By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Set Up a Call with James
Install
Product Updates
January 22, 2025

Introducing Natural Language Code Policies in DryRun Security

Blog
Product Updates
Linkedin
Twitter
Facebook

Hey everyone—James Wickett and Ken Johnson here. If you’ve been following DryRun Security’s journey, you know we’re on a mission to help Application Security (AppSec) teams keep up with today’s fast-moving development cycles without drowning in a sea of false positives and half-baked security tools. Today, we’re thrilled to introduce our latest innovation—Natural Language Code Policies (NLCP)—and share why it marks a huge leap forward for AppSec and development teams alike.

A Quick Look Back: Our Journey to NLCP

Our story started long before we ever formed DryRun Security. Over a decade ago, we were each working in DevOps and security roles, getting up-close and personal with the pain points caused by old-school security scanners. They were noisy, slow, and disconnected from the actual development workflow. Developers felt burdened, and security teams were stuck playing endless whack-a-mole with vulnerabilities.

We decided to do something different. In January 2023, we officially launched DryRun Security. Our initial prototypes taught us a lot, and soon we realized the best way to solve modern AppSec challenges wasn’t by slapping yet another static scanner onto the pipeline—it was by contextualizing the risk in code changes using AI and large language models (LLMs).

Over the summer of 2023, we focused on bridging the gap between developers’ workflows and meaningful security insights. By the spring of 2024, our beta GitHub app was already saving teams hours of manual security reviews each day. Today, DryRun Security processes over 13,000 code reviews per week—helping customers like Gusto, PlanetArt, Rollbar, BrightHR, and many more spot unknown risks in real-time.

The Problem: Finding the Needle in the Haystack

One of the biggest issues facing AppSec teams is simply knowing which code changes deserve closer scrutiny. In large organizations pushing out hundreds (or thousands!) of pull requests (PRs) each week, critical changes can blend right into the background noise. Our users told us:

  • “Our developers keep introducing the same vulnerabilities even though we’ve trained them.”
  • “We keep paying out bug bounties for the same class of issues, sometimes in the same, part of our app.”
  • “I would like to help the dev teams with security issues, but I often don’t know when they’re making important architecture decisions.”

It became clear that even the most advanced code scanning solutions often leave product security teams guessing which PRs might pose a serious risk. And if you’re stuck reacting to issues well after they’ve been merged, it’s already too late.

Enter Natural Language Code Policies

That’s where Natural Language Code Policies (NLCP) come in. By taking advantage of LLMs and our unique Contextual Security Analysis (CSA) approach, NLCP lets you create policy checks in simple, everyday language. On every code merge, these policies run alongside the core DryRun Security code policies, and if they get triggered, it notifies your security notification list—or even tags specific reviewers in GitHub—so the right people know about critical risks the moment they appear.

Why This Matters to AppSec Teams

Most AppSec teams know the feeling: you’re constantly stuck in a pattern-matching whack-a-mole game, blindly searching for high-impact vulnerabilities amidst a flood of low-value alerts. You find more issues, create more tickets, and developers become fatigued by noise. Meanwhile, critical threats can slip by because they don’t neatly match a static rule.

Natural Language Code Policies (NLCP) change the game by letting you ask the bigger, more contextual questions—literally in plain English—so you spot the issues that truly matter without drowning in irrelevant warnings. Let’s break down why it’s so impactful:

  1. From “More Alerts” to “Meaningful Alerts”
    Traditional security tools focus on counting possible vulnerabilities, leading to endless lists of “maybe” issues. With NLCP, you home in on code changes that could introduce real risk. Instead of pattern-matching strings like “password” or “secret,” you can ask, for example:
  • “Does this PR modify the logic around charging a customer’s credit card?”
  • “Are we introducing new routes that handle sensitive user data?”

    When NLCP finds a match, you know it’s something worth your time—no more sifting through an avalanche of false positives.
  1. Context-Driven Security Reviews
    Often, a code change looks harmless at first glance. Maybe it’s just adding a new endpoint or modifying a library. But context matters:
  • Is the new endpoint handling payments or storing personally identifiable information (PII)?
  • Has a developer modified authentication logic for the endpoint?

