Ronen Slavin, CTO and Co-founder, Cycode – Interview Series

Ronen Slavin, CTO and Co-founder, Cycode, is a serial entrepreneur and former Unit 8200 officer of the Israel Defense Forces. Before launching Cycode in 2019, he co-founded FileLock, which was acquired by Reason Security in 2018, and served as Head of Research at Reason Cybersecurity. With deep expertise in malware detection, vulnerability research, and exploitation, Slavin has built a career at the intersection of advanced security research and product innovation.

Cycode is an AI-native application security platform that unites security and development teams with actionable context from code to runtime. By converging AST, ASPM, and software supply chain security, it secures both AI- and human-generated code. Powered by its Risk Intelligence Graph (RIG), proprietary scanners, and integrations, Cycode provides instant risk detection, Change Impact Analysis (CIA), and AI-driven fixes—closing visibility gaps, accelerating remediation, and lowering costs from day one.

What motivated you to start Cycode, and what key problem in software security were you aiming to solve from the beginning?

The idea for Cycode originated from something we had observed repeatedly; source code being stolen or inadvertently leaked into the wrong hands. After spending years in cybersecurity and the offensive security space, and leading endpoint protection at Reason, we came to realize just how critical source code is—not just as lines of code, but as one of a company’s most valuable assets. It was not getting the security it warranted.

That eye-opening realization is what inspired me to start Cycode. From the start, our mission was clear: protect source code at every stage, from the moment it’s written to the moment it is shipped, all without hampering developers’ drive and traction. We set out to ensure that security and engineering could work side by side, with security seamlessly integrated into the daily workflow, rather than being a roadblock.

What mattered most was giving teams the visibility, accountability, and collaboration they needed. Developers should not have to sacrifice their productivity for security, and security teams should not have to operate without context or control. Cycode was created to make both possible.

How did your previous experience as a cybersecurity entrepreneur and your service in Israel’s elite intelligence unit, Unit 8200, shape your technical approach at Cycode?

My time in Israel’s cybersecurity ecosystem, especially in elite technical environments, instilled a mindset of precision, adaptability, and relentless curiosity. Whether I was at Unit 8200 or in my early startup days, I learned to think like both an attacker and a defender. That dual perspective has been foundational to how we built Cycode.

As a cybersecurity entrepreneur, I saw firsthand how fragmented and reactive the security landscape had become. Security tools were often bolted on after the fact, leaving developers to navigate a maze of alerts without context. That’s what we set out to change.

At Cycode, we’ve taken a systems-level approach, treating source code as a critical asset and building security into the software development lifecycle from the ground up. My background has taught me that security must be proactive, contextual, and developer-friendly. That’s why we focus so much on automation, visibility, and bridging the gap between security and software development. It’s not just about finding vulnerabilities, it’s about fixing what matters, fast.

Cycode combines multiple layers of protection, including AST (Application Security Testing) and ASPM (Application Security Posture Management). For those unfamiliar, can you explain how these elements work together—and what makes Cycode’s approach unique?

Absolutely. At Cycode, securing modern software requires more than just scanning code; it demands a holistic understanding of how that code is built, deployed, and maintained. Now as an AI-native application security platform, our approach is a differentiator due to the convergence of Application Security Testing (AST), Application Security Posture Management (ASPM), and Software Supply Chain Security (SSCS).

AST tools, such as SAST, DAST, and SCA, are effective at identifying vulnerabilities in code, dependencies, and infrastructure. But they often operate in silos, generating alerts without context. That’s where ASPM comes in. ASPM connects the dots across your entire software development lifecycle. It provides visibility into the application security posture with risk prioritization and actionable remediation, SSCS sandwiches the platform to secure CI/CD pipelines.

What makes Cycode unique is how we unify these layers and set a new enterprise standard. Today in this era of AI, security will need to become smarter. We’ve built on our foundation with AST, ASPM and SSCS with AI agents to help prioritize and fix what matters faster, closing that security gap I mentioned earlier.

How does Cycode integrate with modern DevOps pipelines like GitHub, GitLab, or Azure DevOps to detect risks earlier in the lifecycle?

Cycode was built with modern DevOps in mind. We integrate directly into platforms like GitHub, GitLab, and Azure DevOps to embed security into every phase of the software development lifecycle, without slowing teams down.

Our platform connects to source control and CI/CD systems to continuously monitor code, configurations, and workflows. We scan and pull requests in real-time, so developers receive immediate feedback on vulnerabilities before code is merged. We also analyze commit history and metadata to assign issues to the right owners, reducing friction and speeding up remediation.

In our approach we don’t just surface alerts; we provide full context. This includes the origin of the issue, its potential impact, and the steps to resolve it. And because we integrate with tools like JIRA, we can automatically create and track tickets, keeping security and engineering in sync.

