Stronger security posture
In a few weeks, AngelList surfaced complex vulnerabilities that were previously missed by internal security reviews, scanners, code-assisted pen tests, and bug bounties.
>2x security engineering team efficiency
General Security Intelligence replaced manual rule-writing and false positive triaging, so AngelList’s product security engineering team can focus on higher-level problems.
Single source of truth for security
General Security Intelligence has become AngelList’s system of record for code security, consolidating issues once scattered across Linear tickets, historical notes, and team knowledge.
"depthfirst felt like adding an autonomous senior product-security engineer. It quickly surfaced our top issues and got smarter over time by tracking context across scans, and it 2x'd the efficiency of our security engineering team"
AngelList is a household name in the tech industry, connecting founders, operators and investors. Because they handle highly sensitive financial and business data, their standards for security are exceptionally high. At the forefront of this are Alberto Martinez, Head of Security, and Utkarsh Kher, Product Security Engineer, whom we’ve had the pleasure to collaborate closely with over the last few months.
Six years earlier at his previous company, Alberto had grown the security organization to a 20-person team, including eight product security engineers. In that time, the company expanded from 70 to 1,000 engineers and from 5 to 15 products, all of which his team needed to secure.
He built a highly technical, offensive security program. Engineers used a rule-based static analysis engine and dynamic testing to break the app, trace issues back to their root causes, and partner with product teams on fixes. The model scaled with the team, but it was still fundamentally human driven. Leaving the company, Alberto set himself a personal goal: to build another security program from the ground up, with AI at its core.
At AngelList, Alberto set out to recreate the same level of security rigor he had built previously, this time with AI at the center. His first move was to bring over Utkarsh, a key contributor to that earlier security program. Together, they implemented a rule-based static analysis engine for structured, repeatable detection across the codebase, and layered on Claude Code. This allowed them to uncover nuanced issues such as authorization bugs and logic flaws that are hard to capture in pattern-based rules.
In practice, a core problem quickly emerged: LLMs are probabilistic. Running the same LLM-powered scanner multiple times on the same code did not always yield the same results, which made it difficult to treat AI findings as a stable, dependable backbone for the security program.
That inconsistency led Alberto and Utkarsh to evaluate depthfirst’s General Security Intelligence, an AI-native security platform that builds an understanding of an organization’s codebase, infrastructure and business logic to find real vulnerabilities and minimize false positives.
They ran a proof of concept by connecting a single repository and running General Security Intelligence for two weeks. The goal was to evaluate whether the AI-native security platform could deliver consistent, high-quality signal on real production code.
AngelList saw value from day one, with General Security Intelligence surfacing 15 vulnerabilities and no false positives. Some issues were already known to Utkarsh, which confirmed that it covered the basics. More importantly, it found completely new vulnerabilities that previous efforts had missed.
The limited test on one repository quickly expanded. As they added more repositories, the pattern held: depthfirst consistently found real issues, avoided noisy non-problems and maintained consistency from run to run. That combination of new signal, low noise and stable behavior convinced the team it was the solution they had been looking for. AngelList chose depthfirst as the foundation for its AI-native product security program.
On a weekly cadence, General Security Intelligence scans AngelList’s repositories, analyzes application code and dependencies, surfaces vulnerabilities and presents them as clear, actionable findings for the security team. This gives Alberto and Utkarsh an AI-powered view of risk across the codebase and removes the need to maintain a library of custom rules.
General Security Intelligence also acts as a security engineer reviewing pull requests. It reads the changes, understands how they relate to existing code and business logic, and flags security and code-quality issues before merges. When it finds something, it does more than raise a vague alert: it provides specific remediation suggestions and concrete code changes developers can apply directly in the pull request.
A key strength of General Security Intelligence is the way it presents issues. For each potential vulnerability, it checks whether clear exploit criteria are actually met in AngelList’s environment and explains its reasoning. When something turns out to be low severity, the platform explains why it is not exploitable, which builds confidence in the overall signal. When it finds a real vulnerability, it shows the full attack path so engineers can see how an attacker could move through the system and why the issue needs to be fixed.
Even before depthfirst, AngelList’s security team was already working with a rule-based static code scanner, writing custom rules for the security issues it discovered, triaging findings, and supplementing this with targeted AI-based checks using Claude via GitHub Actions. The company had run multiple penetration tests and maintained a bug bounty program.
With depthfirst, AngelList has been able to:
By putting General Security Intelligence at the center of its program, AngelList has freed its small security team to focus on higher-level work and keep security tightly integrated into fast-moving development workflows. AI is no longer an experimental add-on; it is the backbone of how AngelList secures its systems.
