Tromzo Acquisition Adds AI Team and Technology for Automated Security Remediation

Checkmarx purchased an artificial intelligence security startup run by Medallia’s former security leader to accelerate the company’s road map toward AI-powered autonomous application security.
Checkmarx CEO Sandeep Johri said the New York-area application security vendor’s acquisition of Silicon Valley-based Tromzo will dramatically reduce manual workloads and improve the velocity of secure software development. The deal will bolster Checkmarx’s vision of empowering developers, automating remediation for AppSec teams and taking on vulnerabilities arising from AI and agent usage.
“In an enterprise, you can’t just build a GPT wrapper, throw an LLM on top of something basic and get it to work,” Tromzo co-founder Harshil Parikh told Information Security Media Group. “You need to solve complex problems for complex enterprises. With AI, our architecture really leveraged that context – that business context from all over the enterprise – to solve the problem in a very effective way.”
Tromzo, founded in 2021, employs 10 people and has raised $11.1 million, having most recently completed an $8 million seed round in August 2023 led by Venture Guides, Alumni Ventures and Uncorrelated Ventures. The company has been led since its inception by Harshil Parikh, who spent six-and-a-half years at experience management software firm Medallia, rising to become senior director of security (see: Checkmarx CEO: Evolving Supply Chain Threats Demand Action).
What Makes Tromzo’s Approach to Agentic AI Different
Checkmarx had already envisioned an AI-first future for application security and had plans to build autonomous agents, but Johri said Tromzo’s 18-month head start in building mature agentic solutions allowed the company to accelerate its product roadmap significantly. Checkmarx conducted a proof-of-value comparing Tromzo with other partners or acquisition targets, and Tromzo emerged as the clear leader.
“We ran into Tromzo, heard about them and found that what they were building and had already built was very much in line with what we had planned,” Johri told ISMG. “Our main motivation was to accelerate our product launch and bring in a team that has that AI skill set because they’ve been working on it for 18 months. We had started, but it was only a few months.”
Parikh said Tromzo differentiated itself by deeply integrating AI with a data fabric designed for AppSec posture management, which gives it access to the business context required for accurate decision-making. This helps Tromzo’s agents move beyond identifying vulnerabilities and actually take meaningful action such as writing secure code and submitting GitHub pull requests automatically, he said.
“With AI, everyone uses similar or the same models,” Parikh said. “So, the difference is how much context, how much clean data can you actually feed it to get it to the right outcome?”
Unlike lightweight tools that rely on surface-level integrations or simple wrappers around language models, Tromzo built a data-rich, contextualized architecture grounded in application security posture management, Parikh said. Tromzo’s platform was designed from the ground up to ingest and apply business context to vulnerability management, enabling smarter, more relevant decision-making.
“Most of them don’t have anything for real, and when they have it, they haven’t scaled it for an enterprise,” Parikh said. “Tromzo came out on top. They had the most real technology on it, which is what convinced us.”
How Agents Can Assist With Every Phase of the SDLC
Large enterprises face a backlog of thousands of vulnerabilities, and Parikh said triaging this backlog is a time-consuming, manual task that security teams and developers alike find overwhelming. Tromzo’s agents, now integrated into Checkmarx’s ecosystem, can automatically filter out false positives, prioritize what matters and even remediate issues by generating code fixes, Parikh said.
“Now the agents can go look into the rest of the organization’s setup – like deployment files, CI/CD, how the production is set up – and decide, ‘Okay, this is real, this is not real,’” Parikh said. “And if it is real, automatically write code in GitHub for that organization and create pull requests. So, this short-circuits this entire create-remediation loop from many months into a few minutes.”
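The triage loop Parikh describes has three steps: pull deployment context for the service a finding belongs to, use it to dismiss findings that cannot matter in production and rank the rest, then turn a confirmed finding into a concrete change. The script below is an added illustration of that loop, not Tromzo’s or Checkmarx’s code; the findings, service contexts, scoring weights, package names and requirements file are all constructed for the example, and the context lookup stands in for what an agent would read from CI/CD and infrastructure configuration.

```python
"""Context-aware triage of scanner findings (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    cwe: str
    severity: str                        # scanner severity: critical, high, medium, low
    service: str                         # service the file or package belongs to
    location: str                        # source path or "pkg:<ecosystem>/<name>@<version>"
    fixed_version: Optional[str] = None  # first non-vulnerable version, if known
    exploit_known: bool = False


@dataclass(frozen=True)
class ServiceContext:
    """Deployment facts an agent would pull from CI/CD and infrastructure config."""
    deployed_to_prod: bool
    internet_facing: bool
    handles_pii: bool
    build_excludes: tuple = ()           # path prefixes left out of the production build


SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}


def triage(finding: Finding, contexts: dict) -> tuple:
    """Return (verdict, score, reasons); verdict is real, not_real or needs_review."""
    ctx = contexts.get(finding.service)
    if ctx is None:
        # Without context the finding can be neither confirmed nor dismissed.
        return ("needs_review", SEVERITY_BASE[finding.severity],
                ["no deployment context for service"])
    if not ctx.deployed_to_prod:
        return ("not_real", 0.0, ["service is not deployed to production"])
    if any(finding.location.startswith(p) for p in ctx.build_excludes):
        return ("not_real", 0.0, [f"{finding.location} is excluded from the production build"])
    score = SEVERITY_BASE[finding.severity]
    reasons = [f"scanner severity {finding.severity}"]
    if ctx.internet_facing:
        score += 2.0
        reasons.append("service is internet-facing")
    if ctx.handles_pii:
        score += 1.0
        reasons.append("service handles PII")
    if finding.exploit_known:
        score += 2.0
        reasons.append("public exploit known")
    return ("real", min(score, 10.0), reasons)


def prioritize(findings: list, contexts: dict) -> list:
    """IDs of confirmed findings, highest contextual score first."""
    real = [(f.id, triage(f, contexts)[1]) for f in findings
            if triage(f, contexts)[0] == "real"]
    return [fid for fid, _ in sorted(real, key=lambda r: r[1], reverse=True)]


def propose_dependency_fix(finding: Finding, requirements_text: str) -> Optional[dict]:
    """Build the content of a version-bump pull request for a package finding."""
    if not finding.location.startswith("pkg:") or finding.fixed_version is None:
        return None
    name, current = finding.location.split("/", 1)[1].split("@")
    lines = requirements_text.splitlines()
    patched = [f"{name}=={finding.fixed_version}" if ln.strip() == f"{name}=={current}" else ln
               for ln in lines]
    if patched == lines:
        return None                      # pinned version not present; nothing to change
    return {"branch": f"fix/{finding.id.lower()}-{name}",
            "title": f"Bump {name} from {current} to {finding.fixed_version} ({finding.id})",
            "requirements": "\n".join(patched) + "\n"}


# Constructed sample data: service contexts and scanner findings.
SAMPLE_CONTEXTS = {
    "checkout-api": ServiceContext(True, True, True, build_excludes=("tests/",)),
    "batch-reporter": ServiceContext(True, False, False),
    "legacy-demo": ServiceContext(False, False, False),
}
SAMPLE_FINDINGS = [
    Finding("F-1", "CWE-89", "high", "checkout-api", "src/orders/query.py"),
    Finding("F-2", "CWE-79", "high", "checkout-api", "tests/fixtures/render.py"),
    Finding("F-3", "CWE-502", "critical", "legacy-demo", "src/loader.py"),
    Finding("F-4", "CWE-400", "medium", "batch-reporter",
            "pkg:pypi/examplelib@1.2.0", fixed_version="1.2.5"),
]
SAMPLE_REQUIREMENTS = "otherlib==3.4.1\nexamplelib==1.2.0\n"


def run_example() -> dict:
    """Verdict and score per finding over the constructed sample."""
    return {f.id: (triage(f, SAMPLE_CONTEXTS)[0], triage(f, SAMPLE_CONTEXTS)[1])
            for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    for fid, (verdict, score) in run_example().items():
        print(fid, verdict, score)
    print("order:", prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXTS))
    print(propose_dependency_fix(SAMPLE_FINDINGS[3], SAMPLE_REQUIREMENTS))
```

The point of the context step is that two findings with the same scanner severity end up far apart: the SQL-injection finding in an internet-facing service that handles PII rises to the top, the XSS finding in a test fixture that never ships is dismissed with a stated reason, and the critical deserialization finding in an undeployed service is set aside rather than consuming triage time. Keeping the reasons alongside the verdict matters for an automated system, since a reviewer must be able to see why a finding was dismissed and reverse it when the deployment context was wrong or stale.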
Parikh outlined a future in which agents exist across every phase of the SDLC, from architecture design through code development to runtime environments, creating continuous security coverage without relying on human intervention at every step. Checkmarx wants to ensure AI-generated code is secure at the time of creation, prioritize and remediate the backlog, and address new attack surfaces, Johri said.
“We think of agentic and AI-based impact on AppSec in three categories,” Johri said. “One is developers – what can we do for them to ensure any new AI-generated code is secure to begin with? Second is AppSec teams – these agents can prioritize and remediate, sometimes automatically. And the third is securing AI environments themselves, because agents and LLMs become part of the new attack surface.”
Checkmarx had been relatively quiet on the M&A front in recent years since Johri wanted to first focus on profitability, cloud platform maturity and market leadership. Now, with a healthy EBITDA margin and 75% of customers on the cloud-native platform, Checkmarx is ready to return to acquisition mode and is evaluating additional targets, especially those that enhance the company’s innovation lead for large enterprises.
“Tromzo is one,” Johri said. “There will be others. We are very focused on AppSec, but within AppSec, there’s a lot of things that we could be adding. So we are always open, and I think you’ll see some more acquisitions before the end of the year.”
