Varun Badhwar, Founder & CEO of Endor Labs – Interview Series

Varun Badhwar, Founder & CEO of Endor Labs, is a cybersecurity entrepreneur recognized for building and leading companies at the forefront of cloud and application security. Since 2021, he has headed Endor Labs, which focuses on securing AI-driven software development. Previously, he was SVP & GM of Prisma Cloud at Palo Alto Networks and founder of RedLock, a cloud security startup acquired by Palo Alto Networks.
Endor Labs is an application security platform built for the AI era, designed to help engineering and security teams balance speed and safety in software development. The platform integrates features like reachability-based software composition analysis, SAST, container scanning, secret detection, and CI/CD pipeline protection into a unified view, helping teams identify which vulnerabilities truly matter and prioritize fixes. It also includes AI agents that analyze pull requests for architectural changes and detect risks in AI-generated code early in the development lifecycle.
You previously built and scaled major security ventures — how did those experiences lead to founding Endor Labs, and what problem were you most determined to solve at the outset?
Back in 2021, I was at Palo Alto Networks when the SolarWinds breach hit. It was massive. Every customer using their software was affected, and we were no exception. When I dug into how we were managing our own software, I realized we had 450 engineers and 68,000 security vulnerabilities, yet engineers were mostly ignoring them. The reason? A whopping 80–90% of alerts were false positives, and traditional tools didn’t understand how developers actually work.
That’s when it clicked: modern software development is more like assembly than creation. We’re shipping code that’s mostly third-party libraries, with no guarantees about quality or security. I saw the disconnect between security teams and engineers, the adversarial dynamics, and the political friction. I knew we needed to rethink application security from the ground up, which led to founding Endor Labs.
Endor Labs now protects millions of applications for organizations ranging from fintech to SaaS platforms. What kinds of use cases are you seeing most often, and why are customers turning to you?
Our customers come to us to secure their software supply chains and developer pipelines. They want to verify open source dependencies before production, automatically flag high-risk AI-generated code, and ultimately integrate security directly into developer workflows.
Most scanners just throw vulnerabilities at developers and walk away, creating noise that engineers inevitably ignore. And with vibe coding now mainstream, that approach simply doesn’t work. At Endor, we provide context-aware analysis and actionable insights, so security and engineering teams can actually trust each other again.
Developers often face tension between moving fast and staying secure. How does your platform help reconcile that challenge?
Speed versus safety is the oldest dilemma in software development. Vibe coding has only made that tradeoff more pronounced. Forty-five percent of developers are using AI assistants daily, which accelerates velocity but also introduces insecure code.
At Endor Labs, we embed security directly into the workflows developers already use. Think IDEs, pull requests, Git pipelines. Our philosophy is simple: security is just another class of bug. Treat it like any other software bug, and it becomes part of the natural development process instead of an afterthought. By reducing noise and providing clear guidance, we enable developers to move quickly while still ensuring the software they ship is safe.
False positives are one of the biggest pain points in security. How are you approaching that problem differently?
False positives are huge. I’ve seen engineers ignore significant swaths of alerts because they’re meaningless. That’s dangerous in a world where third-party attacks are growing in the double digits and adversaries are exploiting side doors in developer pipelines.
Our approach is to prioritize context. Instead of matching every Common Vulnerability and Exposure (CVE) to a dependency, we analyze the code path, business logic, and even AI-generated design changes. We also developed the Endor Labs Model Context Protocol (MCP) Server, which lets AI agents call into backend tools for precise fixes rather than hallucinated ones. Other tools can’t offer this level of precision because they lack the application context. They don’t know what your code does, how your services talk to each other, or what a safe fix looks like. The result is fewer meaningless alerts and more pragmatic guidance developers can actually act on.
The software supply chain is now seen as one of the most urgent risks for enterprises. Why is this issue so critical today?
Open source now dominates enterprise software, and software development has transformed into software assembly. Roughly 90% of components in modern applications are external, and AI coding assistants are introducing even more dependencies automatically. That means a single vulnerability can ripple across millions of applications.
The stakes are high: regulators now frame open source as a national security issue. And attacks like the recent Shai-Hulud npm exploit show how adversaries are actively targeting these weak points. Without the right guardrails, enterprises are exposed at a massive scale.
AI is transforming how software is built. What kinds of new risks does this create for application security?
AI assistants are like hiring thousands of interns at once — they can boost productivity but also introduce chaos when left unmanaged. Studies show 62% of AI-generated code has security, quality, or architecture issues. Beyond known CVEs, these include logic flaws, new API endpoints, or cryptographic mistakes that legacy tools were never designed to catch.
The new challenge is scaling secure code review. Relying on overburdened senior engineers to manually check every pull request doesn’t work. You need automated systems that can review, prioritize, and guide developers at the same speed AI is generating code.
Some argue AI introduces more vulnerabilities than it prevents. Do you see it as a net risk or a net benefit at this stage?
It can be both. AI is fantastic for prototyping and experimentation, but inexperienced developers relying on AI can create a blind-leading-the-blind scenario. The way to flip that equation is by pairing AI with security guardrails. With the right review systems and MCP-driven fixes in place, you can turn AI from a net risk into a net benefit. Without them, the risks outweigh the gains.
With AI-generated code becoming more common, what safeguards should organizations put in place to ensure trust in what they deploy?
Treat AI-generated code like any other third-party dependency. That means continuous monitoring, automated verification, and guardrails at every stage of the pipeline. You also need to ensure your AI review tools are trained on high-quality, secure code — not just random GitHub repositories.
And then move beyond detection. When a risky dependency is flagged, your tools should recommend the upgrade path that avoids breaking your app. That’s the difference between chaos and control. I like to think of it as bumper lanes in bowling: the ball still moves fast, but it stays on track.
Transparency is central to your leadership style. How does sharing both wins and setbacks affect culture and performance?
We aim for radical transparency at Endor Labs. That means sharing both the good and the bad – and not just company performance, but also things like stock plans and strategic risks. Employees are adults. Our team can handle reality. Being open builds trust, engagement, and ownership, and it helps people make better decisions.
You often empower rising leaders early in their careers. What guidance do you give first-time managers taking on big responsibilities?
I like to give promising team members big roles early and trust them to grow into the position. With mentorship and support, they learn quickly. My advice: embrace responsibility, learn from failures, and build credibility through action. People often surprise you with what they can achieve when you give them the space.
Looking ahead five years, what do you see as the biggest opportunities and challenges in securing the software supply chain?
With AI coding assistants and citizen developers reshaping workflows, we’ll need systems that act like a “security pair programmer”: reviewing every pull request in real time, scaling secure code reviews, and giving developers context they can trust. That’s why at Endor Labs we built our MCP server and multi-agent architecture, which are already helping customers keep pace with AI-native development.
The challenge is that the supply chain itself is only getting more complex. Today, code is largely assembled from external components, and every new AI tool introduces another layer of dependency. Companies that don’t rethink their models will find themselves exposed.
We’re seeing this urgency play out in real time — Endor Labs is now protecting over 7 million applications, scanning 1.6 million pull requests a month, and reducing noise by more than 90% for engineering teams. Five years from now, the organizations that come out on top are the ones that treat secure coding as a core part of developer productivity.
Thank you for the great interview. Readers who wish to learn more should visit Endor Labs.