# Corgea

> AI-native application security platform that finds and fixes vulnerabilities in code, dependencies, infrastructure, and containers with developer-ready fixes.

Corgea is an AI-native application security (AppSec) platform built for developers, security engineers, and DevOps teams. Backed by Y Combinator and investors including Shorooq Partners, Decacorn, Unbound Ventures, and Propeller Ventures, Corgea positions itself as a unified security control plane that replaces fragmented point scanners. The platform delivers findings and developer-ready fixes across code, packages, infrastructure, and containers — all from a single interface.

## What It Is

Corgea is a cloud-based AppSec suite that combines AI-powered static analysis (SAST), dependency scanning, secrets detection, container scanning, infrastructure-as-code (IaC) scanning, code quality scanning, attack surface mapping, and autonomous AI pentesting. Unlike traditional SAST tools that generate high volumes of false positives, Corgea's stated design goal is higher-signal detection paired with accurate, review-ready fixes that developers can apply directly in their IDE or pull request workflow.

## Core Product Suite

Corgea's platform spans multiple scanning disciplines under one control plane:

- **AI SAST** — Static analysis that detects business logic flaws, broken authentication, missing authorization checks, and other code-level vulnerabilities, with auto-generated fixes.
- **Dependency Scanning** — Reachability-aware package risk assessment with upgrade guidance.
- **Secrets Scanning** — Detection of leaked credentials before they become incidents.
- **Container Scanning** — Image-level risk prioritization for modern delivery pipelines.
- **IaC Scanning** — Shift-left cloud policy checks for Terraform and other infrastructure-as-code formats.
- **Code Quality Scanning** — Maintainable code standards with developer-friendly feedback.
- **Attack Surface Mapping** — Reachable endpoint mapping tied to real vulnerabilities, tracing paths from public routes to exploitable code and packages.
- **AI Pentest** — Autonomous pentesting with auditor-ready reports (launched during Corgea's Launch Week).
- **Security Design Review** — Design-stage risk review grounded in the repository.
- **Skills Scanning & Registry** — Security review and governed distribution for AI agent skills.

## Developer Workflow Integration

Corgea integrates directly into the tools developers already use. On the source control side, it supports GitHub, GitLab, Azure DevOps, Bitbucket, and Harness. For IDEs, it offers extensions for Visual Studio Code, Cursor, Visual Studio 2022, and IntelliJ. The platform also exposes an MCP server for agent-powered workflows and integrates with AI coding agents including Claude Code, GitHub Copilot, and OpenAI Codex. JIRA, Slack, webhooks, and a REST API round out the integration surface for security and DevOps teams.

## Audience and Use Cases

Corgea targets a broad set of roles across the software delivery lifecycle:

- **CISOs** — Unified reporting, compliance controls (SOC 2 Type II certified), SSO/SCIM, and audit logs.
- **Security Engineers** — Custom and blocking rules, SLA management, RBAC, and team management.
- **Developers** — IDE-native findings, PR scanning, and auto-fix suggestions that reduce context switching.
- **DevOps** — CI/CD pipeline integration, scheduled scans, and container/IaC coverage.
- **AI Agents** — Skills scanning and registry for securing agentic workflows.

Industry verticals called out on the site include Fintech & Financial Services, Enterprise SaaS, Healthcare & Biotech, Energy, Startups, Consumer & Retail, and Hardware & Manufacturing.

## Update: Launch Week — AI Pentest and Skills Scanning

Corgea's most recent product movement, highlighted prominently on the homepage, is "Launch Week Day 4: AI-Pentesting" — the release of an autonomous pentesting product that generates auditor-ready reports. Alongside this, the company launched Security Design Review (design-stage risk analysis grounded in the repo) and Skills Scanning & Registry (security review for AI agent skills). The blog shows a changelog entry dated June 25, 2026, indicating active product development and regular release cadence. The platform also publishes real-time CVE research and security advisories through its research program.

## Features
- AI SAST with auto-fix generation
- Logic flaw and broken auth detection
- Dependency scanning with reachability analysis
- Secrets scanning
- Container scanning
- IaC misconfiguration scanning
- Code quality scanning
- Attack surface mapping
- AI pentesting with auditor-ready reports
- Security design review
- Skills scanning and registry for AI agents
- PR scanning
- Scheduled scans
- Custom and blocking rules
- RBAC and team management
- SLA management
- Reporting and analytics
- JIRA integration
- Slack integration
- REST API and webhooks
- MCP server
- IDE extensions (VS Code, Cursor, Visual Studio, IntelliJ)
- SCM integrations (GitHub, GitLab, Azure DevOps, Bitbucket, Harness)
- SBOM and license enforcement
- SSO and SCIM (Enterprise)
- Single-tenant deployment (Enterprise)
- SOC 2 Type II compliance

## Integrations
GitHub, GitLab, Azure DevOps, Bitbucket, Harness, Visual Studio Code, Cursor, Visual Studio 2022, IntelliJ, Claude Code, GitHub Copilot, OpenAI Codex, JIRA, Slack, Terraform

## Platforms
WINDOWS, WEB, API, VSC_EXTENSION, JETBRAINS_PLUGIN, CLI

## Pricing
Freemium — Free tier available with paid upgrades

## Links
- Website: https://corgea.com
- Documentation: https://docs.corgea.app/
- EveryDev.ai: https://www.everydev.ai/tools/corgea
