Most application-security tools ask you to send your code, your dependency graph and your build telemetry to a cloud you don’t control, then hand back a dashboard you can’t take with you. dpndncY is built the other way around.
The idea is simple. Security decisions about your software should be made on your infrastructure, and every one of them should come with evidence you can verify without asking anyone’s permission.
So dpndncY scans dependencies, code, IaC, secrets, containers and pipelines; ranks findings by what can actually be exploited; blocks risky packages before they’re installed; watches CI runners at the kernel level; and wraps every decision in a signed, portable attestation. All of it self-hosted. None of it leaves your network.
That makes it a natural fit for the teams that public-cloud AppSec tools can’t serve — regulated industries, air-gapped environments, and anyone who has to prove their supply-chain posture to an auditor, a customer, or a regulator with a document that stands on its own.
dpndncY is early. We’re working with design partners now and building in the open with the security community. If that’s you, we’d like to talk.
Four principles the product is built on
Self-hosted by default
The whole platform runs on your infrastructure — from dependency resolution to the runtime agent. Air-gapped isn't a premium tier; it's the baseline the product is designed around.
No telemetry, ever
We don't collect usage data, phone home, or route your dependency graph through a cloud we control. Zero external callbacks is a design constraint, not a setting.
Evidence over trust
Every decision the platform makes — a firewall verdict, a scan result, a runtime trace — is signed and verifiable offline with a public key. You never have to take our word for it.
One engine, not ten tools
SCA, SAST, IaC, secrets, containers, the firewall and the runtime agent share a single exploitability signal stack and a single signing root — so findings are consistent and portable.