
Company News

Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team

Socket is bringing best-in-class reachability analysis into the platform — cutting false positives, accelerating triage, and cementing our place as the leader in software supply chain security.


Feross Aboukhadijeh

April 23, 2025

Open source software drives human progress — but today, one of the biggest challenges for developers is how to use it safely and securely. Open source software is eating the world — but security has been an afterthought.

Today, we’re announcing a big step in securing the open source supply chain: Socket is acquiring Coana to bring best-in-class reachability analysis to every appsec team.

Coana's revolutionary reachability analysis engine allows developers and security teams to cut through the noise and pinpoint the vulnerabilities that truly matter, dramatically reducing false positives—by up to 80%.

You don’t have to wait to see the power of Coana's reachability analysis — try out Coana right now by uploading your project manifest files (e.g. package-lock.json, requirements.txt) below. You will instantly see the level of noise reduction you can expect in your own project with our first-of-its-kind precomputed reachability analysis that removes alerts from unused transitive dependencies:

Note: No source code access is needed for this demo. It’s fast, private, and uses “precomputed reachability analysis” to remove alerts from unused transitive dependencies. This works without any setup hassle — no agent, no extra CI/CD step, no heavyweight tool to run in your infra — something that has traditionally been a huge problem with other reachability analysis solutions. (We, of course, also offer traditional function-level reachability.)

We’re thrilled to welcome the Coana team to Socket — world-class engineers and security researchers. Together, we’ll bring their breakthroughs to our customers and the broader open source ecosystem.

Bringing best-in-class Reachability Analysis to every appsec team

Legacy vulnerability scanners dump thousands of vulnerability findings on teams, most of which are irrelevant. When devs drown in noise, they ignore all the alerts. More alerts ≠ more security.

We have a better solution.

Coana has mastered reachability analysis—a revolutionary technique that cuts through noise by pinpointing vulnerabilities that actually affect your apps. It dramatically reduces false positives—by up to 80%. Teams using Coana have seen up to 10× faster remediation times as a result – because they can focus on fixing real problems, not chasing ghosts.

Coana determines whether a given vulnerability is exploitable by checking whether the vulnerable code is reachable from your application code. If no path from your code to the vulnerable code exists, we mark the vulnerability as unreachable, allowing you to deprioritize it—or ignore it entirely. Instead of thousands of findings from a legacy scanner, you get a short list of the few issues that actually require action.


Why Coana?

Coana has built the most scalable and accurate reachability engine we’ve seen. Now, they’re bringing that deep expertise to Socket — and together, we’re going to push the limits of how—dare I say it?—delightful we can make SCA.

The vision is straightforward: whenever Socket flags a vulnerability in your open source dependencies, you’ll also see whether that specific vulnerability is reachable in your application or not – automatically. No additional setup, no separate tools. Just richer, smarter alerts.

Coana are pioneers in static and control-flow analysis

Coana—and now Socket—has the best reachability solution on the market for a few reasons:

  • Drastically fewer false positives: Coana filters out unreachable vulnerabilities so you can safely ignore 80%+ of alerts. You only get notified about vulnerabilities your code can actually reach.
  • Advanced static analysis: Coana uses advanced control-flow analysis built by academic experts. This isn’t grep or metadata scanning—it’s real code understanding, tuned for each language.
  • Precomputed reachability: Socket's precomputed reachability classifies over 50% of vulns as unreachable right out of the box. No config. No source code access needed. Just fewer alerts and faster decisions. (We, of course, also offer traditional function-level reachability as well.)
  • Function-level reachability: Cuts up to 80% of alerts by analyzing exactly which functions your application has used. You don’t even need to give Socket access to your source code or repo – the analysis runs on your machine or CI runner, and no proprietary code ever leaves your environment. (In fact, Coana can even run fully offline on an air-gapped network.)
  • Built for scale: No external agents, no hooking into your runtime, no noise. It works across monorepos and large codebases, and it’s language-specific for accuracy. In short, Coana’s approach is fast, scalable, and won’t slow down or disrupt developers.
  • Saves real money: By drastically reducing developer frustration, Coana saves real money—$300,000+ annually for the average 100-engineer team.
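The two-level classification described above (precomputed package-level reachability that drops unused transitive dependencies, then function-level reachability over a call graph), as an added illustration that is not Socket's or Coana's code; the lockfile, import and call-graph data and every package, function and advisory name are constructed placeholders:

```python
from collections import deque

# Constructed toy inputs with hypothetical package and function names.
LOCKFILE = {  # package -> declared deps: what a legacy scanner sees
    "app": ["web-framework", "image-tool"],
    "web-framework": ["http-parser", "template-lib"],
    "image-tool": ["archive-lib"],
    "archive-lib": ["legacy-compress"],  # declared but never imported
}
IMPORTS = {  # precomputed: which declared deps each package really imports
    "app": ["web-framework", "image-tool"],
    "web-framework": ["http-parser", "template-lib"],
    "image-tool": ["archive-lib"],
    "archive-lib": [],  # legacy-compress is an unused transitive dependency
}
CALLS = {  # call graph from the app entry point into library functions
    "app.main": ["web-framework.serve", "image-tool.resize"],
    "web-framework.serve": ["http-parser.parse"],
    "image-tool.resize": ["archive-lib.open"],
}
VULNS = [  # advisories as (id, vulnerable package, vulnerable function)
    ("VULN-1", "http-parser", "http-parser.parse"),
    ("VULN-2", "template-lib", "template-lib.render"),
    ("VULN-3", "legacy-compress", "legacy-compress.inflate"),
]

def reachable_from(graph, start):  # breadth-first search over graph edges
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def legacy_alerts(lockfile, vulns, entry="app"):
    # Noisy baseline: every advisory whose package is installed at all.
    installed = reachable_from(lockfile, entry)
    return [vid for vid, pkg, _ in vulns if pkg in installed]

def classify(imports, calls, vulns, entry="app", entry_fn="app.main"):
    # Verdict per advisory: package-level (precomputed) first, then function-level.
    used_pkgs = reachable_from(imports, entry)   # packages actually imported, transitively
    used_fns = reachable_from(calls, entry_fn)   # functions actually called, transitively
    def verdict(pkg, fn):
        if pkg not in used_pkgs:
            return "unreachable (unused transitive dependency)"
        if fn not in used_fns:
            return "unreachable (function never called)"
        return "reachable"
    return {vid: verdict(pkg, fn) for vid, pkg, fn in vulns}
```

The lockfile alone flags all three advisories; the import facts alone discard VULN-3, and the call graph additionally discards VULN-2, leaving only VULN-1 to act on.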

By integrating best-in-class reachability analysis, Socket gives security teams and developers a powerful one-two punch: find all the issues in your open source supply chain, and zero in on the few that really matter.

This acquisition isn’t just about tech — it’s about the team behind it. Coana was founded by some of the world’s top static analysis experts out of Aarhus University. Led by Professor Anders Møller, a world-renowned pioneer in JavaScript analysis, along with Martin Torp, Benjamin Barslev, and CEO Anders Søndergaard, the team has spent years advancing the state of the art in static and control-flow analysis.

Great technology is built by great people. The Coana team shares our values and brings world-class engineering talent to Socket. Together, we’re going to redefine what secure software development looks like.

To learn more about our approach to developer security, check out a detailed walkthrough of the Socket platform by Feross Aboukhadijeh, Socket CEO. The Coana blog has many examples and case studies of Coana in action.

What's next?

The entire Coana team is joining Socket immediately. Their tech is being directly integrated into our platform. Nothing changes today for Coana users, but you can expect to see major enhancements within the next few months. We’ll provide a seamless migration path as soon as key Coana functionality is ready.

In the coming months, we’ll be working to integrate Coana’s reachability analysis technology directly into the Socket platform. Soon, every Socket user will start seeing reachability context in their vulnerability reports and dashboards.


Socket is now the clear leader in next-gen SCA

With Coana’s capabilities in-house, Socket is now the undisputed leader in next-gen SCA:

  • Easiest-to-use and most accurate reachability analysis: Like traditional SCA, we find known vulns. But with Coana, we go further—telling you which ones are actually reachable and exploitable in your app. Less noise, more signal.
  • Malicious package detection, in real time: We monitor your dependencies 24/7 and block supply chain attacks as they happen—typosquatting, malware, hijackings, you name it. We regularly catch novel supply chain attacks before they are even public—attacks like dependency hijackings, malware implants, and more.
  • License enforcement, handled automatically: Socket flags license issues automatically and blocks packages that violate your policies. For advanced needs, you can override license findings on a per-package basis—perfect for strict legal and compliance teams.
  • Defense-in-depth across the entire SDLC: We monitor every package update, every PR, every new dependency. Socket is not just a scanner – it’s a guardian for your supply chain, acting the moment a threat emerges.
  • Comprehensive support for 9+ languages: JavaScript, TypeScript, Python, Go, Java, Ruby, .NET, Scala, Kotlin. We built deep support for each, not just a checkbox.

Socket revenue has more than tripled over the past year. Teams at Anthropic, xAI, Figma, and Vercel have already moved from legacy SCA tools to Socket.

Today, Socket protects 8,500+ organizations and 750,000+ repositories, securing 2+ million commits every month. Socket identifies 500+ supply chain attacks every week and has flagged more than 100,000 malicious packages across the open source ecosystem.

This news follows our $40M Series B led by Abstract Ventures, with participation from Elad Gil and a16z.


Join us to build the future of appsec

We believe a small, focused team can out-innovate the giants. This past year has proved that. Our team’s engineering velocity is second to none – we’ve shipped major features at a pace that surprises our customers (and sometimes even us!).

Speed and craftsmanship are baked into everything we do. And with Coana’s team now joining us, we're moving even faster. We want a world where developers can move fast and break nothing – with security built in from day one.

We’re hiring across engineering, product, design, and sales. Still a small team, so every hire makes a big impact. If you care about dev tools, security, and building something meaningful, we want to talk to you. (Yes, that means you – check out our careers page!)

Bringing Coana into the Socket family is a big step forward. We’re excited for what’s ahead—and grateful for the trust of our customers and community.

If you're interested in trying Socket, schedule a live demo, or just reach out – we’d love to show you how we can help.
