How does Corgea work?
December 13, 2023
We’re thrilled to publicly launch Corgea, a platform that automatically secures your vulnerable source code. Corgea leverages AI to reduce development effort by 80%, enabling security teams to issue pull requests for source code fixes for engineering approval. This is an exciting leap forward in automated code hardening for security and engineering teams, and anyone can try it out today.
Unresolved holes in software
Currently, security teams struggle to fix code vulnerabilities. They often have to negotiate with engineers to prioritize security work. It takes years for companies to drive down their vulnerability count, leaving them exposed for too long.
On average, it takes companies 3 months to fix a vulnerability, and 60% of breach victims knew about the unpatched vulnerability that was exploited. Why? This is because engineers prioritize revenue-generating work, often leaving security fixes lower in priority. It’s also really expensive for companies to fix vulnerabilities, costing them between $400 - $4,000 per fix. This is an unacceptable standard in today’s environment of more frequent security breaches and increasingly sophisticated attacks.
Security teams kept complaining to us that all of their hundreds (yes hundreds) of security tools alert them about vulnerabilities and what’s going wrong without giving them a way to actually resolve the issues. This leaves security teams hanging high and dry.
What does Corgea do?
We’re approaching one of the hardest problems in security with an entirely new approach. Unlike other tools that have been obsessed with just reporting on vulnerabilities, Corgea fixes them.
Corgea connects to your existing SAST & SCA tools, and automatically writes code fixes for the reported vulnerabilities. Security teams can issue a pull request for the fix with a single click without disrupting any workflows. Engineers get the code fix for review, well written issue descriptions, and AI-generated fix explanations helping them understand the changes.
For example, Corgea can rewrite code and issue PRs to fix SQL injection, path traversal, SSRF and dozens of other vulnerability classes found by existing tools, across many languages. Here’s a brief demo to show Corgea’s capabilities.
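To make the kind of rewrite described above concrete, here is an added example (not Corgea’s code, and not a description of how the product generates its fixes) showing two of the named vulnerability classes in Python: a SQL injection and a path traversal, each with the defective "before" next to a hardened "after". The user table, the file layout and the malicious input are constructed for the demonstration; the fix patterns (parameterised queries, resolving the path and checking it stays under the base directory) are the standard remediations a reviewer would expect in a fix PR.

```python
import os
import sqlite3
import tempfile


# Constructed sample data: an in-memory SQLite table standing in for a real user store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# BEFORE: untrusted input is formatted straight into the SQL text (SQL injection).
def find_user_vulnerable(conn, name):
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


# AFTER: parameterised query; the value travels separately from the statement,
# so quotes in the input can never change the query's structure.
def find_user_fixed(conn, name):
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed sample filesystem: a "public" directory the app may serve from,
# and a secret file one level above it that must never be reachable.
def build_fs():
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "readme.txt"), "w") as f:
        f.write("public content")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret content")
    return root, public


# BEFORE: the request path is joined onto the base directory without validation
# (path traversal), so "../" segments walk out of the intended directory.
def read_file_vulnerable(base, user_path):
    with open(os.path.join(base, user_path)) as f:
        return f.read()


# AFTER: resolve symlinks and ".." on both sides, then require that the final
# path still lies under the base directory before opening it.
def read_file_fixed(base, user_path):
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base directory")
    with open(target) as f:
        return f.read()


def demo():
    """Run the same hostile inputs through the before/after versions and report what each returns."""
    conn = build_db()
    injected = "x' OR '1'='1"  # constructed input: turns the WHERE clause into a tautology
    results = {
        "sqli_before": len(find_user_vulnerable(conn, injected)),  # every row leaks
        "sqli_after": len(find_user_fixed(conn, injected)),        # no user has that literal name
    }
    _root, public = build_fs()
    traversal = "../secret.txt"  # constructed input: one level above the served directory
    results["traversal_before"] = read_file_vulnerable(public, traversal)
    try:
        read_file_fixed(public, traversal)
        results["traversal_after"] = "allowed"
    except ValueError:
        results["traversal_after"] = "blocked"
    results["normal_after"] = read_file_fixed(public, "readme.txt")  # legitimate path still works
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary showing the vulnerable SQL query returning both rows for the crafted name while the parameterised version returns none, and the unchecked file read handing back the secret while the hardened version rejects the traversal and still serves the legitimate file. A scanner finding for either class would point at the "before" function; the "after" function is the shape of change a fix PR should carry.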
Our vision is to create a white-box AI hacker. It will find and fix AppSec issues, combating emerging malicious AI hackers.
Empowering Security and Freeing up Engineering
Security is often seen as a blocker to engineering, and engineering a blocker to security. With Corgea, we’re empowering security teams to be able to take action while also accelerating engineering velocity. This fundamentally changes the dynamic between teams.
💪 Stronger code: companies can now secure their products and reduce their fix times to hours without taxing engineering. Many prospects we spoke to have tens of thousands of vulnerabilities and now have a fighting chance of reducing them.
🚀 Increase engineering velocity: since Corgea is writing the code fix, we see an 80% savings in time engineers spend fixing security issues. Security can now be an enabler to engineering rather than a blocker.
💰 Slash Costs: Research shows that a single vulnerability takes about $400 - $4,000 to fix. Corgea slashes 90% of the cost of doing this. An enterprise should expect to save at least $10m in direct development costs. This doesn’t account for breach cost savings.
Often, security software lacks a clear return on investment or value proposition. They are frequently bought due to fear, uncertainty, and doubt. At Corgea, our belief is that security software needs to lead first with real value and a clear ROI.
How is Corgea different than existing solutions?
The current market is flooded with tools that overwhelm security teams with alerts and are not effective at fixing what they’re reporting.
General coding agents do not specialize in security fixes and often have an extremely low (10% - 35%) success rate in prompt acceptance. Additionally, they do not integrate with the scanning tools companies already use, so they cannot resolve those findings or clear security backlogs.
Most SAST & SCA vulnerability scanners do not remediate issues, and where they do, the remediation is primitive; they’re mostly limited to upgrading packages from one version to another to reduce a CVSS score. Where they do offer CWE remediation, their success rates are very low because they’re often based on traditional AI methodologies. Additionally, they do not integrate into a wider ecosystem of tools because they only want to serve their own findings.
Enterprises often use multiple scanners like Snyk, Semgrep, Checkmarx, and may have multiple repository tools like Github, Gitlab and Bitbucket for their code. They need a solution that consolidates across their existing tools. Corgea leverages the latest in LLM technology, deep security expertise and a developing integration ecosystem to deliver value for customers.
Who is building Corgea?
Every member of the Corgea team has struggled with the friction of driving down vulnerabilities on both the security and engineering fronts. We witnessed first-hand the frustration of teams wanting to deliver high-quality, feature-rich, secure software. Our goal is to shatter the silos between the teams and empower both of them rather than empowering one at the expense of the other.
In our prior roles, we designed, secured and built mission-critical software products at companies like Coupa, Autodesk, and PlanGrid.
Want to try it?
We’re really excited to help companies automate securing their source code. Use Corgea today for free and without a credit card here. Setup takes less than 30 seconds. Feel free to reach out to us to chat and get a more in-depth demo.