Apiiro

One-liner — A “deep code analysis” ASPM platform that builds a Risk Graph from design through runtime, so AppSec teams can see, prioritize, and auto-fix application risk across the whole SDLC — not just scanner findings.

Categoriessoftware-supply-chain (primary)

What it does

Apiiro is an Application Security Posture Management (ASPM) platform. Its core technology is Deep Code Analysis (DCA) feeding a Risk Graph that connects findings from code to runtime with context (who owns it, what data it touches, whether it’s internet-facing). Distinctively, it starts at the design phase — analyzing feature requests/user stories to flag risky features before code is written — and runs through develop (code-to-runtime fixing, AutoFix agents) and deliver (SCM/CI-CD protection). It includes native scanners (secrets, open source, supply chain), an extended SBOM (XBOM), unified risk/vuln management across third-party scanners, and a policy/governance engine. Recent positioning leans “agentic” with automated remediation agents.

Where it sits in the stack

software-supply-chain at the foundation layer, but Apiiro’s scope is broader than pure SCA — it’s an orchestration/posture layer over the SDLC. It screens untrusted input entering the build (third-party + AI-generated code/dependencies) and helps protect sensitive data (the Risk Graph flags code paths touching sensitive data / PII). For AI-generated code, the relevance is its risk-graph context and design-phase analysis: it aims to govern the materiality of changes (including AI-authored ones) rather than just scan diffs.

Deployment & architecture

SaaS, integrating via API into SCMs (GitHub/GitLab/Bitbucket/Azure DevOps), CI/CD, ticketing, and existing scanners whose output it normalizes into the Risk Graph. Not an inline runtime control — it’s an analysis/posture plane over the dev pipeline.

Positioning & differentiators

Apiiro’s wedge is deep code analysis + risk graph context and design-time risk detection, versus tools that start from scanner findings. Against legit-security — its closest ASPM neighbor — Apiiro markets deeper native code analysis and materiality/Risk-Graph context, while Legit historically emphasized SDLC/pipeline posture and code-to-cloud traceability (the two have converged). Against endor-labs it is broader-but-shallower on the specific dependency-reachability problem (Endor goes deeper on SCA reachability; Apiiro spans the whole SDLC). Versus snyk it is posture/orchestration-led rather than a developer-scanner suite; versus semgrep/socket it sits a layer up, consuming rather than being a single scanner. aikido-security competes at the SMB/all-in-one end.

Ownership, funding & M&A

Independent, venture-backed. Founded 2019 by Idan Plotnik (CEO) and Yonatan Eldar; HQ Tel Aviv with New York presence. $35M Series A (2021) and a $100M Series B (2022-11-03, led by General Catalyst with Greylock and Kleiner Perkins); ~$135M total. No acquisition found; independent as of 2026-06-28. Confidence: high on funding/independence (primary press + vendor); founding year 2019 widely cited (one aggregator says 2018) — minor uncertainty noted.

CTO / hedge-fund lens

Day-1 if shipping AI-generated code at enterprise scale; otherwise Day-2. Apiiro is built for large AppSec organizations with many repos, many scanners, and a need to prioritize across them — its customer logos (BlackRock, JPMorgan, USAA) are big regulated shops. A 50-person fund will likely find it heavier than needed and may prefer a focused tool (endor-labs, semgrep, aikido-security). For a larger asset manager with a real internal dev org shipping AI-assisted code, the design-time risk and risk-graph prioritization map well to model-risk/change-governance expectations. hedge_fund_fit: medium — high for large in-house dev shops, low for small/buy-not-build funds.

Competitors / alternatives

legit-security, endor-labs, snyk, semgrep, socket, aikido-security

Open questions / to verify

  • Founding year: 2019 (most sources) vs 2018 (one aggregator) — confirm against incorporation/primary.
  • Any funding after the 2022 Series B (Series C?) — none confirmed as of 2026-06-28.
  • Maturity/independence of the marketed “agentic” AutoFix agents vs roadmap.

Sources

  • Apiiro pulls in $100M Series B (TechCrunch) — fetched 2026-06-28 — supports: Series B $100M/Nov 2022, General Catalyst/Greylock/Kleiner, CEO Idan Plotnik, $135M total, design-phase analysis; confidence: high
  • Apiiro vendor site — fetched 2026-06-28 — supports: ASPM/Deep Code Analysis/Risk Graph/AutoFix positioning, enterprise customers; confidence: medium (marketing)
  • Apiiro — Crunchbase profile — fetched 2026-06-28 — supports: ~$135M total funding, Tel Aviv/NY HQ, founders; confidence: medium (aggregator)

History

  • [2026-06-28] Stub created from seed registry.
  • [2026-06-28] Researched; established Tel Aviv/NY HQ, founded ~2019, ~$135M total ($100M Series B Nov 2022, General Catalyst), independent. Positioned as deep-code-analysis ASPM with Risk Graph. ownership_confidence raised to high.