dpndncY
Solutions
Different decisions.
Same evidence.

Each role on your team has a different question to answer. The platform doesn’t change for them — the view of the evidence does. Same signing root, same policy surface, same scan engines.

By role

Five roles. One source of truth.

No duplicate engines, no separate licenses, no cross-tool reconciliation. The decision an AppSec engineer accepts is the same decision a CISO can show their auditor.

01

Developers

Don't put findings in my queue I can't act on.

The first job of a security tool is to not waste developer time. Findings appear inline in VS Code with the actual upgrade path attached. Auto-fix PRs come with pre-flight breaking-change analysis in the body. Vulnerable packages never reach node_modules — the firewall blocks the install upstream.

Concretely
  • VS Code extension with one-click upgrade fix
  • Auto-fix PRs include breaking-change diff
  • Firewall rejects bad installs before lockfile updates
  • Findings ranked by reachability, not raw severity
Decision criterion
  • Every finding includes the exact upgrade target + breaking-change risk
  • Zero false-positive noise from non-reachable transitive vulns
02

AppSec teams

I need one source of truth, and I need to defend every decision.

Stop reconciling outputs from three scanners. SCA, SAST, IaC, secrets, container, runtime — one engine, one policy, one evidence trail. The exploitability fusion engine (KEV + EPSS + ExploitDB + reachability + attack-path) demotes findings with no real exploit signal before they reach your triage queue.

Concretely
  • Unified results view across every engine and every project
  • Policy-as-code; tenant-scoped
  • Every decision carries the signal stack that produced it
  • Signed evidence chain you can hand to a regulator
Decision criterion
  • You can prove which signal fired which decision, for every finding
  • One license, one server, one keypair
03

DevOps / Platform

Don't break my builds. And don't add a SaaS dependency.

Three-mode rollout (observe → soak → enforce) for both the firewall and the runtime agent — you ship policy on a curve, never a cliff. The runtime agent is a single static binary; the K8s DaemonSet sees every container's syscalls from the host, so you avoid per-pod sidecar overhead.

Concretely
  • GitHub Action wrapper drops into any workflow in two lines
  • K8s DaemonSet under Helm or raw manifest
  • systemd unit for self-hosted runners
  • linux/amd64 + linux/arm64 binaries
Decision criterion
  • No telemetry — the agent reports to your dpndncY server, not ours
  • Air-gapped clusters supported out of the box
04

CISO / Security leaders

Show me the evidence I can hand to an auditor — or a customer.

The audit trail isn't a log claim — it's cryptographically bound evidence. Every firewall verdict, every policy decision, every CI run ships as a signed JWS that anyone with the public key can verify offline. Your data stays on your infrastructure; we don't see any of it.

Concretely
  • Portfolio-level trend snapshots across every project and severity
  • Signed JWS evidence per decision, verifiable offline
  • Regulatory coverage maps signals to SOC 2 / ISO 27001 / PCI / EU CRA
  • One platform consolidates 3–5 legacy AppSec tools
Decision criterion
  • One platform consolidates three to five legacy AppSec tools
  • Evidence portable, vendor-independent
05

Compliance

Build the evidence once. Reuse it across every audit.

CycloneDX 1.5 + SPDX SBOM on every scan, diff from last known. Every scan and every firewall decision emits a signed JWS. The regulatory coverage engine maps signals to SOC 2, ISO 27001, PCI DSS, and EU CRA requirements so the same evidence underpins every framework.

Concretely
  • Continuous SBOM with diff-from-last-known on every scan
  • Signed attestation bundles per scan + per firewall decision + per CI run
  • Regulatory coverage: SOC 2, ISO 27001, PCI DSS, EU CRA
  • Offline verifier — no portal lock-in five years from now
Decision criterion
  • Evidence verifies offline — no portal lock-in five years from now
  • Same signed bundle satisfies multiple frameworks
By use case

Five scenarios the platform handles natively.

Each scenario is a different combination of the same engines — not a separate product to license, install, or monitor.

Zero-day response

The advisory drops at 03:00 UTC. Re-scan every monitored project against it; auto-fix PRs land on GitHub and GitLab in a single batch (with breaking-change analysis in the PR body); the Dependency Firewall rejects any new install of the vulnerable version while the PRs are reviewed. Detection, remediation, and prevention in one tool — not three.

CI/CD pipeline trust

Drop the runtime agent (GitHub Action, K8s DaemonSet, or systemd unit) into your pipeline. Every connect, exec, file open, and DNS lookup is captured at the kernel level, correlated to the workflow step that caused it, policy-evaluated, and emitted as a DSSE-signed SLSA in-toto Statement at run end — verifiable offline. In enforce mode, cgroup-BPF actively denies non-allowlisted egress.

SBOM & compliance evidence

CycloneDX 1.5 + SPDX SBOM on every scan. The change set between scans surfaces as an SBOM diff with vulnerability deltas. The signed attestation bundle (firewall decisions + scan evidence + runtime trace) goes to your customer or auditor as a portable proof — not a URL into a vendor's portal.

AI code risk

The AI-risk module attributes the proportion of code in any file likely produced by an AI assistant (multi-signal: explicit markers + structural deviation + commit-burst patterns) and amplifies any security finding whose location overlaps a high-AI-concentration region. Reviewer attention concentrates where the risk is highest.

Open-source supply chain

Multi-signal decisioning at install time: KEV + EPSS + ExploitDB + reachability + attack-path + license + trust score. Trust-delta gating flags any package whose trust score has dropped vs. the last approved version — catching typosquats, takeovers, and maintainer rotations that absolute thresholds miss. Bypass requires a signed waiver.
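The multi-signal decision described here, and the exploitability fusion that demotes findings without exploit signal (the AppSec section above), as one added example that is not dpndncY's code: the verdict carries the reasons that fired, and the trust-delta gate blocks a version whose score dropped against the last approved one even though it still clears the absolute floor. The Signals fields, the thresholds and the verdict names are assumptions for the example.

```go
package main

// Signals is an assumed input shape for one package at install time
// (constructed for this example, not the product's data model).
type Signals struct {
	Name, Version     string
	HasVuln           bool    // a known advisory applies to this version
	InKEV             bool    // listed in CISA KEV
	EPSS              float64 // probability of exploitation (0..1)
	PublicExploit     bool    // public exploit (e.g. ExploitDB) available
	Reachable         bool    // vulnerable code reachable from the app
	OnAttackPath      bool    // sits on an attack path to a sensitive asset
	TrustScore        float64 // trust score of this version (0..1)
	LastApprovedTrust float64 // trust score of the last approved version; 0 = none
	WaiverSigned      bool    // a signed waiver for this version has been verified
}

// Assumed thresholds; the real policy surface is tenant-configurable.
const (
	trustFloor   = 0.60
	maxTrustDrop = 0.15
	epssHigh     = 0.10
)

// Decide fuses the signals into one verdict plus the reasons that fired,
// so the verdict can later be defended signal by signal.
func Decide(s Signals) (verdict string, reasons []string) {
	// Trust-delta gating: a drop against the last approved version blocks
	// even when the absolute score still clears the floor.
	if s.LastApprovedTrust > 0 && s.LastApprovedTrust-s.TrustScore > maxTrustDrop {
		reasons = append(reasons, "trust-delta")
	}
	if s.TrustScore < trustFloor {
		reasons = append(reasons, "trust-floor")
	}
	if s.HasVuln && (s.InKEV || s.EPSS >= epssHigh || s.PublicExploit) && (s.Reachable || s.OnAttackPath) {
		reasons = append(reasons, "exploit-signal-reachable")
	}
	switch {
	case len(reasons) > 0 && s.WaiverSigned:
		return "allow-waived", append(reasons, "signed-waiver")
	case len(reasons) > 0:
		return "block", reasons
	case s.HasVuln:
		// Known vuln but no exploit signal, or not reachable: demoted, not queued.
		return "demote", []string{"no-exploit-signal-or-unreachable"}
	}
	return "allow", nil
}
```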

Run dpndncY on your infrastructure.
Read its decisions. Verify them offline.

Self-hosted, fully air-gappable, no telemetry. Every decision the platform makes is signed and verifiable with a public key.