How Gecko Discovered 30 0-Day Vulnerabilities No AppSec Tool Found

Previously, there were entire classes of business logic and multi-step vulnerabilities that have long been invisible to SAST. Today, that changes.

Jeevan Jutla
7/31/2025

Application Security is Collapsing

Modern development has outpaced traditional SAST. Software is more complex and more distributed, and increasingly generated by AI, while SAST tools remain limited to pattern-based scanning, so teams fall behind. Anyone who has run a SAST tool knows the pattern: a high false-positive rate alongside entire missed vulnerability classes such as AuthN/AuthZ bypasses and privilege escalations. For many security teams the problem is all too familiar. Every day, defenders spend hours tuning brittle rules and manually reviewing false positives, and still miss the vulnerabilities that actually matter. That wasted effort is not just a headache; it translates directly into delayed releases, overtime costs, and the risk of compliance fines when critical flaws slip through.

This limitation is architectural. SAST tools parse code into a simplified model such as an AST or call graph, which loses context in dynamically typed languages and across microservice boundaries, and which can only resolve basic call chains. Detection then relies on pattern matching with regex or YAML rules. That works for technical classes with recognisable shapes (XSS, SQLi) but not for logic flaws that follow no well-known pattern and require a long sequence of dependent operations to reach an exploitable state.

Taking on an industry problem

Our team at Gecko saw these limitations throughout our careers in national intelligence and military cyber forces, where we built automated tooling to defend critical infrastructure. We realised that LLMs, with the right architecture, could finally solve them.

To achieve this, we first had to solve the code parsing problem. Our solution was a custom, compiler-accurate indexer that navigates code the way an IDE does. It builds on the LSIF approach: language-specific tools parse and type-check the code and record each symbol's position, definition and references, preserving the semantic relationships and context that traditional tools lose. This gives us an accurate picture of how an application actually works and lets us reason across a full-stack architecture, tying application code, infrastructure code and documentation together.

Vulnerabilities are contextual: what is exploitable depends entirely on each application's security model. With this foundation in place, we realised that accurate detection requires understanding what is supposed to be protected and why breaking it matters. This meant embedding threat modeling directly into the analysis rather than treating it as an afterthought. We perform threat modeling directly on your codebase. Rather than looking for known vulnerability patterns, we analyse the application's business logic, data flows and security boundaries to identify attack scenarios specific to your code. Each scenario is then systematically validated to determine whether it represents a real, exploitable vulnerability.

For readers interested in the 30+ CVEs found in OSS projects such as Ollama, Gradio and Ragflow using this approach, see the list here.

Artificial Intelligence vs Actual Intelligence

In just 8 months Gecko has gone from its first line of code to surfacing over 30 previously unknown 0-day vulnerabilities that pattern-matching tools could not find. One example is CVE-2025-51479 in ONYX (an OSS enterprise search platform), where Curators could modify any user group rather than only the groups assigned to them. The user-group API accepted a user parameter that should have driven a permission check but never used it. Gecko inferred that the developers intended to restrict Curator access, because both the UI and similar API functions validated that permission; this established "curators have limited scope" as a security invariant that this particular endpoint violated. Traditional SAST cannot detect this. A rule that flags unused user parameters would drown you in false positives, since many functions legitimately keep unused parameters. More importantly, the finding requires knowing which functions handle authorization, understanding ONYX's Curator permission model, and recognising the validation pattern across multiple files: contextual reasoning that SAST simply cannot do.
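The following is an added example, not code from ONYX or from Gecko, that models the Curator-scope flaw described above: a handler that accepts `user` but never consults it, the hardened handler that enforces the "curators have limited scope" invariant, and a naive AST rule that flags functions with an unused `user` parameter, to show why such a rule produces false positives without the context discussed in the earlier SAST paragraph. The role names, group data, `db` calls in the sample source and all function names are assumptions.

```python
"""Added example (not ONYX's or Gecko's code): minimal model of a Curator
permission flaw, its hardened form, and a naive 'unused user parameter' rule.
Role names, group ids and function names are assumptions for illustration."""
import ast
from dataclasses import dataclass, field

ADMIN, CURATOR = "admin", "curator"


@dataclass
class User:
    name: str
    role: str
    curated_group_ids: set[int] = field(default_factory=set)


# Constructed sample data: two groups, each assigned to a different Curator.
GROUPS = {1: {"name": "finance"}, 2: {"name": "legal"}}


def update_user_group_vulnerable(group_id: int, new_name: str, user: User) -> dict:
    """Vulnerable shape: `user` is accepted but never consulted, so a Curator
    of group 1 can rename group 2 just as easily as an admin can."""
    GROUPS[group_id]["name"] = new_name
    return GROUPS[group_id]


def update_user_group_fixed(group_id: int, new_name: str, user: User) -> dict:
    """Hardened shape: admins may edit any group; Curators only groups assigned
    to them; everyone else is refused before any write happens."""
    if user.role == ADMIN:
        pass
    elif user.role == CURATOR and group_id in user.curated_group_ids:
        pass
    else:
        raise PermissionError(f"{user.name} may not modify group {group_id}")
    GROUPS[group_id]["name"] = new_name
    return GROUPS[group_id]


def curator_can_rename_other_group(handler) -> bool:
    """Does a Curator of group 1 succeed in renaming group 2 via `handler`?"""
    bob = User("bob", CURATOR, {1})
    try:
        handler(2, "renamed-by-bob", bob)
        return True
    except PermissionError:
        return False


# Constructed source for the naive rule. `list_public_docs` keeps `user` only
# to match a router signature, so a rule keyed on 'unused user' flags it too.
SAMPLE_SOURCE = '''
def update_user_group(group_id, payload, user):
    db.update_group(group_id, payload)

def list_public_docs(user):
    # signature fixed by the router; endpoint is intentionally public
    return db.public_docs()

def update_user_group_checked(group_id, payload, user):
    if group_id not in user.curated_group_ids:
        raise PermissionError("out of scope")
    db.update_group(group_id, payload)
'''


def unused_user_param_rule(source: str) -> list[str]:
    """Naive SAST-style rule: names of functions that take `user` but never
    read it. Correct on the vulnerable function, wrong on the public one."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        if "user" not in [a.arg for a in node.args.args]:
            continue
        used = any(isinstance(n, ast.Name) and n.id == "user" for n in ast.walk(node))
        if not used:
            flagged.append(node.name)
    return flagged


if __name__ == "__main__":
    print("vulnerable lets bob rename 'legal':",
          curator_can_rename_other_group(update_user_group_vulnerable))
    print("fixed lets bob rename 'legal':",
          curator_can_rename_other_group(update_user_group_fixed))
    print("naive rule flags:", unused_user_param_rule(SAMPLE_SOURCE))
```

The naive rule flags both `update_user_group` (a true positive) and `list_public_docs` (a false positive), and nothing in the rule can tell them apart: distinguishing them requires knowing that the first endpoint mutates a resource other Curator-facing endpoints guard, which is the cross-file context the paragraph above describes.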

It’s an approach that our early customers, Fortune 500 companies and startups alike, are excited about, because it addresses pain points they have not been able to solve with other solutions: streamlining their triage flow and eliminating endless false positives.

Security teams report 50% fewer false positives while discovering vulnerabilities that previously only showed up in manual penetration tests, giving them deeper insight into their code's security posture than traditional tools provide.

Our Team

CEO and Co-founder, Jeevan Jutla began his career protecting the UK’s national infrastructure as a teenager, working with the Intelligence Service and building automated tooling to defend critical systems. He also worked at Binance in China leading security tool development for the Red Team.

CTO and Co-founder, Artemiy served in the Austrian Cyberforces and built threat intelligence platforms used by Interpol and national governments. An Imperial College London scholar, he has spent his career developing systems that detect and respond to complex cyber threats.

Gecko has an ambitious mission, and we understand the stakes are high. To fuel it, we partnered with top-tier Silicon Valley investors to raise our Seed funding, backed by Y Combinator, Liquid 2, Rebel Fund, Garage VC, Chris Howard (Ritual Capital), EWOR, and Z Fellows.

There is an opportunity to restart: to give AppSec the independence it needs to enable the business so it can innovate, to stop relying on the insufficient tooling that exists today, and to address the problem from a different angle.

Advice for Security Leaders

When evaluating security tools, ask:

  1. Can it explain why a finding matters in your environment?
  2. Does it detect complex business logic vulnerabilities such as IDOR, AuthN/AuthZ bypass, or privilege escalation?
  3. Can it scale across teams and automate triage from detection through remediation?

Questions like these aren't solved by reading feature lists alone. See what Gecko can uncover in your code, or schedule a customized demo.

Come and meet the Gecko team at BlackHat and DEFCON 33 in Las Vegas.