Home›
Companies›
Xeol

Xeol

Y Combinator LogoS23
Active
cybersecurity
New York
 
https://www.xeol.io/

Software security from code to deploy

It is pronounced Zee-O-L. We believe that secure software is not only free of known vulnerabilities. It is also built then distributed by known entities. SolarWinds and Codecov has shown that today's security landscape extends beyond your codebase. It includes your build and deployment systems as well. It includes every script, every machine, every human that touched your software. Our mission is to help every customer secure their software from code to deploy.

Jobs at Xeol

View all jobs →
Founding Engineer
New York, NY, US
$140K - $180K
0.50% - 1.00%
3+ years
Apply Now
Xeol
Founded:2023
Team Size:2
Location:New York
   

Active Founders

ShiHan Wan

CEO @ Xeol. Backend Engineer. Previously helped build 2 startups from early to 🦄, now doing that for Xeol.

ShiHan Wan
ShiHan Wan
Xeol
  

Benji Visser

CTO @ Xeol. Ex-Datadog. Ex-Ada. Canadian

Benji Visser
Benji Visser
Xeol
 

Company Launches

🌌 Xeol - Modern platform for software supply chain security

TLDR

Fortune 500 companies use Xeol to connect all their software dependencies into a contextual graph to ask questions like “am I affected by vulnerability X?” and enforce policies like “ensure all my docker images were signed by me?”

We first met 6 years ago as early engineers at Ada leading backend, cloud infrastructure, and security. Right before founding Xeol:

  • Benji was a Sr DevOps Engineer at Datadog leading its service catalog project with a near decade career in DevOps
  • ShiHan was the Director of Engineering helping build 2 startups from early stage to 🦄

We have been in the startup world for many years and are now on our own journey to help AppSec engineers quickly identify, remediate, and enforce security risks.

Problem. A New Attack Vector

Ask anyone on the street to plug in a random USB drive and they will scoff. They know it’s unsafe! But developers do this every day when they use open-source packages as part of their software supply chain. The typical npm package has 86 dependencies and with supply chain attacks up 600% over the past year alone, this attack vector is widening.

What’s not working?

  • Too much noise: tools that show all possible CVEs without contextual runtime information make prioritization near impossible leading to alert fatigue
  • Attacks are more common: generative AI enables malicious actors to easily launch attacks
  • Huge attack surface: many actors involved including OSS maintainers and their code, CI/CD systems, container orchestrators, and in-house developers

Solution. Complete Ontological Visibility

Xeol is an agentless solution that scans your software artifacts at build and runtime then creates a contextual graph of your software supply chain. This contextual graph allows AppSec engineers to:

answer questions like

  • Where am I using package X?
  • Which software are end-of-life?
  • Which packages are missing SLSA attestations?
  • Which software artifacts are produced from repo X?

enforce policies like

  • Ensure all Docker images were built by my org from our CI pipeline
  • Prevent software X, which is end-of-life, from being packaged in our Docker images
  • Ensure sure all packages meet a minimum OSSF score
  • Prevent any dependencies using a GPL license

Our Ask

See Xeol’s graph capabilities in action here

Try our open-source CLI tool to scan for end-of-life software

Follow us on LinkedIn, GitHub, or Twitter to get the latest updates

Company Photo

Company Photo