Socket, a software supply chain security provider, has acquired Coana, a static analysis and reachability engine built by security researchers from Aarhus University.
Coana brings static control-flow and call graph analysis to Socket’s platform, allowing teams to prioritize vulnerabilities based on whether they’re actually exploitable in a given codebase. Traditional vulnerability scanners flood developers with endless security alerts, a common cause of “alert fatigue” in which real issues don’t get addressed. Key to managing this workload is reachability analysis, which lets security teams prioritize vulnerabilities that need rapid attention over those that cannot practically be exploited.
Socket said Coana’s reachability analysis engine solves this problem, eliminating up to 80% of false positives, allowing application security teams to cut through the noise and dramatically accelerating time to remediation for the most critical vulnerabilities.
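To make the idea of call-graph reachability concrete, here is an added example written for this article; it is not code from Socket or Coana, and it does not show how their engine works internally. It assumes the call graph has already been extracted from the source (a real engine derives the edges by static analysis; here they are written by hand as a constructed sample), and it uses placeholder advisory identifiers and made-up package names. The BFS from the application's entry points decides which advisories affect code the application can actually call and records the call path as evidence for the ones that do.

```javascript
// Added example (not Socket's or Coana's code): triage dependency advisories
// by whether the affected function is reachable from the app's entry points.

// Constructed call graph. Each node is "package:function"; each edge is a
// direct call. A real engine would derive these edges by static analysis.
const callGraph = {
  "app:main": ["app:handleUpload", "app:renderPage"],
  "app:handleUpload": ["multerlike:parse", "app:storeFile"],
  "app:storeFile": ["fslib:writeSafe"],
  "app:renderPage": ["templ:render"],
  "templ:render": ["templ:escapeHtml"],
  "multerlike:parse": ["multerlike:parseHeaders"],
  "multerlike:parseHeaders": [],
  "fslib:writeSafe": [],
  "fslib:writeUnsafe": ["fslib:execHelper"], // present in the package, never called by the app
  "fslib:execHelper": [],
  "templ:escapeHtml": [],
  "templ:evalTemplate": [],                  // present in the package, never called by the app
};

// Constructed advisories with placeholder ids: each names the vulnerable
// function inside the affected package.
const advisories = [
  { id: "ADV-0001 (placeholder)", pkg: "multerlike", fn: "parseHeaders", severity: "high" },
  { id: "ADV-0002 (placeholder)", pkg: "fslib", fn: "execHelper", severity: "critical" },
  { id: "ADV-0003 (placeholder)", pkg: "templ", fn: "evalTemplate", severity: "critical" },
];

// Breadth-first search over the call graph starting at the entry points.
// Returns a Map of reached node -> the node it was first reached from
// (null for entry points), which is enough to rebuild a call path later.
function computeReachable(graph, entryPoints) {
  const parent = new Map();
  const queue = [];
  for (const entry of entryPoints) {
    parent.set(entry, null);
    queue.push(entry);
  }
  while (queue.length > 0) {
    const node = queue.shift();
    for (const callee of graph[node] || []) {
      if (!parent.has(callee)) {
        parent.set(callee, node);
        queue.push(callee);
      }
    }
  }
  return parent;
}

// Rebuild the entry-point-to-target call path from the BFS parent map.
function callPath(parent, target) {
  if (!parent.has(target)) return [];
  const path = [];
  let node = target;
  while (node != null) {
    path.unshift(node);
    node = parent.get(node);
  }
  return path;
}

// Mark each advisory reachable or not, attach the evidence path, and put
// the reachable ones first so they are what developers see at the top.
function triageAdvisories(graph, entryPoints, advs) {
  const parent = computeReachable(graph, entryPoints);
  return advs
    .map((a) => {
      const node = `${a.pkg}:${a.fn}`;
      const reachable = parent.has(node);
      return { ...a, reachable, path: reachable ? callPath(parent, node) : [] };
    })
    .sort((x, y) => Number(y.reachable) - Number(x.reachable));
}

// Convenience for reporting: how many advisories actually need attention.
function countReachable(triaged) {
  return triaged.filter((a) => a.reachable).length;
}

// Usage on the constructed sample: only ADV-0001 is reachable from app:main.
const triaged = triageAdvisories(callGraph, ["app:main"], advisories);
for (const a of triaged) {
  const status = a.reachable ? `REACHABLE via ${a.path.join(" -> ")}` : "not reachable";
  console.log(`${a.id} [${a.severity}] ${a.pkg}:${a.fn}: ${status}`);
}
```

Note that the two "critical" advisories end up below the "high" one: severity alone would have ranked them first, but neither vulnerable function is on any call path from the application, so the reachable issue is the one worth a developer's time first. Unreachable advisories are not discarded here, only deprioritized, since a later code change can make them reachable.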
“For every team buried under thousands of vulnerability alerts, Coana’s reachability analysis offers a better way forward,” said Feross Aboukhadijeh, CEO and founder of Socket. “They’ve built the most scalable and accurate reachability engine we’ve seen, and we’re excited to bring it into Socket to give developers precise, actionable vulnerability insights — without the noise. Joining forces with Coana turbocharges our ability to deliver actionable, noise-free security alerts. This is a big win for our customers.”
Static analysis experts from Aarhus University founded Coana. Led by Professor Anders Møller, a world-renowned pioneer in JavaScript analysis, Martin Torp, Benjamin Barslev, and CEO Anders Søndergaard, the team has spent years advancing the state of the art in static and control-flow analysis.
Coana CEO Søndergaard said, “Joining Socket means we can scale our impact immediately. Together, we’ll help organizations drastically reduce their vulnerability management burden.”
“We founded Coana to give developers a tool that finds 100 critical issues, not 10,000 trivial ones,” CPO Torp added. “Joining (them) enables us to take that vision to the next level. Socket has led the charge on supply chain security, and now together we’ll deliver reachability analysis at a scale and impact that we could only dream of as a standalone product.”
Socket said it protects more than 8,500 organizations and 50,000-plus code repositories, scanning every commit in real time. It detects and blocks more than 500 software supply chain attacks per week, and has identified north of 100,000 malicious artifacts across open source ecosystems like npm, PyPI, Maven, and Go.
The news follows Socket’s $40M Series B funding round led by Abstract Ventures, Elad Gil and a16z. Zane Lackey, general partner at a16z, said: “Socket’s approach to open source security is simply better — it’s proactive, precise, and built for how modern teams work. The combination of Socket and Coana is the nail in the coffin for legacy SCA. This is the new standard for application security.”
“Great technology is built by great people,” said Aboukhadijeh. “The Coana team shares our values and brings world-class engineering talent to Socket. Together, we’re going to redefine what secure software development looks like.”