Hopper officially launched out of stealth to reinvent how organizations manage open-source software (OSS) risk.
Modern software relies on open-source. As OSS scaled, accelerated by AI, legacy security tools failed to keep pace, introducing undesired cost, complexity, and drag on developer productivity. Gartner cites false positives, alert fatigue, and the lack of exploitability context such as function-level reachability as key barriers to effective application security.
Today’s Software Composition Analysis (SCA) platforms overwhelm teams with noise, miss critical risks, and frustrate developers. Hopper delivers a modern alternative to SCA, with function-level reachability, automated asset discovery, hidden vulnerability detection, and support for complex web frameworks — all without agents or CI changes.
Hopper is already used by Fortune 500s and fast-growing tech companies, empowering security and engineering teams to replace legacy SCA tools and secure their code with a more precise, developer-aligned solution. Before switching, Hopper customers report spending up to 8 percent of total development time addressing alerts. By improving remediation SLAs, reducing MTTR, and boosting developer productivity, Hopper becomes a cost reduction tool for the enterprise.
“We didn’t start Hopper because the world needed another SCA tool,” said Roy Gottlieb, Co-founder and CEO. “We started it because existing solutions overwhelm teams and slow down development. Hopper is built to cut through the clutter, surface real risks, and make open-source security fast, accurate, and developer-friendly.”
Gottlieb is a seasoned investor and operator, a veteran of Unit 81, and recipient of the Israel Defense Prize. His co-founder, Oron Gutman, is a veteran vulnerability researcher and two-time Israel Defense Prize winner, with 14 years of experience including section lead of Unit 8200.
Why Function-Level Reachability Matters
Most vulnerability databases (NVD, OSV.dev, and GitHub) don’t reveal where a vulnerability lives in the code. CVE standards intentionally omit function-level detail to avoid exploitation, but that tradeoff comes at a cost.
Log4J, for example, contains 60,000+ lines of code and 7,000 functions, but only the lookup function in JndiManager class was exploitable. Hopper closes that gap with a proprietary knowledge base mapping vulnerable functions across the OSS ecosystem.
“Hopper doesn’t just tell you that a vulnerability exists. It shows you the line of code, the function, the evidence, and why it matters. That’s what finally gets developers to act,” said a Fortune 100 CISO, speaking under NDA.
Built for Modern Security and Engineering Teams
Where legacy SCAs inventory manifest files, Hopper simulates how applications are built and executed, providing deep visibility without agents or CI/CD integration, delivering:
-
Function-level reachability across direct, transitive, and internal dependencies
-
Full SBOM and VEX export, aligned with compliance workflows
-
Agentless deployment, via read-only Git access
-
Contextual remediation evidence, linked directly to source
-
Automatic asset discovery, including internal and shadow dependencies
Backed by Industry Builders
Hopper raised $7.6 million in seed funding, co-led by Meron Capital and New Era, with participation from the Sequoia Scout Fund, M-Fund, and leaders behind exits to Intel, Oracle, Google, HPE, Symantec, ZoomInfo, AWS, and more.
Hopper is now available to organizations ready to stop chasing noise and start fixing real risk. Learn more at hopper.security