Ultimately, our goal is to shift security left in a controlled, developer-friendly manner, so risks are identified early, addressed promptly, and don’t become blockers later in the pipeline.

Can you walk us through how Cycode's Risk Intelligence Graph helps teams connect threats across code, containers, infrastructure, and runtime?

Yes, it’s a feature we’re proud to offer. The Risk Intelligence Graph, what we call RIG, is the engine behind Cycode’s ability to correlate and contextualize security data across the entire software supply chain.

Think of RIG as a dynamic map that ties together everything from source code and open-source dependencies to CI/CD pipelines, artifact registries, and runtime environments. It doesn’t just collect data—it understands relationships. So when a vulnerability is found in a container, RIG can trace it back to the exact line of code, the developer who committed it, the pipeline that built it, and the infrastructure it’s running on.

This level of visibility is critical. It enables security teams to prioritize risks based on their actual impact, rather than just severity scores. With AI built inside, it provides developers with actionable insights and full context, allowing them to fix issues faster and more confidently.

It’s important to note that RIG is not just a dashboard; it’s a decision-making tool. It helps teams move from detection to resolution at the speed of DevOps, connecting the dots across fragmented systems and surfacing the risks that truly matter.

How does Cycode detect and manage risk tied to AI-generated code and integrations with services like OpenAI or Hugging Face?

AI-generated code introduces a new layer of complexity and risk, particularly when it originates from external services such as OpenAI or Hugging Face. At Cycode, we’ve built capabilities specifically to address this evolving threat landscape. Most recently, our AI Exploitability Agent and MCP Server to secure AI development and vibe coding workflows.

As for our platform, we provide a centralized Application Asset Inventory that maps out all components in a software ecosystem, including AI models, third-party AI libraries, and integrations with services like OpenAI or Hugging Face. This provides teams with complete visibility into where AI is being used, even if it’s deeply embedded in the stack.

Second, we use proprietary code analysis tools that go beyond keyword matching. These tools can detect AI-generated code patterns and identify libraries or frameworks commonly associated with machine learning, NLP, or generative AI—even if they’re not explicitly labeled as such.

Third, Cycode continuously scans for AI-specific vulnerabilities, things like adversarial attack surfaces, data poisoning risks, and model extraction threats. These are emerging vectors that traditional AST tools often miss. We prioritize these risks based on severity and business impact, and we provide remediation guidance tailored to the AI context.

Finally, we help organizations stay compliant with regulations like the EU AI Act by automating documentation and providing transparency into how AI is used across the application. This includes generating reports on AI components, their purpose, and their potential impact, which is critical for both internal governance and external audits.

In short, Cycode doesn’t just detect AI-related risk; it helps manage it with complete context, accountability, and compliance in mind.

What are the biggest challenges in secret detection across modern SDLC environments, and how is Cycode solving them?

Secret detection is one of the most critical and overlooked challenges in modern software development. Secrets, such as API keys, tokens, and credentials, are often hardcoded into source code, CI/CD pipelines, and configuration files. And with the rise of distributed teams, open-source dependencies, and rapid release cycles, these secrets can easily leak into public repositories or be exploited by attackers.

The challenge is that secrets are no longer just in code. They’re everywhere, in build environments, artifact registries, and even third-party tools. Traditional scanners often miss them or generate excessive noise, making it difficult for teams to take action.

At Cycode, we take a holistic approach to security. Our platform scans the entire SDLC, from code repositories to CI/CD pipelines and runtime environments, to detect exposed secrets in real-time. We correlate findings with context, so teams know not just what was exposed, but where, by whom, and how critical it is.

We also enforce least-privilege access and secure pipeline configurations to prevent secrets from being misused. And because we integrate with issue tracking systems and developer workflows, remediation is fast and frictionless.

Ultimately, secret detection isn’t just about finding the leak but securing the entire software factory. That’s what Cycode’s platform is built to do.

How do you ensure accuracy and reduce false positives when scanning for vulnerabilities or secrets?

Dealing with false positives can be incredibly frustrating for developers. When teams are constantly bombarded with irrelevant alerts, it's easy to start ignoring them, and that's precisely when actual threats can slip through. Through our SAST engine, we help teams identify code weaknesses, achieve accuracy, and focus on true positives to save time and accelerate software delivery. In OWASP benchmark tests, Cycode achieved a false positive rate of 2.1% representing a >94% reduction compared to alternative methods.

First, we focus on contextual correlation. Instead of just flagging a potential issue and moving on, our platform maps it to the bigger picture of an organization’s software supply chain. Therefore, if a secret is discovered in a commit, we associate that finding with the pipeline that built it, the environment in which it was deployed, and the developer who added it. This additional context helps us determine whether something poses a real risk or is merely harmless.

