Joined March 2009
23 Photos and videos
Andrea Michi reposted
.@AlmanaxAI is joining @depthfirstlabs! @mmwtsn and I started the company two years ago because we'd grown tired of seeing weekly multi-million-dollar hacks destroying blockchain companies and stealing people's life savings. We believed the industry needed to move from annual security audits and pentests to continuous ones, and that AI would eventually get us there. We were among the first to see the potential of AI in cyber and build new solutions in this space. When we started, most security teams told us our product wouldn't work, they didn’t need more findings, and they didn't trust AI to be good. But then we saw how the commercial tools our clients were using were missing many of the vulnerabilities we were detecting, while producing an absurd number of false positives. We ended up working with some of the largest blockchain companies: Solana, Stellar, Aptos, Privy and Bridge (now part of Stripe), DFNS, Algorand. When people didn't believe, we showed them results: we found issues in Vitalik's code (arguably one of the best software engineers on Earth), ethically disclosed hundreds of vulnerabilities (to Ripple, Coinbase, Fireblocks), and won security competitions against thousands of researchers. As we progressed, we realized that while crypto companies were among the most vulnerable (exploits directly steal money), the problem was widespread beyond blockchain. The rise of vibe coding created an enormous new attack surface and new models and harnesses were detecting vulnerabilities that had gone unnoticed in software packages for decades, some of which power most of today’s internet. The time between CVE public disclosure and first confirmed in-the-wild exploitation has dropped from 2.3 years in 2018 to eight hours today. This and the release of frontier cyber models shook the industry. So we expanded our product support to languages and tech stacks used widely by enterprises. But the scale of what needs to be done requires more than what any one small team can do alone We believe joining forces with depthfirst will significantly accelerate our shared vision to secure the world’s software. depthfirst is already swinging at the same future we set out to build, with the team and the resources to lead the way. Their bet, and now ours, is that the next major security platform will be in product security. As their investor @arshammem put it, every category eventually gets one company whose name becomes synonymous with it: Palo Alto Networks for the network, CrowdStrike for the endpoint, Wiz for the cloud. Product and application security, notwithstanding many attempts, is still left without a crowned victor. We think depthfirst can be that company. Thanks to our great team, investors, and customers who believed in us and shared our vision of the world. Our ambition is now even bigger and we’re excited to build that future with @qasimmith, @andreamichi, Daniele, and the entire @depthfirstlabs team.
6
9
47
4,892
Welcome to the team @AlmanaxAI - Great to have you onboard
@AlmanaxAI is joining @depthfirstlabs! The window to get AI security right is narrowing. As models get more capable and the attack surface expands, defenders need to move faster than the threat. When we met @francescpicc and team, it was clear they had been working through the same hard problems and shared our view of where security is going. We’re thrilled to welcome them onboard.
1
1
14
735
Due to cybersecurity concerns, @PGE4Me will no longer provide electricity to software engineers
2
1
18
1,244
We launched the Open Defense initiative with the primary goal to help critical open source during this time depthfirst.com/open-defense
Recently, @depthfirstlabs with AI found 21 security issues. Legit, credit where it's due, some of them were serious. Whilst disclosure is nice, and some fixes were even sent out, like with the Mythos-found issues, the best would have been to avoid having the issues altogether.
1
1
9
971
Proud of @depthfirstlabs commitment for securing open source software with scalable state of the art detection
We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up: depthfirst.com/research/21-z…
5
324
Supply Chain attacks will only get worse from here. We want to help
AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this, today we’re launching the depthfirst Dependency Firewall to find and block malware in supply chain dependencies before they’re installed. It uses the same engine that discovered NGINX Rift, now optimized to detect malware in open-source packages. We want companies to move faster with AI, without compromising security. Above all, @depthfirstlabs is a mission driven organization. This is another step towards achieving our mission of securing the world's software, an increasingly urgent need as artificial intelligence accelerates how software is built, deployed and attacked.
4
349
This is the way. Tokenmaxxing is the equivalent of obsessing over working hours. Just focus on the output and the rest will likely be positively correlated.
