protecting the UK's national infrastructure as a teenager, working with the Intelligence Service and building automated tooling to defend critical systems. He also worked at Binance in China leading security tool development for the Red Team.

CTO and Co-founder Artemiy served in the Austrian Cyberforces and built threat intelligence platforms used by Interpol and national governments. A scholar of Imperial College London, he's spent his career developing systems that detect and respond to complex cyber threats.

Gecko has an ambitious mission, and we understand the stakes are high. To fuel it, we partnered with top-tier investors out of Silicon Valley to raise our Seed funding, backed by Y Combinator, Liquid 2, Rebel Fund, Garage VC, Chris Howard (Ritual Capital), EWOR, and Z Fellows.

Advice for Security Leaders

When evaluating security tools, ask:

  1. Can it explain why a finding matters in your environment?
  2. Does it detect complex business logic vulnerabilities like IDOR, AuthN/AuthZ bypass, or privilege escalation?
  3. Can it scale across teams and automate triage across both detection and remediation?

Questions like these aren't solved by reading feature lists alone. See what Gecko can uncover in your code, or schedule a customised demo.

Come and meet the Gecko team at Black Hat and DEFCON 33 in Las Vegas.