AI has changed the pace of software development, and security reviews now have to keep up with workflows moving faster than traditional testing cycles were designed to handle. Developers can generate, edit, and ship code quickly, but every new change still needs to be checked before it reaches production.
Hacktron is taking aim at the pull request, one of the last checkpoints before new code goes live. The San Francisco startup has raised $2.9 million in pre-seed funding for a platform that tests code changes as developers submit them, so security issues can be caught while the work is still fresh.
AI Has Already Entered the Development Workflow
The pace of software development has already changed. Stack Overflow’s 2025 Developer Survey found that 84% of respondents were using or planning to use AI tools in their development process, up from 76% the year before, while 51% of professional developers said they used AI tools daily.
That suggests AI-assisted development has taken a major leap forward for many teams, especially since developers are using these tools to crank out code, decode legacy systems, track down bugs, and write tests at a pace previously unimaginable.
The real problem is that security checks often get left until the last minute. Developers write a piece of code, review it, and push it live, but the more thorough testing typically doesn't happen until afterwards.
By that time, the project has moved on, and the fix ends up taking longer because recalling the original context gets really tricky. That’s why more and more teams are trying to test code early on – while the changes are still fresh in people’s minds.
The Numbers Paint a Pretty Grim Security Picture
To see how pressing the need for stronger software security is, just look at the costs of breaches and the state of code nowadays.
IBM’s 2025 Cost of a Data Breach report found that the global average cost of a breach was a whopping $4.4 million, and that companies that used AI in security saved $1.9 million compared to those that didn’t. So, in a nutshell: automation can help limit the damage, but it only works if you use it early enough and know how to use it properly.
On the code side of things, there’s another problem lurking: Veracode analyzed the output of over 100 large language models across 80 coding tasks and found that 45% of the AI-generated code had security problems, with only 55% passing its security tests. That doesn’t mean AI coding tools aren’t useful: they do help teams move faster – it just shows that any code generated by them needs to be looked over much more carefully before it’s considered good to go.
Speeding Up Code Speeds Up Problems
There’s a nasty little side effect of using AI to speed up development: it means more code to review for security testing. Suddenly, more features get through the pipeline faster, more changes reach the point where you need to review them, and smaller teams can get more done – but security is still lagging way behind the pace of the engineering work.
Traditional security testing usually happens after the code has already been written, merged or built into a bigger feature. By the time that happens, the developers may have moved on, the original context is a bit fuzzy, and what was a simple fix during the review process becomes a bigger problem to clean up afterward.
Hacktron’s approach does things a bit differently by plugging security testing right into the code change itself. They say their platform combines AI with the same kinds of techniques an attacker would use to test every pull request and code change, finds vulnerabilities that the simple tests won’t catch, reduces the number of false positives, and helps developers fix things in real time.
The Trust Question Boils Down to Getting It Right and Putting It in Context
The real question is: will teams actually trust AI-powered security testing when it's right there in the merge process? From a developer's perspective, the product needs to be slick enough not to grind pull requests to a halt with weak warnings. But security teams are going to demand that it catches some real exploit paths – enough to make it worth adding another tool to what's already a crowded tool stack.
That trust challenge gets a whole lot harder when you bring open source into the mix. The Black Duck report for 2025 said that 86% of the apps they audited had vulnerable open source components, 81% had high- or critical-risk vulnerabilities, and 90% were running components that were more than 10 versions out of date.
Then of course there’s Sonatype’s 2026 software supply chain report, which found that open source consumption had reached a staggering 9.8 trillion downloads – a 67% year over year jump – while the number of known open source malware packages passed 1.2 million.
So what it boils down to is this: modern security testing has to be more than just a simple code diff. It needs to understand application logic, dependencies, and how authentication works, along with the risks involved, which code paths are reachable, and how a change impacts the rest of the system.
The First Movers Have It Made Easy
The first teams to jump on this bandwagon are probably going to be engineering teams that already move at breakneck speed and feel the pain of security review that keeps getting pushed to the back burner. We’re talking about startups that ship product updates once a week, AI-heavy teams that churn out new code all the time, enterprise teams stuck with massive AppSec backlogs, and open-source companies that really need a good look at the risks before they ship.
Hacktron says it’s raised about $240k in its first nine months, and that new funding is going to go towards a whole bunch of things: engineering, security research, product development, and, basically, getting its product out the door. But the real proof will be in how well their platform stacks up against a range of codebases, languages, frameworks, and different work habits.
The Merge Button: Where It All Gets Put to the Test
The real test of this whole thing is when a developer tries to merge some code. If Hacktron can flag up a serious issue inside the pull request, and actually explain why it’s such a big deal, and then help the developer fix it all without dumping a ton more work on them – then security is just part of the build process, and not some cleanup task that shows up way too late.
That’s the bottom line behind this round of funding: AI is helping software get faster, so you’d better believe security testing needs to get a whole lot closer to where the code changes are actually happening.