DryRun's Trust Architecture Tradeoff

Diving deeper into the DryRun Security Company Report
That architecture supports enterprise pricing and procurement but compresses gross margins relative to a pure-software SaaS product.

DryRun is making a deliberate trade: lower software economics in exchange for easier entry into serious security budgets. Its private LLM and short-lived microservice design make each scan more expensive than a rules engine that mostly runs in the customer’s own CI, but that same design helps clear the code privacy, compliance, and trust reviews that unlock bigger enterprise contracts and broader rollouts across security, engineering, and compliance teams.

  • DryRun prices around team footprint, not scan volume, because the product expands from PR comments into policy management, repo-wide scans, and risk tracking. That supports higher ACV, but every extra analysis still carries real compute cost because the model and orchestration layer do work on each run.
  • Semgrep shows the cleaner SaaS model on the other side of the trade. Its scanner largely runs in the customer’s environment, it sends only limited code snippets for AI analysis, and it explicitly frames this as supporting higher gross margins than traditional AppSec vendors.
  • This is becoming a category pattern among AI-native AppSec tools. Endor also uses multi-agent analysis to reason about business logic and pull request risk, but says marginal cost falls once its core graph infrastructure is in place. DryRun is earlier and more narrowly centered on high-trust PR review, so infrastructure efficiency matters more to future margin expansion.

The next step is turning trust architecture from a cost burden into a scale advantage. If DryRun keeps winning regulated teams that need private analysis, then larger contracts and multi-product adoption can outrun compute costs. Over time, the winners in AI AppSec will be the vendors that keep reasoning quality high while pushing the cost per review closer to conventional SaaS economics.