My opinion on tokenmaxxing is companies shouldn’t mandate/constrain any tools at all and then evaluate software developers by output / (salary token use)
1
9
433
Andrea Michi reposted
Cybersecurity is a perfect example. Recent advancements are enabling solutions that actually solve problems in this market.
Sometimes they're a good reason to work on something. When people say a market is "crowded," what that often means is that there's a real problem and none of the solutions are good enough yet.
13
25
441
802,305
Andrea Michi reposted
learned this quote from 2023 is making rounds -- i actually don't think this is true anymore in 2026! The model should be invisible. i expect us to flip back to ux in the form of agent behavior continual learning loops; and the alpha is in making models feel natural and as invisible as possible.
26
21
413
126,453
Andrea Michi reposted
This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed forbes.com/sites/thomasbrews… (Photo: Depthfirst)
9
16
72
124,641
depthfirst ♥️ OSS
Using the same system, we found NGINX RCE, Linux LPE, Chrome RCE, FFmpeg RCE and a lot of other critical Vulnerabilities, feel free to try it out! We are trying our best to help secure OSS!
8
466
Andrea Michi reposted
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift
23
293
1,079
207,275
👀
Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?
2
364
Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. We’ve been investing heavily in the entire agentic security technology stack: a harness that allows models to efficiently reason through code the way a security engineer would, the context understanding to validate exploitability and produce ready-to-merge fixes, and recently, post-trained models optimized for vulnerability discovery. Today we shared a datapoint that highlights the value of that approach. depthfirst autonomously identified 12 vulnerabilities in @FFmpeg , after Anthropic did several hundred runs with Mythos, for 1/10th of the compute cost reported by Anthropic. As a former @GoogleDeepMind researcher, I am grateful to foundation labs for pushing the boundaries of what AI can do, as every advance there gives us a stronger base to build on. But running general purpose models without the proper harness can be too expensive to be economically viable. That's what makes today's launch possible. The efficiency we've built lets us put frontier-level security in the hands of the maintainers who need it most, before open source models catch up and bad actors wield these capabilities without filters or guardrails. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.
3
8
49
10,536
Securing open source software has been part of our original mission from the start and I'm proud of our increased effort in this direction
Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in widely-reviewed codebases. Open source models will catch up soon, and when they do, bad actors will have unfiltered access to these capabilities. We have a narrow window to harden critical software before that happens. This is the time to act, but until today frontier-level security, like what Mythos offers, has been reserved for a handful of large companies who are required to pay a lot for access. depthfirst is not only comparable in performance but also goes significantly beyond surface level findings, highlighting real, exploitable vulnerabilities due to its understanding of the system’s context and ability to verify like an attacker would. depthfirst found vulnerabilities in FFmpeg that Mythos missed, at a tenth of Anthropic's self reported spend. We want every defender to have these capabilities, starting with the open source projects the world runs on. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.
3
306
Andrea Michi reposted
“I don’t want any non-deterministic solutions in my cybersecurity stack” brother the next few years are going to be very rough for you
34
17
233
26,947
Andrea Michi reposted
In my estimation, defenders (of organizations) have roughly 1 year before attackers have 10-100x'd their capabilities at vulnerability discovery and exploitation. While top-tier projects such as Linux, Chrome, Firefox can remediate this volume of vulnerabilities, not all can.
So Mythos was, indeed, not marketing hype. Remember this is a general purpose model that just happens to be good at finding exploits because good models are good at lots of things. Expect similar from OpenAI & Google. And from open models in 8 months. hacks.mozilla.org/2026/05/be…
7
20
72
25,453
I'm reading a classic novel and it gives me joy knowing that the author actually meant to use the em dash
1
3
200
"LLMs will discover entire new classes of attacks"
9
644
Securing systems is a necessary step to enable more powerful AI models. Security is a bottleneck. It shouldn't be.
Thank you @johncoogan and @jordihays at @tbpn for hosting our CEO and co-founder @quantumcastaway to talk about depthfirst and discuss the importance of cybersecurity in the age of AI.
3
12
1,318