Neatsun Ziv, Co-Founder and CEO of OX Security – Interview Series

Neatsun Ziv, Co-Founder and CEO of OX Security, is at the forefront of redefining software supply chain security for the DevSecOps era. Before founding OX, he served as VP of Cyber Security at Check Point, leading global initiatives and orchestrating rapid responses to high-profile threats such as SolarWinds and NotPetya. His work often put him in direct collaboration with Interpol, national CERTs, and other enforcement agencies during some of the most critical cyber incidents of the past decade.
OX Security is an application security platform designed to cut through the noise, helping organizations focus on the small percentage of risks that truly matter. Leveraging analysis of exploitability, reachability, and business impact, the platform delivers evidence-based prioritization across the entire software development lifecycle. With full code-to-cloud coverage, 100+ integrations, and no-code workflows, OX embeds guided remediation directly into developer workflows, ensuring security measures are both effective and frictionless.
Before co-founding OX Security, you led major incident responses at Check Point. What made you decide it was time to start your own company, and what gap did you see in the application security space?
Working at Check Point, I experienced firsthand the “Corporate Velocity Gap” – traditional security enterprise moves at a slower pace. I also saw how security teams were quite inefficient in various ways, especially when it came to prioritizing risks correctly.
At the same time, I recognized that generative AI (at the time underdeveloped) represented the future of how security tooling needed to evolve, and indeed, it moved at great speed. Several critical shifts were happening simultaneously:
Threat Actor Acceleration: Attackers were rapidly adopting new technologies and techniques, moving faster than security solutions could keep up with.
The “Vibe Coding” Phenomenon: The term didn't exist at the time, but I saw developers increasingly relying on AI-assisted coding tools like Copilot, fundamentally changing how software gets built and introducing entirely new security considerations.
Supply Chain Attack Evolution: The acceleration of software supply chain attacks created an urgent need for new approaches to application security that existing tools simply weren't addressing.
Incremental improvements within existing corporate structures wouldn't be sufficient to address these rapidly evolving challenges.
My final realization was that threats were moving fast into the code – and security needed to follow. We needed to break from the known frameworks and start running in a new fast race.
OX's core mission is to help developers focus on the 5% of vulnerabilities that actually matter. When did that insight crystallize for you, and how does it shape product decisions today?
Having managed fairly large operations of development teams, I witnessed how overwhelming the sheer volume of security-related issues can be. You need to understand what's important and what isn't. Going through endless lists doesn't advance the company toward risk reduction. Instead, it creates frustration and even pulls companies away from reducing risk, as it simply consumes so much time and so many resources.
This taught us that we need to help developers focus on what truly matters – and then explain to them why it matters. After that, we need to show them how to solve it easily, or better yet – solve it for them – which is now possible through tools like Agent OX.
This insight became the foundation upon which we built the company, and it's what guides all of our product decisions today. Every feature, every capability we develop starts with the question: “Does this help developers focus on what actually matters? Does this reduce risk?”
The platform is centered on “Code Projection” to map risk across the SDLC. Can you explain how this technology works and what makes it different from other vulnerability management tools?
Code Projection is fundamentally a technology that sees a problem in code and knows in advance how it will behave when that code reaches the cloud. This allows you to solve problems long before they're running in production – when the risk is already exposed.
It works by understanding that every piece of code has a process that builds it and brings it to the cloud – CI/CD. We can read the code and interpret what it means. To give a blunt example – what gets exposed to the internet obviously has different implications than what doesn't.
The key difference from other products is that most tools end their work with a long list of problems. Without being able to focus on the 5% or even less of truly significant risks, filtering through these – you end up with timeframes that are almost irrelevant. You also don't know which developer to assign the issue to.
Our approach changes that entirely – we don't just identify problems, we provide context, prioritization, and clear ownership.
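To make the "context, prioritization, and ownership" idea concrete, here is a small added illustration (not OX's code or algorithm): a triage pass that down-weights findings whose code path is never invoked, up-weights findings in internet-exposed paths, and maps each surviving finding to an owning team. The exposure map and ownership map are constructed stand-ins for what a real tool would derive from IaC, CI/CD configuration and a CODEOWNERS file; the weights are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    id: str
    file: str
    severity: float      # base score on a 0-10 scale, as a scanner would report it
    reachable: bool      # is the vulnerable code path actually invoked by the app
    exploitable: bool    # is a working exploit known for this issue

# Constructed deployment context: which path prefixes end up internet-exposed.
INTERNET_EXPOSED = {"api/": True, "internal/": False, "batch/": False}
# Constructed ownership map, in the spirit of a CODEOWNERS file.
OWNERS = {"api/": "team-platform", "internal/": "team-data", "batch/": "team-data"}

def context_for(path):
    """Return (internet_exposed, owner) for a source path; unknown paths are unexposed."""
    for prefix, exposed in INTERNET_EXPOSED.items():
        if path.startswith(prefix):
            return exposed, OWNERS[prefix]
    return False, "unassigned"

def score(finding):
    """Contextual score: unreachable code is heavily discounted, exposure and exploitability raise it."""
    exposed, _ = context_for(finding.file)
    s = finding.severity
    if not finding.reachable:
        s *= 0.2
    if exposed:
        s *= 1.5
    if finding.exploitable:
        s *= 1.3
    return round(min(s, 10.0), 2)

def triage(findings, threshold=7.0):
    """Keep only findings above the threshold, each tagged with its owner, highest score first."""
    kept = []
    for f in findings:
        s = score(f)
        exposed, owner = context_for(f.file)
        if s >= threshold:
            kept.append({"id": f.id, "score": s, "exposed": exposed, "owner": owner})
    return sorted(kept, key=lambda r: r["score"], reverse=True)

# Constructed sample findings: only two of the four deserve a developer's attention.
SAMPLE = [
    Finding("F1", "api/login.py", 9.8, reachable=True, exploitable=True),
    Finding("F2", "api/metrics.py", 7.5, reachable=False, exploitable=True),
    Finding("F3", "internal/report.py", 8.0, reachable=True, exploitable=False),
    Finding("F4", "batch/cleanup.py", 5.0, reachable=True, exploitable=False),
]
```

Running `triage(SAMPLE)` leaves F1 (exposed, reachable, exploitable) and F3, each with an owning team; F2 drops out despite its high base score because the code is never reached.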
You offer full integration across scanning tools, secrets management, SBOM, SaaS discovery, and more. What were some of the hardest technical challenges in unifying all of these into a seamless developer experience?
The hardest problem is transforming data into insights. Data is all the things you've just mentioned. But developers need clarity, bullet points, and reasoning. Focused communication. How to transform mountains of data into actionable insights – that's the biggest challenge in the industry.
Synthesizing that information in a way that tells a coherent story and provides clear, prioritized actions that developers can actually execute on – this was the biggest challenge.
PBOM (Pipeline Bill of Materials) is an OX innovation. How is it different from SBOM, and why is it essential for securing modern software supply chains?
PBOM is the ability to look at everything that happens to software from the moment it's written until it's in production. SBOM is a component within that – it looks at all the software packages that are inside an application.
To answer the previous question – PBOM is actually the foundation that enables us to transform data into insights, because it looks at a much broader picture – all the data. It captures the entire journey and transformation of code, not just the final components.
This comprehensive view is essential because traditional security tools only see the end result, missing critical attack vectors like compromised build tools, malicious commits, or pipeline manipulation that happen during development and deployment.
OX just unveiled Agent OX—a new multi-agent architecture where each AI model is focused on specific vulnerability types and programming languages. What drove this design decision, and how do you ensure that the fixes it proposes are both explainable and trustworthy in practice?
We created this multi-agent approach by looking at how humans develop expertise and applying that same principle to AI. To be an expert at something, a developer needs to be an expert in the language, the specific architecture, and the specific organization. A single developer can't fix all problems, and by the same logic a single AI agent also can't reach that level of expertise. Additionally, you want an agent who can handle quality assurance.
So each agent develops deep expertise in its specific domain, just like human specialists do.
For trustworthiness and explainability, each agent not only proposes fixes but explains its reasoning, shows its work, and allows developers to understand exactly why a particular solution was chosen.
What led you to focus on one-click remediation directly inside developer workflows? And how do you ensure that developers maintain control and don't encounter unintended side effects?
The main idea is to reduce friction and enhance security fixes. We give developers full control to review and validate the proposed fix before accepting it.
The key is that “one-click” doesn't mean “automatic” – it means streamlined. Developers can see exactly what will be changed, understand why, review the proposed solution, and then choose to apply it with a single action. The control and decision-making remain entirely in their hands, but we eliminate the tedious manual work of researching and implementing the fix.
You count Microsoft, IBM, and SoFi among your customers. How do these enterprise relationships shape your roadmap and feedback process for tools like Agent OX?
We work with hundreds of customers, and dozens of them openly share with us the challenges they encounter. These deep discussions about roadmap and design patterns are the cornerstone of our ability to fine-tune the proposed solution. We highly value the relationships we have with our customers and see them as a top priority for us as a company; they guide us as we understand real-world needs and create solutions to solve them.
As AI security tools become more mainstream, how do you balance automation with developer trust and control? Where do you draw the line between assistive and autonomous?
As we've seen in previous revolutions, those who don't jump on the wagon don't survive. We are beginning to see organizations we work with that have shifted all of their resources to AI adoption because they understand that we are witnessing a revolution.
These are actually our most collaborative customers because they're facing a new uncharted tension: their developers need to move fast with AI tools, but they're concerned about losing control. They are even willing to accept the risk and temporary loss of control in order to gain a competitive edge, but they need us to help them regain trust. Our job is to allow them the speed they need, while rebuilding confidence in the process.
You recently closed a $60M Series B. How will this funding accelerate OX's next phase of growth—whether on the tech, go-to-market, or international expansion side?
The new funding is fundamentally about expansion, and will also help us enhance our capabilities in identifying risks derived from AI-generated code, which we are now starting to see with the launch of Agent OX.
We're already analyzing over 100 million lines of code daily for more than 200 paying customers. This funding positions us to scale that impact globally while maintaining our focus on the core questions that have always guided us: “Does this help developers focus on what matters? Does this reduce risk?”
Thank you for the great interview. Readers who wish to learn more should visit OX Security.