
Every product manager or software engineer knows this disaster scenario. They’ve been building a product for months, leapt through every hoop of organizational sign-off, conducted endless user interviews and A/B tests, and the day before launch an email shows up in their inbox: “IMPORTANT!! Product security: Concerns with feature release.” Uh oh… Did no one get sign-off from the security team? 

Scale is excited to be leading Prime Security’s Series A, bringing automated product security reviews to every software release. Prime’s platform ingests project context, starting with a PRD or planned engineering tickets, and performs a comprehensive product security review, identifying security, privacy, and compliance risks. After presenting these findings, Prime makes suggestions on how development should proceed to minimize security risk. 

Product security teams act as the liaison between security and engineering and ensure that products are designed, built, shipped, and maintained in a secure manner. They can be pulled into product development as early as the design phase to consult on system architectures and implementation best practices. Typical tasks for a product security team include architectural design reviews, privacy reviews, supply chain analysis, and threat modeling, among others.

Although product security is critical, the process of reviewing product specifications prior to development has been historically taxing and difficult to automate. Product security orgs have long been handicapped by an imbalanced ratio between security engineers and software engineers (we’ve heard numbers as low as 1:30!). This has meant that in most organizations, product security teams spend their time only chasing down the highest-impact projects—85% don’t go through a formal review. It also makes product security a common bottleneck on the path to release. Engineers often wait weeks before product security approves a design so they can proceed with building. Or, worse, they start building without a review and later have to overhaul their code after product security catches wind of the feature and flags a fundamental architectural issue.

Product security has long been a workflow, but only with Prime has it become a software category. When people think about secure deployment, they often think of application security: finding, managing, and remediating vulnerabilities in code. While application security centers on maintaining security during PR reviews or post-deployment, product security focuses on the earlier phases of software development, ensuring that the team building a product incorporates security considerations from the start. Application security relies on one key piece of context: code. Product security, by contrast, relies on unstructured elements such as product requirement documents, technical specifications, and tribal knowledge about organizational priorities and risk tolerance.

Historically, there have been no software solutions to this problem, in no small part because of its unstructured nature. LLMs and graph-based architectures now make product security an addressable software category. LLMs can interpret unstructured context across specs, tickets, and documents, while graph architectures map the relationships between systems, features, and dependencies. This enables scalable, context-aware reviews that previously required human expertise.

There are two entry points for users on the Prime platform. Users can initiate a proactive review by uploading their PRD, or Prime can sit on top of a customer’s ticket management system and stitch together tickets related to a specific product or feature. In both cases, Prime collects context from other unstructured sources such as previous reviews, design docs, and system diagrams, automates the review process, and suggests actionable changes to engineers. Not only does Prime allow security engineers to conduct more thorough reviews, it also surfaces high-risk tickets to the security team that may otherwise have been missed. Teams are already using Prime to reduce the review time of complex products from several days to just one hour and to conduct fully automated reviews of features that were previously left unaddressed.

As code generation increases the velocity of new code being checked into codebases, the surface area that security teams need to cover is expanding just as fast. We’ve long believed that security at the developer level must evolve from a gating function to an integrated part of the build process. With Prime, security teams are finally equipped with tools that help them keep up with fast-moving development, reducing the number of “IMPORTANT!!” emails that have to go out.

It has been a pleasure to get to know Michael and co-founders Dimitry, Danny, and Matan who share this vision with us. They bring to the table a rare mix of deep product security experience and a keen sense for what is needed to carve out a formidable market position in an evolving space. We couldn’t be more excited to partner with them as they scale across New York and Tel Aviv and bring product security into the modern software-development era. 