    NLCP automatically correlates these details (via our CSA “SLIDE” framework) to see if the change could have bigger security implications. By focusing on why a change was made and how it affects your application, NLCP helps you catch vulnerabilities that hide between the lines.
  1. No Scripting Required
    Because you write policies in everyday language, NLCP is approachable for everyone—AppSec engineers, development leads, and even product managers. Here are a few more examples of real policies our customers use:
  • “Does this remove or weaken encryption for stored user data?”
  • “Does this PR add or modify any role-based access checks?”
  • “Does this affect how we store or transmit passwords?”

    Being able to phrase policies in normal sentences means less guesswork and fewer misunderstandings. Everyone can read, interpret, and refine these questions as the organization’s needs evolve.
  1. Catch Risks Past the OWASP Top Ten
    When developers add new features—or rework an existing feature to handle sensitive data—it can be overlooked by generic scanning tools if there’s no direct signature match. With NLCP, you’ll see the potential consequences right away:
  • “Does this add a new function that might store GPS coordinates or user location data?”
  • “Does this PR change how we define roles for multi-tenant clients?”

    By zeroing in on intent and context, NLCP makes it easier to identify critical changes that would otherwise remain hidden until after they’re merged.
  1. Seamless Adoption into Existing Workflows
    NLCP runs directly in GitHub on every PR. It’s not another bulky tool that demands a standalone UI or forces context-switching. Whether you choose to surface alerts to developers in real time or keep them discreet for the security team, the result is a natural, frictionless integration that doesn’t slow development.

    With NLCP, you’re no longer stuck playing whack-a-mole with suspicious keywords or pattern-based rule sets. Instead, you can stay focused on the code changes that are most likely to impact your organization’s security posture. The result: fewer false positives, faster triage, and a security program that truly protects your organization where it counts.

Early Success: Voices from the Field

One of our earliest adopters, BrightHR, has been using DryRun Security to gain deeper visibility into their code changes. Sean Holcroft, Application Security Architect at BrightHR, sums up his experience:

“With DryRun Security, it feels like we’ve more than doubled our AppSec team. We can focus on the pull requests that truly matter. What’s more, our developers get instant, actionable guidance on writing secure code — it’s like having a security coach in every pull request. The tool has transformed how we approach application security, scaling our efforts without adding headcount or slowing development.”

For the BrightHR team, a typical week involves juggling numerous high-priority tasks. Having a streamlined way to surface genuine risks helps them maintain a secure posture without asking developers to drastically change their workflow.

Try NLCP Today: Two Ways to Get Started

  1. Personalized Demo
    We’ll walk you through setting up and customizing your first policies. Perfect if you want expert guidance from day one.
    Schedule Your Implementation Call
  1. Self-Led Demo & Install
    If you’re more of a hands-on explorer, dive in at your own pace.
    Install DryRun Security on GitHub

The Road Ahead: Building AppSec Together

Our vision has always been to make security an intrinsic, empowering part of development—not a frustrating afterthought. With NLCP, we’re one step closer to that reality. From the very first code change to production deploys, we want you to feel confident that hidden risks won’t slip by unnoticed.

Thank you for joining us on this journey. Whether you’re brand new to DryRun Security or have been with us since our first alpha release, we appreciate you. We’re excited about where this industry is headed, and we can’t wait to continue innovating together.

Here’s to finding those needles in the haystack—before they become tomorrow’s headlines.

,
James Wickett
CEO & Co-Founder
Ken Johnson
Co-founder & CTO
Linkedin
Twitter
Facebook

Related Blogs

Product Updates
June 20, 2024

Announcing the SSRF and IDOR Analyzers at DryRun Security

We're excited to announce the addition of two new analyzers to our suite of analyzers. The addition of the SSRF and IDOR analyzers significantly enhances our ability to detect more of the critical vulnerabilities organizations care about and is a first step in honing our detection around access control and authorization.

James Wickett
CEO & Co-Founder
Product Updates
April 15, 2024

Say Goodbye to SQLi in Go and Python

Introducing an exciting update: We’ve integrated SQLi analysis into our automated secure code reviews. Now, the GitHub app will analyze your code for SQLi vulnerabilities for Python Django and Golang Object-Relational Mapping (GORM) in seconds using the DryRun Security AppSec Analyzer, with support for more languages and frameworks coming soon.

James Wickett
CEO & Co-Founder