Security teams cannot keep up with the scope and pace of product development. Code velocity continues to rise, and AI-assisted development is pushing it even faster. I joined DryRun Security because the company is tackling that reality head-on, with a product and a team I trust.
Hi, I’m Justin Collins. I previously served as CISO at Gusto, worked in the application security trenches at SurveyMonkey and Twitter, and now I’ve joined DryRun Security as a Principal AI Security Researcher. I also created and maintain Brakeman, a free static analysis security scanner for Ruby on Rails. I had the opportunity to use DryRun Security at Gusto as a customer, and it’s exciting to be able to join the team!
The problem I keep running into
Most AppSec teams are small, but the development org they support is not. That gap shows up every day as an unending stream of pull requests, new features, new dependencies, new technologies, and, of course, new attack paths and systemic risk.
Traditional tooling can help, but it often asks security teams to become full-time toolsmiths. Building useful automation usually means writing and maintaining custom rules, tuning language-specific configurations, and constantly fighting false positives. In the real world, teams get the basics running, then move on. They do not have time to build deep, custom coverage for every language and framework.
AI is making that gap worse. Developers now ship code in languages and frameworks they have never used before. That is powerful, and it changes the risk profile. Security teams cannot hire fast enough or build expertise fast enough to keep up with that output.
Why DryRun Security
DryRun is taking a practical approach to scaling AppSec. Instead of forcing every guardrail into brittle pattern matching, it lets teams express intent in natural language and enforce it in code review through Natural Language Code Policies, powered by its proprietary Contextual Security Analysis engine. If I can say, “Here’s the problem I’m seeing,” I want the system to find it, explain it, and help stop risky changes before they land.
Most organizations also need a two-tier security workflow. First, fast automated blocking or feedback for clear vulnerabilities. Second, high-signal notifications for the architectural and strategic issues that still need human judgment.
That balance is what I believe AppSec needs right now. Enable velocity, and focus human time where conversations and guidance actually reduce risk.
I also joined because of the founders. If anyone is going to get this right, these are the people I trust to get it done. Ken and James are building from a problem-first mindset. They deeply understand and care about the pain AppSec teams live with, not just the market category.
That reminds me a lot of the leadership team at Gusto who brought passion for small business problems to work every day. The best products I have seen come from teams who start with lived experience and build to solve those problems for their customers.
What I will focus on
As Principal AI Security Researcher, I will focus on how AI changes software risk and how we help teams with insights move faster. We’re delivering Code Security Intelligence so that AppSec teams see and prevent risk and development teams ship code without fear. That means improving how we identify what should be automated, when a human should be in the loop, and how we empower people with the information they need.
If you are facing the same tension between shipping faster and staying secure, I would love to compare notes. We’re all on the AI journey, and DryRun Security is in an excellent position to enable it.


