Socket Acquires Coana to Strengthen Software Composition Analysis (SCA) Offering

Socket, the market leader in software supply chain security, today announced it has acquired Coana, a top-tier static analysis and reachability engine built by leading security researchers from Aarhus University. This acquisition significantly strengthens Socket’s platform and positions Socket as the clear market leader in modern Software Composition Analysis (SCA).

Coana brings powerful static control-flow and call graph analysis to Socket’s platform, allowing teams to prioritize vulnerabilities based on whether they’re actually exploitable in a given codebase. Flooding developers with endless security alerts can often subject security teams to “alert fatigue”, meaning real issues don’t get addressed, a common phenomenon with traditional vulnerability scanners. Key to managing this workload is reachability analysis, which enables security teams to prioritize vulnerabilities that need to be addressed rapidly above those which cannot be practically exploited.

Coana’s revolutionary reachability analysis engine solves this problem, eliminating up to 80% of false positives — allowing AppSec (Application Security) teams to cut through the noise and dramatically accelerating time to remediation for the most critical vulnerabilities.

“For every team buried under thousands of vulnerability alerts, Coana’s reachability analysis offers a better way forward,” said Feross Aboukhadijeh, CEO and Founder of Socket. “They’ve built the most scalable and accurate reachability engine we’ve seen, and we’re excited to bring it into Socket to give developers precise, actionable vulnerability insights — without the noise. Joining forces with Coana turbocharges our ability to deliver actionable, noise-free security alerts. This is a big win for our customers.”

The world-leading team behind Coana have now joined Socket. Coana was founded by static analysis experts from Aarhus University. Led by Professor Anders Møller, a world-renowned pioneer in JavaScript analysis, Martin Torp, Benjamin Barslev, and CEO Anders Søndergaard, the team has spent years advancing the state of the art in static and control-flow analysis.

“Joining Socket means we can scale our impact immediately," said Anders Søndergaard, CEO at Coana. "Together, we'll help organizations drastically reduce their vulnerability management burden.”

Teams using Coana’s reachability analysis tool have seen up to 10x faster remediation times of critical security vulnerabilities as a result.

With this acquisition, Socket now delivers the most complete and mature SCA platform on the market. The company currently protects over 8,500 organizations and 750,000+ code repositories, scanning every commit in real time. Socket detects and blocks more than 500 software supply chain attacks per week, and has identified over 100,000 malicious artifacts across open source ecosystems like npm, PyPI, Maven, and Go.

“Socket’s approach to open source security is simply better — it’s proactive, precise, and built for how modern teams work," commented Zane Lackey, General Partner at a16z, who co-led their series B funding round. "The combination of Socket and Coana is the nail in the coffin for legacy SCA. This is the new standard for application security.”

“Great technology is built by great people,” said Aboukhadijeh. “The Coana team shares our values and brings world-class engineering talent to Socket and together, we’re going to redefine what secure software development looks like.”