By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Watch Now

Code Velocity In An AI-era:
How AppSec Teams Can Stay Ahead

AI is not creating entirely new AppSec threats. It’s multiplying code changes and pushing familiar risks into new places like agent workflows, model calls, and AI service usage.

In this fireside chat, DryRun Security and Commerce share real stories from teams shipping LLM and agentic features in production. We’ll cover what broke first, what mattered most, and how AppSec teams are adapting without becoming the team that slows shipping.

You’ll learn:
What changes when developers ship 2 to 4x more code with AI, and why manual review coverage collapses
High-impact failure modes like unbounded consumption, runaway loops, and logic flaws at high velocity
Where guardrails work best: tool calls, data access, permissions, and outputs
How to maintain continuous visibility and prioritization as AI-assisted development becomes normal

James Wickett

CEO and Co-Founder At DryRun Security

Ken Johnson

CTO and Co-Founder At DryRun Security

Adam Dyche

Manager Application Security Engineering At Commerce

Zac Fowler

Sr. AppSec Engineer At DryRun Security

DryRun isn't your normal SAST, it's your dedicated secure code review agent who is never too busy for a security review. DryRun enables busy security professionals by screening out the noise, providing direct feedback to engineers where they work, and working as a force multiplier for AppSec teams.

Kyle Rippee

Product Security Engineer

,

Tines

"At Commerce, we’re building AI-driven shopping experiences, and agentic checkouts are changing everything. We chose DryRun because OWASP LLM app risks are all about context, and we wanted to build security in from day one. DryRun outperformed every other tool we tested by far, and its contextual security analysis actually understands our code the way our engineers do.”

Adam Dyche

Manager

,

Application Security Engineering, Commerce

“As we lean harder into AI-generated code and highly customized delivery environments for our customers, we need more than a traditional code scanner. DryRun Security lets us continuously understand and explain the security posture of what we’re building, internally and for Fortune 50 clients, in a way that actually maps to how modern engineering teams work. The combination of real-time, context-aware analysis and MCP capabilities gives us a path to turn raw findings into customer-ready artifacts and ongoing assurance. For us, DryRun Security is less ‘AI code review’ and more a core piece of how we’re building an AI-first security program going into 2026 and beyond.”

Patrick McKinney

Vice President Security

,

Invisible Technologies

With DryRun Security, it feels like we’ve more than doubled our AppSec team. We can focus on the pull requests that truly matter, thanks to Code Insights. What’s more, our developers get instant, actionable guidance on writing secure code — it’s like having a security coach in every pull request. The tool has transformed how we approach application security, scaling our efforts without adding headcount or slowing development.

Sean Holcroft

Application Security Architect

,

BrightHR

It's hard to imagine writing code at startup speed without it now.

Jonathan Cran

Founder

,

Stealth

With DryRun Security, we’ve transformed how we manage application security across our global development team. The GitHub integration ensures that our developers get precise and instant feedback directly in their workflow, enabling them to fix security issues without skipping a beat. The tool has not only helped us catch risks like hardcoded credentials early but has also fostered a culture of security among our developers. DryRun Security is an indispensable part of our AppSec toolkit.

Gary Gonzalez

CTO

,

PlanetArt

As the Director of Operations and Security of a successful tech startup, I wear many hats. With DryRun Security's out-of-the-box analyzers, I’ve found I no longer have to read through 40 PRs a day to find the two that are doing something unexpected. This is how I was able to identify sub-domain registration code that was going to allow a non-compliant domain, which would have taken down our DNS database for our whole customer base.

Todd Bradfute

,

SimpleRose

I love seeing how their contextual analysis upends a lot of assumptions I had burned into my brain about the limits of automation. There are whole classes of vulnerabilities I used to dogmatically say required humans to detect that they are able to identify and that’s super-cool. It is rare that I’m so happy to be wrong.

Dan Cornell

CTO

,

Denim Group

We've been using the DryRun Security app for months, and we highly recommend it! It automatically evaluates every GitHub pull request, so we know the solutions we're delivering to our clients are covered, plus the results are wicked fast and fit our development team’s needs.

John Poulin

CTO

,

Cloud Security Partners

We’re a leading open-source application security team with lots of community support, and because of that growth, sometimes code reviews can get complicated. Using DryRun Security, I've found the allowed authors feature helpful as it flags sensitive file changes in pull requests submitted by the committers who aren't approved to change certain parts of the codebase. One of the other things I love about it is how we could quickly get up and running in just a couple of minutes.

Matt Tesauro

CTO

,

Defect Dojo

FAQs

Answers to Your Most Common Questions.
If we didn't get your question covered, reach out to us at hello@dryrunsecurity.com
View All
When should I use a DeepScan Agent review instead of a PR review?

Use it when you need broader coverage, for example onboarding a repo, preparing for an audit, after major refactors, before a release, orwhen developers introduce a new language.

Many teams run DeepScan on a cadence per production repo (monthly/quarterly), at key release checkpoints, or when risk changes, for example after big dependency updates or major architectural changes.

What is the DeepScan Agent?

The DeepScan Agent is DryRun Security’s agent for running a deeper, repository-wide security analysis, not just a single pull request. It’s designed to surface risks that hide across files, modules, and historical code paths, then return prioritized findings your team or agents can act on. It behaves like an expert security engineer, reviewing code for exploitable flaws and delivering prioritized, actionable guidance.

How is DryRun Security priced?

Pricing is aligned with the size of your engineering and security teams. It focuses on the number of developers and security team members using DryRun Security and owners requiring codebase visibility.

What deployment and compliance options exist?

DryRun is delivered as SaaS with strict data handling. It supports SOC 2, ISO 27001, PCI, and HIPAA by generating artifacts of SDLC controls.

How does DryRun conduct code reviews?

Reviews are based on the COVER model:

  • Context: Understanding the language, environment, and business logic.
  • Orchestration: Managing agents and integrating with CI/CD.
  • Verification: Rigorously confirming flaws to eliminate false positives.
  • Exploitability: Assessing if an attacker could actually leverage a flaw.
  • Reporting: Providing actionable technical details and leadership summaries.