depthfirst Platform is an application security platform that uses multiple large language models (LLMs) running in parallel to analyze codebases and identify vulnerabilities. It builds a structural model of an application by mapping data flows, cross-service relationships, and dependency trees across repositories into a component graph. The platform operates across four stages: - Find: Reasons through application code to identify real attack paths, including business logic flaws and chained vulnerabilities that span multiple services. - Validate: Evaluates exploitation conditions and runs dynamic tests against the running application to confirm whether a vulnerability can actually be triggered. - Fix: Generates pull requests for confirmed vulnerabilities, written to match the existing codebase and coding conventions. - Verify: Replays the original attack after a fix is merged to confirm the vulnerability is no longer exploitable in the running application. Core capabilities include: - Code security: Traces business logic, data flows, and cross-service interactions to find vulnerabilities. - Supply chain security: Traces risk through dependency trees and surfaces only vulnerabilities with a real execution path. - Secrets detection: Detects and validates credentials across codebases, CI/CD pipelines, and runtime environments. - Dynamic testing: Confirms exploitability by testing running applications with real attack paths. The platform supports business context configuration in plain language, natural language detection rules, and an API for programmatic integration. It learns from developer feedback over time and provides security analytics including vulnerability tracking by repository, severity, burn-down monitoring, and time-to-remediate metrics. The platform is SOC 2 Type II certified.