
Meet Pixee: AI-Powered AppSec for the Era of Codegen

We are excited to announce our investment in Pixee, which revolutionizes code security for the age of AI-powered developers. With the emergence of AI coding tools like Cursor, Windsurf and GitHub Copilot, developers have achieved unprecedented velocity. However, this creates an impossible burden for Application Security teams who are stuck with traditional workflows and tools that generate overwhelming alerts without resolution. Pixee transforms security teams by automating the last mile of application security with an AI-powered platform that delivers trusted, production-ready fixes directly into developer workflows. Leveraging agentic systems, deterministic codemods, and deep security expertise, Pixee delivers trusted automation that developers and security teams can rely on.

Pixee was founded by Surag Patel and Arshan Dabirsiaghi. Surag was previously the Chief Strategy Officer at Contrast Security and VP of Product & Marketing at 41st Parameter (acquired by Experian), while Arshan co-founded Contrast Security, a leader in the application security space currently valued at $1.3B, and served as its Chief Scientist. We talked to Surag and Arshan about their vision for Pixee in our founder Q&A:

Where did you grow up and what got you interested in cybersecurity?

Surag: I’m a Bay Area native, through and through. However, I first got interested in entrepreneurship when I was living in a small town in Kansas during my high school years. My family moved out there and I lived there for four years when my Dad bought a business in Kansas. That was where I got introduced to startups.

My parents wanted me to get a job when I was in high school and start making some money. Instead of doing that, I figured I would rather start a business so I didn’t have to go work for someone else.

My friends and I bought computer components and put them together. Our first client was our own high school and over a few months, we ended up building computers that powered the entire video editing lab. By the end of my senior year, our business had flourished and we became the prime suppliers of computers to my high school and were expanding to the entire town. As I went off to college, my friends continued the business and became the regional high-speed internet provider for our high school, then our town, then their city, and then a few other states.

Eventually, they sold the business for a good chunk of change to a local ISP. That taught me about being smart about startups as one summer prior to the sale, I had sold my stake in the business for a six-pack.

Since then, I’ve been somewhat of a startup junkie. I’ve joined companies below 50 employees and seen successful acquisitions, exits, IPOs – you name it. On my journey I was fortunate to gain my footing in cybersecurity across various great companies like ComScore (NASDAQ: SCOR), 41st Parameter (acquired by Experian) and eventually Contrast Security.  

Arshan: I was born and raised in Baltimore. At about age 10, I had a 486 DX 33 megahertz computer that could barely play games like Wolfenstein. That’s where I eventually taught myself QBasic. After diving into BBS and then learning you could hack into stuff through BBSs, I was hooked. For a teenager looking for rebellion, it was a perfect fit. I know many of the well-dressed and well-respected security industry leaders you see now felt the same things.

Arshan exploring computer games in his formative years.

When I got to college, I started working for Aspect Security, a boutique software security consulting group. I started as an intern, but within a few years I became the Director of Research. I was super passionate about the subject material. I was hacking for a paycheck! We were constantly working on open source security tools, and trying to leverage the existing automation for our customers, but after a while, I felt I wasn’t really helping them scale great security practices.

I loved the human connection with customers, but the problem they had was scaling software security. I’d find five vulnerabilities at a customer’s site, come back the next year and they’d have fixed two of those vulnerabilities but added three more.

So Jeff Williams, the founder of the agency I was working at at the time, and I decided to found Contrast Security, which was really geared towards hyper accuracy in the application security field.

How did you two meet?

Arshan: Well, while Jeff and I were still working at the agency, we had built a runtime analysis tool and really didn’t know what to do with it – it’d eventually become Contrast.

The idea of finding vulnerabilities accurately just by exercising your app was a very new idea, and a core differentiator. When we found a vulnerability we were very confident handing it to you and saying it was an issue because we “saw it happen”, meaning we traced the execution of the vulnerability. It wasn’t just looking at your code and saying, “this might be a vulnerability.”

When we landed our first customer, the feeling was unreal. I had built open source software, but never software someone had paid for. That first sale was an inspiration for a lifetime. That client, who was just spending $6k, went on to renew their contract for years and I will forever be grateful for him believing in us during those early days. Lots of people were interested, and we quickly realized that we needed help scaling the business.

Surag: In 2016, I jumped on board Contrast to help Jeff and Arshan make the customer voice central to our GTM & product as the Chief Strategy Officer. The Monday before I started, on Sunday night, I took a red-eye into Baltimore from the Bay Area to meet the team. The first thing we did was to head out to lunch and margaritas to get me initiated. We drank margaritas on a Monday at lunch, out of a hubcap, as was tradition in the restaurant and in the team, before diving into the product. And then Arshan and I dove in, we talked about the product, the pricing, what our customers loved and what they didn’t. Over the course of the next 7 years I would work closely together with Arshan dealing with an assortment of issues from pricing, rebrands, product launches and scaling the company. In that time, we became not just a great team but even closer friends.

