Frequently Asked Questions
Answers to Your Most Common Questions. If we didn't get your question covered, reach out to us at hello@dryrunsecurity.com
How is DryRun Security priced?
Pricing is aligned with the size of your engineering and security teams. It focuses on the number of developers using the Code Review Agent and the number of owners requiring codebase visibility.
What deployment and compliance options exist?
DryRun is delivered as SaaS with strict data handling. It supports SOC 2, ISO 27001, PCI, and HIPAA by generating artifacts of SDLC controls.
How does DryRun conduct code reviews?
Reviews are based on the COVER model:
- Context: Understanding the language, environment, and business logic.
- Orchestration: Managing agents and integrating with CI/CD.
- Verification: Rigorously confirming flaws to eliminate false positives.
- Exploitability: Assessing if an attacker could actually leverage a flaw.
- Reporting: Providing actionable technical details and leadership summaries.
How are vulnerabilities prioritized?
They are ranked by impact and likelihood using SLIDE signals and asset context. Dashboards highlight the most critical areas for teams to address first.
How does DryRun reduce false positives?
It uses multi-signal context, policy tuning, and suppression of known-safe patterns. Developer feedback is also used to continually sharpen the signal.
How fast is the analysis?
It is optimized for speed; typical checks complete within seconds to minutes.
Do you provide fix suggestions?
Yes. Findings include plain-language explanations, suggested remediations, and, where appropriate, concrete code changes.
Can DryRun block a pull request or merge based on risk?
Yes. You can set risk thresholds that fail checks and enforce branch protection, with configurable approvals per team or repository.
What is the Custom Policy Agent?
This agent uses an AI assistant to turn your existing documentation into Natural Language Code Policies (NLCPs) without requiring custom scripts or brittle rules. It enforces these policies on every PR and identifies violations across the existing codebase.
What programming languages and frameworks are supported?
Support includes Python, Ruby, TypeScript, JavaScript, Java, Golang, C#, PHP, HTML, Elixir, Kotlin, and Swift. It analyzes common languages and config files used across web, backend, and cloud stacks.
What are the Code Review Agent analyzers?
These specialized sub-agents include:
- GSA: A comprehensive sentinel for web security best practices.
- XSS Analyzer: Detects unescaped user input in HTML.
- IDOR Analyzer: Identifies authorization flaws in object references.
- Mass Assignment Analyzer: Flags unauthorized data manipulation in object fields.
- Secrets Analyzer: Scans for hard-coded API keys or passwords.
- SSRF Analyzer: Detects user-controlled manipulation of server-side requests.
- SQLi Analyzer: Detects unsafe user input in SQL queries.
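To make concrete what three of these flaw classes look like in code, here is an added example written for this page (it is not DryRun's own code, rules or output). It pairs a vulnerable and a hardened version of a SQL injection, an IDOR and a mass-assignment pattern over a constructed in-memory SQLite database. The tables, rows, payload and function names are all invented for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for this demonstration; not data from any real system.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    display_name TEXT,
    is_admin INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    amount INTEGER NOT NULL
);
INSERT INTO users (id, username, display_name, is_admin) VALUES (1, 'alice', 'Alice', 0);
INSERT INTO users (id, username, display_name, is_admin) VALUES (2, 'bob', 'Bob', 0);
INSERT INTO invoices (id, owner_id, amount) VALUES (10, 1, 500);
INSERT INTO invoices (id, owner_id, amount) VALUES (11, 2, 700);
"""


def make_db() -> sqlite3.Connection:
    """Return a fresh in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- SQLi: user input interpolated into the query text vs. bound as a parameter ---

def find_user_ids_vulnerable(conn, username: str) -> list:
    # The username is spliced into the SQL string, so quote characters in it rewrite the query.
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_ids_hardened(conn, username: str) -> list:
    # Bound parameter: the value is passed separately and can never become SQL syntax.
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- IDOR: object fetched by id alone vs. id scoped to the requesting principal ---

def get_invoice_amount_vulnerable(conn, requester_id: int, invoice_id: int):
    # Ownership is never checked; any authenticated user can read any invoice by guessing ids.
    row = conn.execute("SELECT amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def get_invoice_amount_hardened(conn, requester_id: int, invoice_id: int):
    # The ownership predicate is part of the query, so a foreign id simply finds nothing.
    row = conn.execute(
        "SELECT amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, requester_id),
    ).fetchone()
    return row[0] if row else None


# --- Mass assignment: request fields written straight to the model vs. an explicit allowlist ---

EDITABLE_PROFILE_FIELDS = frozenset({"display_name"})  # invented allowlist for the example


def update_profile_vulnerable(conn, user_id: int, fields: dict) -> int:
    # Every key in the request body becomes a column write, including the privilege flag.
    for column, value in fields.items():
        conn.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (value, user_id))
    return conn.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def update_profile_hardened(conn, user_id: int, fields: dict) -> int:
    # Reject any key outside the allowlist before touching the database; only allowlisted
    # column names ever reach the f-string below.
    rejected = set(fields) - EDITABLE_PROFILE_FIELDS
    if rejected:
        raise ValueError(f"fields not editable through this endpoint: {sorted(rejected)}")
    for column, value in fields.items():
        conn.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (value, user_id))
    return conn.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    print("SQLi vulnerable:", find_user_ids_vulnerable(conn, payload))        # [1, 2]
    print("SQLi hardened:  ", find_user_ids_hardened(conn, payload))          # []
    print("IDOR vulnerable:", get_invoice_amount_vulnerable(conn, 1, 11))     # 700 (Bob's invoice)
    print("IDOR hardened:  ", get_invoice_amount_hardened(conn, 1, 11))       # None
    print("Mass assignment vulnerable is_admin:",
          update_profile_vulnerable(conn, 1, {"display_name": "A", "is_admin": 1}))  # 1
```

Each pair keeps the same signature so the difference is only the control that was missing: parameter binding, an ownership predicate in the query, and an allowlist of writable fields. Those are the structural shapes a reviewer (human or automated) looks for rather than any particular string pattern.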
How is DryRun different from SAST, DAST, and SCA tools?
Traditional tools rely on brittle regex and manual rules that lack context. DryRun goes beyond these by adding change context, developer intent, and environment signals to score actual risk and guide fixes.
What are the security agents and how do they work together?
The agents together form a comprehensive security team:
- DeepScan Agent: Establishes a baseline by securing code at rest with rapid full-repo testing.
- Code Review Agent: Acts as an AppSec engineer on every PR to prevent risky changes from merging.
- Custom Policy Agent: Operationalizes your rules and policies across the workflow.
- Codebase Insight Agent: Provides executive-level visibility and ROI analysis.
Can DryRun help me spend less time preparing for audits?
Yes. It automatically summarizes security-relevant changes and provides audit-ready reporting. Using the Code Insights MCP, customers can validate controls and capture evidence in minutes.
Do you support running our private LLMs or models?
Yes. DryRun can support private LLMs in many cases; contact us for specific details.
Do I have to use GitHub or GitLab?
DryRun Security currently supports code repositories on GitHub.com (personal, organization, and Enterprise Cloud accounts) and GitLab SaaS (gitlab.com). For custom instances or different source code managers (SCM), please contact DryRun for focused support options.
How do I test out DryRun Security? Is there a free trial?
Yes. Installation takes less than five minutes, followed by a quick call with an AppSec expert to tailor the instance to your environment.
How does DryRun Security integrate with GitHub Actions and GitLab CI/CD?
You connect DryRun to your organization with least-privilege permissions and add the GitHub Application or GitLab CI template. Every pull request (PR) then runs a contextual check with results posted directly on the PR.
How do you keep my code safe?
DryRun employs several safety measures:
- Private Models: Foundation models are private; data is NOT sent to public AI systems.
- Ephemeral Workloads: Isolated microservices do NOT persist code or artifacts after analysis unless needed for future context.
- No Retention: Repositories are NOT cloned or retained; only minimal metadata and findings are stored.
- No Sharing: Data is NOT shared with other customers or used to train third-party models.
- Security Audits: Infrastructure undergoes quarterly third-party assessments.
What signals go into the SLIDE model?
The SLIDE model combines five key areas:
- Surface: exposure and entry points.
- Language: framework and language-specific risks.
- Intent: what the change is attempting to do.
- Detections: findings from heuristics and scanners.
- Environment: secrets, reachability, infrastructure, and blast radius.
These combine into transparent risk ratings for both developers and AppSec teams.
What is Contextual Security Analysis (CSA) and how does it work?
DryRun Security gathers security context from your code repository at rest and on every code change. This context is evaluated across the SLIDE model to provide a comprehensive view of real risk rather than a single data point.