dpndncY
About
Application security
you run yourself.

Most application-security tools ask you to send your code, your dependency graph and your build telemetry to a cloud you don’t control, then hand back a dashboard you can’t take with you. dpndncY is built the other way around.

The idea is simple. Security decisions about your software should be made on your infrastructure, and every one of them should come with evidence you can verify without asking anyone’s permission.

So dpndncY scans dependencies, code, IaC, secrets, containers and pipelines; ranks findings by what can actually be exploited; blocks risky packages before they’re installed; watches CI runners at the kernel level; and wraps every decision in a signed, portable attestation. All of it self-hosted. None of it leaves your network.

That makes it a natural fit for the teams that public-cloud AppSec tools can’t serve — regulated industries, air-gapped environments, and anyone who has to prove their supply-chain posture to an auditor, a customer, or a regulator with a document that stands on its own.

dpndncY is early. We’re working with design partners now and building in the open with the security community. If that’s you, we’d like to talk.

What we believe

Four principles the product is built on

Self-hosted by default

The whole platform runs on your infrastructure — from dependency resolution to the runtime agent. Air-gapped isn't a premium tier; it's the baseline the product is designed around.

No telemetry, ever

We don't collect usage data, phone home, or route your dependency graph through a cloud we control. Zero external callbacks is a design constraint, not a setting.

Evidence over trust

Every decision the platform makes — a firewall verdict, a scan result, a runtime trace — is signed and verifiable offline with a public key. You never have to take our word for it.

One engine, not ten tools

SCA, SAST, IaC, secrets, containers, the firewall and the runtime agent share a single exploitability signal stack and a single signing root — so findings are consistent and portable.

Security you host.
Evidence you own.