Arshan: The company eventually grew to 350 employees, 200 enterprise customers, like Allstate, BMW, Intuit, and more, and with a valuation of about $1.3B. We had gone through 4 rounds of funding and been at the forefront of DevSecOps – we had grown so much. Even though we both loved working at Contrast and to this day have lots of close friends there, the company was maturing, and Surag and I both were eager to try something new. So, things turned from jokes like, “If I’m going to build something, it’d be with you,” to, “Okay. Let’s do this.”

Why did you choose to focus on empowering Application Security with AI?

Surag: When Arshan and I looked at the application security landscape, we saw a dramatic imbalance. Developer teams have experienced an exponential productivity leap thanks to GenAI tools like Cursor, Claude Code, and GitHub Copilot. But Application Security teams are still stuck with traditional workflows and tools that generate overwhelming noise without resolution.

The pain is clear - AppSec teams face an impossible burden. While developers ship code faster than ever before, security teams struggle with scanners that flood them with endless alerts that don't translate into action. These understaffed and under-resourced teams simply can't keep pace with developer velocity, creating a growing security gap. Ask anyone today and they will tell you their “DevSecOps” dreams never materialized.

Arshan: Developers simply spend too much time on security, recent research from IDC pointing to about 1 day per week! We tell developers not to write their own cryptographic code. Unless you have a PhD in it, you probably shouldn’t be doing that. But, we don’t follow the same lesson for other extremely nuanced security challenges. We simply say, “Hey, here’s an issue, here’s a result, figure it out.” We’ve wasted so many cycles trying to help developers, it’s time we just do it for them.

What makes automated mass remediation so important in this time?

Surag: Even before the GenAI coding boom, enterprises have accumulated massive backlogs of security debt. We talk to enterprises daily who have hundreds, thousands, even millions of KNOWN vulnerabilities in their code bases, but are unable to get these remediated at scale. When you layer on top of this that their developers will now produce 50% more code with AI, this is a perfect storm of risk.

Enterprises can’t afford to slow down innovation and hope to address their code vulnerabilities with their understaffed, poorly tooled Application Security teams. The only path forward is to re-imagine how we empower these teams to 10X their productivity.

Arshan: When we had monolithic applications, it was easier to find vulnerabilities. Everything was in the same codebase.  But now, with the cloud, we’ve taken that app and we’ve chopped it into a million pieces and it’s all over the place. So for you to confidently reason that there’s a vulnerability on one application path – no tool can do that for you today. Everyone analyzes little bits and hopes that they get results. But, it’s still a guessing game. So, automated remediation is the only approach that gives you guarantees today. We harden each piece of code distributed throughout the cloud. Finding places where code is definitively exploitable simply isn’t reasonable any more. This challenge becomes completely untenable when AI is writing all the code. It’s imperative we weave in security by design and re-write code to fix vulnerabilities automatically.

What makes Pixee unique in this space?

Arshan: We have gotten used to IDEs and tools like Copilot writing code for us. And more are coming. The models are trained on human code which means they have the same faults. They are prone to vulnerabilities, as academic studies have already shown. Pixee makes sure that all code that’s written by AI, or by a human, is written securely. Pixee automates the two most time-consuming tasks for enterprises - triaging vulnerabilities that come from their code scanners and re-writing source code to fix vulnerabilities.

Surag: Pixee is not here to help you find new vulnerabilities. Enterprises already have these tools in place. We have very strongly held beliefs, that have been validated by users, that the software + security teams need more resolution, not findings. We are the leading platform to take your noisy application security program and turn it into success metrics for all teams involved - development, security & compliance teams.

Pixeebot automatically provides high quality code fixes, instantly

Arshan: Pixee has been built with the latest technologies that other teams are just learning about. We use a combination of deterministic techniques, AI agents and hybrid workflows to build trusted fixes that enterprises & developers accept at unprecedented rates. We are constantly worrying about the latest models, techniques and AI frontiers so our customers don’t have to. Our customers can focus on the outcomes they want (e.g. burning down their security backlog, with minimal developer overhead) and we will obfuscate all the complexity of using the latest techniques to achieve these results.

What’s your vision for Pixee?

Surag: I see a near future where Pixee will transform how enterprises approach code security. The challenge of understaffed and under-resourced security teams will be a thing of the past, as we enable these teams to achieve a 10X productivity leap to match genAI-enabled developer velocity. Instead of endless scanner noise, Pixee delivers automated mass resolution, empowering security teams to confidently keep pace with development and ensure secure code at unprecedented velocity.

Arshan: We also have big ideas on where we will re-imagine how application security specialists spend their time. There are so many places where they waste time today on important but repetitive tasks, that we can automate with the latest AI techniques. We will make all code, human, or AI generated, automatically secure through Pixee and provide Application Security teams the aircover they need to work on strategic projects.