
TL;DR: Static analysis tools flood teams with false positives and miss the vulnerabilities that matter. We use LLMs to find the complex business logic flaws that traditional scanners can't detect.
Companies scan their code for security vulnerabilities and are often met with a big pile of findings. 80% of these findings are false positives rather than exploitable vulnerabilities. Even among the true positives, these scanners still miss issues like privilege escalation and authentication bypasses. These are the most important issues, and they only surface later during manual code review or penetration testing.
Security teams deal with this by spending hours tuning scanners and rules, or by hiring headcount to triage the false positives. This translates into delayed releases, overtime costs, and compliance risks when critical flaws slip through undetected.
Traditional SAST (Static Application Security Testing) tools have two fundamental limitations. First, they parse code into simplistic models like ASTs or call graphs, which lose context and can't resolve complex call chains. Second, they rely on pattern matching against predefined rules, which works for basic vulnerabilities like XSS and SQLi but fails completely for custom business logic flaws.
Gecko solves both problems. We built a custom, compiler-accurate indexer that preserves semantic information and allows us to precisely navigate code like an IDE. This gives us the ground truth of how your code actually works.
With that foundation, we use LLMs to perform threat modeling. The LLM analyzes your code's business logic, data flows, and trust boundaries to generate targeted attack scenarios. We then systematically validate each potential attack path, using the indexer to reconstruct full call chains from source to sink and determine real-world exploitability before flagging it as a vulnerability.
This approach finds the complex, multi-step business logic vulnerabilities that have been invisible to traditional tools.
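To make the contrast above concrete, here is an added Python sketch (not Gecko's code; the call graph, function names, entrypoints, sink and guard sets are all constructed for illustration). It compares a per-function rule, which can only see what a function itself calls, with a source-to-sink call-chain check that asks whether any function along the path to a privileged operation performs an authorization check.

```python
# Constructed call graph for a hypothetical web service (caller -> callees).
# Names are illustrative; nothing here comes from Gecko or a real codebase.
CALL_GRAPH = {
    "api.delete_account": ["svc.remove_user"],
    "api.admin_purge": ["auth.require_admin", "svc.remove_user"],
    "auth.require_admin": [],
    "svc.remove_user": ["db.delete_row"],
    "db.delete_row": [],
}
ENTRYPOINTS = ["api.delete_account", "api.admin_purge"]  # attacker-reachable sources
SINKS = {"db.delete_row"}                                 # privileged operations
GUARDS = {"auth.require_admin"}                           # authorization checks


def call_chains(entry, graph=CALL_GRAPH, sinks=SINKS):
    """All call chains from `entry` to a sink (depth-first, cycle-safe)."""
    chains, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node in sinks:
            chains.append(path)
            continue
        for callee in graph.get(node, []):
            if callee not in path:  # skip recursion cycles
                stack.append(path + [callee])
    return chains


def intraprocedural_findings(graph=CALL_GRAPH, sinks=SINKS, guards=GUARDS):
    """Rule-style check, one function at a time: flag any function that calls a
    sink without itself calling a guard. It cannot see a check made by the caller,
    so it reports the helper rather than the entrypoint that lacks the check."""
    return sorted(fn for fn, callees in graph.items()
                  if set(callees) & sinks and not set(callees) & guards)


def unguarded_chains(entries=ENTRYPOINTS, graph=CALL_GRAPH, guards=GUARDS):
    """Chain-level check: a path is guarded if any function on it calls a guard
    before the sink is reached. Returns (entrypoint, chain) for unguarded ones."""
    findings = []
    for entry in entries:
        for chain in call_chains(entry, graph):
            guarded = any(set(graph.get(fn, [])) & guards for fn in chain)
            if not guarded:
                findings.append((entry, " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    print("per-function rule flags:", intraprocedural_findings())
    for entry, chain in unguarded_chains():
        print(f"unguarded path from {entry}: {chain}")
```

The per-function rule blames `svc.remove_user`, which is correctly guarded on the admin path, while the chain check names the actual problem: `api.delete_account` reaches the sink with no authorization check anywhere on the path.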
We've got a handful of Fortune 500 companies and startups alike excited about this, because it addresses key pain points they couldn’t address with traditional scanners. Customers are seeing 50% fewer false positives on the same codebases, and the scanner is finding issues that would previously only have appeared in pentests and manual code reviews.
We’ve used it to find 30+ CVEs in projects like Ollama, Gradio, and Ragflow (https://www.gecko.security/research). You can try it on any OSS repo at or get a demo.
JJ and Artemiy met four years ago while studying in London. Since then, they have traveled the world competing in CTFs and hackathons, earning over $100,000 in prizes.
JJ, CEO and Co-founder, previously worked for the UK Intelligence Service as a teenager, building automated tooling to defend critical infrastructure. He also worked at Binance in China, leading security tool development for the Red Team.
Artemiy, CTO and Co-founder, served in the Austrian Cyberforces and built threat intelligence platforms used by Interpol and national governments. A scholar of Imperial College London, he’s spent his career developing systems that detect and respond to complex cyber threats.