Hopper Security emerges from stealth to fix open-source security problems


Modern software relies on open-source. As open-source software (OSS) scaled, accelerated by AI, legacy security tools failed to keep pace, introducing undesired cost, complexity, and drag on developer productivity. Gartner cites false positives, alert fatigue, and the lack of exploitability context such as function-level reachability as key barriers to effective application security.

Hopper Security has launched out of stealth with a clear goal: to change how companies manage OSS risk. They raised $7.6 million in seed funding. Investors include Meron Capital, New Era, the Sequoia Scout Fund, M-Fund, and other tech leaders behind major exits to Intel, Oracle, Google, AWS, and more.

The growing gap in open-source security

Software depends heavily on open-source code. But as open-source use grew, helped by AI, security tools did not keep up. Old tools added cost, complexity, and slowed down developers. According to Gartner, problems like false positives, alert fatigue, and missing information about how vulnerabilities are actually used in code make application security hard to manage.

Most Software Composition Analysis (SCA) tools flood teams with alerts. They miss real threats and frustrate developers. Hopper offers a new approach. It gives teams function-level reachability, automatic asset discovery, hidden vulnerability detection, and support for complex web frameworks — all without needing agents or changes to CI/CD pipelines.

Big companies, including Fortune 500s and fast-growing tech firms, already use Hopper. Their teams have replaced old SCA tools to better protect their code. Before Hopper, some companies said they spent up to 8% of their development time just managing security alerts. Hopper helps fix this by improving how fast teams respond to issues, cutting mean time to repair (MTTR), and making developers more productive. In turn, Hopper becomes a cost-saving tool for businesses.

“We didn’t start Hopper because the world needed another SCA tool,” said Roy Gottlieb, Co-founder and CEO. “We started it because existing solutions overwhelm teams and slow down development. Hopper is built to cut through the clutter, surface real risks, and make open-source security fast, accurate, and developer-friendly.”

A better way to find real threats

Most vulnerability databases, including NVD, OSV.dev, and GitHub, do not show where in the code a problem exists. The CVE system leaves out these details to avoid helping attackers, but that omission also makes fixing problems harder.

Take Log4j as an example. It has more than 60,000 lines of code and 7,000 functions, yet only one function, a lookup function in the JndiManager class, was vulnerable. Hopper addresses this with its own database that maps vulnerable functions across open-source projects.

“Hopper doesn’t just tell you there’s a problem,” said a Fortune 100 CISO under NDA. “It shows you the exact line of code, the function, and the proof. That’s what gets developers to fix it.”

Built for modern security and engineering teams

Where legacy SCA tools inventory manifest files, Hopper simulates how applications are built and executed, providing deep visibility without agents or CI/CD integration. It delivers:

  • Function-level reachability across direct, transitive, and internal dependencies
  • Full SBOM and VEX export, aligned with compliance workflows
  • Agentless deployment, via read-only Git access
  • Contextual remediation evidence, linked directly to source
  • Automatic asset discovery, including internal and shadow dependencies
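Function-level reachability, as the Log4j paragraph above and the first bullet describe it, comes down to one question: does any call chain from the application's entry points reach the one function the advisory names? The Python below is an added illustration of that check, not Hopper's code; the call graph, advisory ids and function names are constructed placeholders, and the Log4j-like chain is a simplified stand-in rather than the real library's call graph.

```python
from collections import deque

# Constructed call graph for a hypothetical service: caller -> callees.
# "app.*" is first-party code, "lib.*" a direct dependency, "dep.*" a
# transitive one. Simplified stand-in, not the real Log4j call graph.
CALL_GRAPH = {
    "app.main": ["app.handle_request"],
    "app.handle_request": ["lib.Logger.error"],
    "lib.Logger.error": ["lib.MessageFormatter.format"],
    "lib.MessageFormatter.format": ["lib.Interpolator.lookup"],
    "lib.Interpolator.lookup": ["lib.JndiManager.lookup"],
    "lib.JndiManager.lookup": [],
    "dep.Parser.resolve_external": [],  # shipped in the tree, never called
}

# Hypothetical advisory database: advisory -> the one vulnerable function
# (placeholder ids, not real CVEs).
VULN_DB = {
    "ADVISORY-PLACEHOLDER-1": "lib.JndiManager.lookup",
    "ADVISORY-PLACEHOLDER-2": "dep.Parser.resolve_external",
}


def find_path(call_graph, entry_points, target):
    """Shortest call chain from any entry point to target, or None."""
    parents = {e: None for e in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:  # walk parent links back to the entry point
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return path[::-1]
        for callee in call_graph.get(fn, []):
            if callee not in parents:  # first visit; record the caller
                parents[callee] = fn
                queue.append(callee)
    return None


def triage(call_graph, entry_points, vuln_db):
    """Split advisories into reachable (with evidence chain) and unreachable.
    A manifest-only scanner would flag every advisory in vuln_db."""
    reachable, unreachable = {}, []
    for advisory, fn in vuln_db.items():
        path = find_path(call_graph, entry_points, fn)
        if path is None:
            unreachable.append(advisory)
        else:
            reachable[advisory] = path
    return reachable, unreachable
```

The chain returned for a reachable advisory is the kind of source-linked evidence the bullets call contextual remediation evidence; the unreachable advisory is the noise a manifest-only scan would still raise.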
