Cycode: rebuilding AppSec [OTS teams]
Meet the Cycode team in Warsaw. Learn how they build security tools and what kind of engineers vibe with them.
Hey! Cycode team here.
Picture this:
You're deep in the codebase. Everything is on track, and the feature the team's been waiting for is almost ready to ship.
And then: bam. Security alerts: a vulnerable dependency, license issues, a misconfigured setting, maybe even a hardcoded secret.
You're not sure how serious it all is, but it's now your job to fix it.
That never happens, right? Until it does.
The average organization throws alerts from nearly 50 different tools at their developers. As a result, 81% of dev teams report "alert fatigue and vulnerability noise".
Now add GenAI-generated code into the mix. The attack surface has exploded, but security tools haven't evolved. Development velocity is up, security processes are stuck, and no one's quite sure who's supposed to fix what.
And here we are. Sitting right here in Warsaw, building a tool to deal with all this. For ourselves and for other developers who've experienced the same mess.
What we do: AppSec Platform
We're the R&D team behind Cycode's AI Native Application Security Platform. That term describes a modern security platform combining the best of AST (application security testing), ASPM (application security posture management), and SSCS (software supply chain security) to stop software risks.
Understanding Cycode's anatomy
At its core, our platform has two parts:
1. Unified intelligence layer
Cycode connects to the security tools your company already uses, like scanners, linters, and code quality checkers. Instead of receiving alerts from dozens of sources, you have a single interface where all notifications are collected and organized.
2. Purpose-built native scanners
We've also built our own scanners from scratch. They were designed with modern development realities in mind: monorepos, ephemeral environments, GitOps workflows, containerized applications, and GenAI-generated code.
Alerts come with context, so you know exactly what the issue is and where it's coming from.

Funny enough, we didn't start with a grand plan to build an all-in-one platform. It grew layer by layer.

What will it turn into next? Nobody can say for sure, but that's the reality of startup life.
The brain: Risk Intelligence Graph
In 2024, we rolled out the Risk Intelligence Graph (RIG for short). It helps with:
• Meaningful prioritization
Being alerted about every theoretical vulnerability in your dependency tree is frustrating, so the AI-powered prioritization focuses attention on the small percentage of issues that could actually affect your application. You can be sure that when an alert shows up, it's worth your time.
• Practical remediation

Because RIG makes alerts actionable by providing context and prioritization, the platform can then generate ready-to-merge pull requests with the appropriate fix already applied. We moved from "here's a problem, good luck" to "here's a problem and here's exactly how to fix it".

All of this fits naturally into existing workflows. Security guidance shows up in your IDE, PR reviews come with automated checks, and CI/CD pipelines run scans without slowing anything down.
Open-source ecosystem & free tools to try
To get a feel for how we think and build things, you can check out the open-source tools we maintain as part of the CyGives initiative. They're also great if you want to secure your own project, for free:
• Bearer CLI
A production-grade code scanner supporting multiple languages that helps catch vulnerabilities early. Works as a CLI tool you can run locally or integrate into your CI/CD pipelines.
• Raven
A Neo4j-powered analyzer for auditing package dependencies and GitHub Actions workflows. Loved for deep dives into supply chain security.
• Cimon
An eBPF-powered, real-time monitor for GitHub Actions. No setup is needed: add it to your workflow and it starts catching supply chain attacks immediately.
All these tools can be found at cycode.com/cygives/.
How we build Cycode in Warsaw
In Poland, Cycode is represented by On The Spot, a company helping startups build and grow offshore R&D teams.
At the moment, we have 20+ people in Warsaw working on Cycode across nine distributed teams. "Distributed" here means our engineers in Poland work closely with product managers, team leads, designers and other developers in Israel.
Each team owns its area: integrations, the Bearer engine for code analysis, scanning features, and more. In practice, our developers in Warsaw contribute to almost the entire platform, with our frontend specialists building most of the UI.

The relationship between Cycode and On The Spot means that those of us working from Warsaw are as involved in the product as our teammates in Israel. We're in tight contact, working as one engineering department across locations.
We own features end to end and have a chance to shape what gets built and how it's done.

Feel our vibe
Even though we've picked up a couple of Gartner recognitions, we're still very much in startup mode.
We don't know what we'll be doing in the next quarter, let alone one or two years from now. It's not because we are wondering what to do, it's because we have tons of things to do… It's a competitive industry, so we need to deliver a lot of features and do it quickly.
– Dor Atias
We look for people who are comfortable with ambiguity, take initiative, and move fast.
I always tell candidates: think of yourself like a stock. From the moment you join until the moment you leave (if you ever do), your value will have increased significantly. I see it all the time: people come in already experienced, but after a few years they are much more professional, not afraid of challenges, and really know how to get the job done.
– Dor Atias
Because we're still a startup, decision-making is transparent and quick.
If the pre-sales team lands a customer who needs a new feature, it will be live within a week or even a few days.
– Artem Fedorov
In October 2023, we moved from fully remote to a hybrid work format. That works for us: we know each other face to face, and there are no barriers to asking questions or discussing things, even with someone on another team.
Small talk emerges, and culture develops beyond just work. You can have a "holy war" over code quality and code style in person; that's a typical favorite. The atmosphere is very friendly and relaxed.
– Artem Fedorov
Open positions
Right now, On The Spot is growing Cycode's R&D team in Warsaw.
We're looking for:
• Middle+/Senior Backend Engineer to improve and maintain Cycode's Rust-based SAST engine, making sure it runs fast and reliably
• Senior .NET Engineer to drive end-to-end backend development, shaping architecture and technology decisions
We also invite you to connect with Artem, Dor, and Guillaume on LinkedIn, get to know them better, and stay connected for upcoming opportunities.
More openings, including roles at our other customers' teams, are on the Careers page.