Next, our proprietary scanning algorithms do much more than basic pattern matching. Our secret detection engine analyzes patterns, entropy, and the way the string is used, allowing us to distinguish between genuine secrets and similar-looking entities, such as test data or placeholder text.

We also integrate with issue tracking systems and developer workflows to keep everything connected. When a vulnerability or secret is confirmed and fixed, that feedback helps us make our models smarter. By assigning issues based on code ownership, we help ensure that problems are directed to the right people without unnecessary duplication.

Ultimately, our goal is straightforward. We aim to make security something teams can rely on: fewer false alarms, more accurate findings, and quicker resolutions. That way, teams can focus on solving the real problems that matter most.

What’s the value of “developer-first” security tools, and how does Cycode avoid disrupting workflows?

At its core, developer-first security is about making protection quick, relevant, and only as visible as necessary. That is how we keep development moving forward while maintaining software safety.

If security tools slow developers down or overwhelm them with too many alerts, those tools risk being ignored. That is why Cycode was designed to help developers rather than hinder them.

The real value comes from bringing security directly into the developer’s everyday workflow. With Cycode, security checks happen instantly, right where developers write and review code, such as in the IDE or during pull requests. This means developers get feedback the moment they need it, making it easy to catch issues early and build secure coding habits without extra hassle.

Context is also key. Instead of sending out vague alerts, Cycode gives developers precise details: what the vulnerability is, where it originated, who is responsible, and how to resolve it. This type of information helps reduce confusion and enables teams to resolve problems more efficiently.

By integrating with popular CI/CD tools and issue trackers like JIRA, Cycode ensures that security becomes an integral part of the software development process, rather than something separate or disconnected. Developers can stay on task, and security teams get the oversight they need.

What kinds of attacks or vulnerabilities do you expect to increase as more companies adopt AI in their development workflows?

As AI becomes an increasingly integral part of everyday development work, we’re likely to encounter a new set of vulnerabilities. These won’t just be technical challenges—some will come from the way people and teams interact with these tools.

One of the most significant risks is that developers may become overly reliant on AI-generated code. While AI can help speed up the process, it is not perfect. If developers assume every AI suggestion is correct, they might accidentally introduce hidden bugs or security issues. Since the lines of responsibility can become blurry when code originates from a machine, these problems may slip through unnoticed.

There is also a growing concern about supply chain attacks that specifically target AI models and APIs. For example, if trusted services like OpenAI or Hugging Face are compromised, or if someone sneaks a malicious model into a workflow, attackers could change outputs or steal sensitive information.

Another emerging threat is data poisoning. In this scenario, attackers make subtle, strategic modifications to the training data that can later impact how the AI model behaves. This type of attack is particularly hazardous in areas such as fraud detection or access control, where security is crucial.

On top of that, companies will face mounting pressure around explainability and compliance. New regulations, such as the EU AI Act, will require organizations to explain how their AI systems make decisions and the basis for these decisions. This can be very challenging if models are black boxes or if teams are using third-party tools that lack transparency.

At Cycode, we are developing tools that help teams identify AI-specific risks, such as adversarial vulnerabilities, model misuse, and insecure integrations. We also want to ensure that developers remain responsible for the code they ship, whether it is written by a person or generated autonomously.

Looking five years ahead, how do you see the role of AI evolving in securing software supply chains?

AI is already transforming how we approach application security, but its full influence on the software supply chain is only just beginning. Over the next five years, I believe AI will become an integral part of how we identify, prioritize, and address risks throughout the entire development process.

To start, AI will help bring security and development teams closer together. Currently, there is often tension, as security tools can interrupt workflows or lack essential context. AI has the potential to smooth those edges by transforming security findings into actionable insights, recommending fixes automatically, and even generating secure code solutions tailored to each team's workflow.

AI will also become increasingly important in understanding what’s happening in real-time. It will monitor build environments, containers, and APIs, identifying unusual activity as it occurs. This real-time monitoring will be essential as supply chain attacks become increasingly sophisticated and harder to detect with traditional scanning alone.

Additionally, AI will help companies navigate the growing maze of regulations. As governments introduce more rules about how AI should be used, organizations will need tools that can explain the reasoning behind each AI decision, track where models come from and hold people accountable. I see AI stepping in to create documentation, map out dependencies, and help enforce policies across complex systems.

Still, with all these advances, human oversight will remain critical. AI is not here to replace people, but rather to empower them. Developers and security teams will always need to take responsibility, mainly when AI-generated code could introduce new risks. That’s a big reason why we are dedicated to building tools that make AI as transparent, understandable, and accountable as possible.

In the end, AI will become the connective thread that makes software supply chains safer, but only if we use it thoughtfully and keep people involved every step of the way.

Thank you for the great interview, readers who wish to learn more should visit Cycode.