Cybersecurity · sub-niche
OSS vulnerability graphs.
The dependency graph for open source vulnerabilities, indexed for AI agents and humans.
One-quarter build
Trickle — one deal per quarter
Why now
Agents need machine-readable security context. The graph layer is unbuilt or buried inside paid products.
What the signal looks like
Repos with CVE / OSV ingestion, dependency-graph build pipelines, and MCP / API surfaces.
Public examples
We name public projects + categories only — never founders we track inside the paid product. The buyer’s edge stays inside the product.
- GUAC / OSV graph projects
- Snyk Knowledge Base
- OWASP-style open repos
What this displaces
A CVE database + npm audit + grep.
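To make the "signal" and "displaces" points concrete: the thing `npm audit` + grep cannot tell you is which of your direct dependencies actually reach a vulnerable version, and along which path. Below is an added example (not code from this page or from any of the projects named above) that joins OSV-schema-shaped advisory records to a resolved dependency graph and computes that blast radius. Everything in it is constructed: the lockfile-shaped `LOCK` map, the advisory records (IDs `EXAMPLE-2024-000x` are hypothetical placeholders, not real advisories), and the version comparison is simplified to numeric dotted versions, which real OSV/semver handling must extend.

```python
"""Added example: join OSV-shaped advisories to a dependency graph.

All data below is constructed for illustration. The advisory IDs are
hypothetical placeholders, not real OSV/CVE identifiers.
"""
from collections import defaultdict, deque

# Constructed: resolved dependencies of one hypothetical app, in the
# "name@version -> [deps]" shape a lockfile gives you after resolution.
LOCK = {
    "app@1.0.0": ["web@2.3.0", "cli@0.9.1"],
    "web@2.3.0": ["parser@1.4.2", "log@3.0.0"],
    "cli@0.9.1": ["parser@1.2.0"],
    "parser@1.4.2": ["util@0.1.0"],
    "parser@1.2.0": ["util@0.1.0"],
    "log@3.0.0": [],
    "util@0.1.0": [],
}

# Constructed: records shaped like the OSV schema (id, affected[].package,
# affected[].ranges[].events). Not real advisories.
ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",
        "summary": "prototype pollution in parser (constructed)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "parser"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2024-0002",
        "summary": "regex DoS in util (constructed)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "util"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "0.2.0"}]}],
        }],
    },
]


def parse_version(v):
    """Assumption: plain numeric dotted versions, no pre-release tags."""
    return tuple(int(p) for p in v.split("."))


def is_affected(advisory, name, version):
    """Check OSV ECOSYSTEM ranges: each (introduced, fixed) pair is [lo, hi)."""
    pv = parse_version(version)
    for aff in advisory["affected"]:
        if aff["package"]["name"] != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            lo = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    lo = parse_version(ev["introduced"])
                elif "fixed" in ev and lo is not None:
                    if lo <= pv < parse_version(ev["fixed"]):
                        return True
                    lo = None
            if lo is not None and lo <= pv:  # open-ended range: no fix yet
                return True
    return False


def split_node(node):
    name, _, version = node.rpartition("@")
    return name, version


def build_reverse_graph(lock):
    """Edges dep -> dependents, so we can walk from a vulnerable node up to the root."""
    rev = defaultdict(set)
    for node, deps in lock.items():
        for d in deps:
            rev[d].add(node)
    return rev


def blast_radius(lock, advisories, root="app@1.0.0"):
    """Per advisory: vulnerable nodes plus every root-to-node path that reaches them."""
    rev = build_reverse_graph(lock)
    result = {}
    for adv in advisories:
        hits = sorted(n for n in lock if is_affected(adv, *split_node(n)))
        paths = []
        for hit in hits:
            queue = deque([[hit]])  # BFS upward over reverse edges
            while queue:
                path = queue.popleft()
                if path[-1] == root:
                    paths.append(list(reversed(path)))
                    continue
                for parent in sorted(rev[path[-1]]):
                    if parent not in path:  # guard against cycles
                        queue.append(path + [parent])
        result[adv["id"]] = {"vulnerable": hits, "paths": paths}
    return result


def direct_fix_targets(radius):
    """The direct dependencies (path[1]) you would bump to cut each advisory off."""
    return {aid: sorted({p[1] for p in r["paths"]}) for aid, r in radius.items()}


if __name__ == "__main__":
    radius = blast_radius(LOCK, ADVISORIES)
    for aid, r in radius.items():
        print(aid, r["vulnerable"], [" -> ".join(p) for p in r["paths"]])
    print(direct_fix_targets(radius))
```

The graph answer is what distinguishes this from grep over a CVE feed: `parser@1.4.2` is not flagged for the first advisory even though the package name matches, while the second advisory surfaces two distinct paths through different direct dependencies, which is exactly the fix-target information a remediation agent needs.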
Our build-vs-invest call
Open data is the wedge; commercialization is the platform on top. Fund only with prior security infra background.
Common questions about this niche
- Who pays?
  - Security platforms paying for higher-fidelity data.
- Moat?
  - Data freshness + graph completeness + API ergonomics.
- Build or fund?
  - Build only with prior security data background; fund teams with named security backgrounds.
More inside Cybersecurity
- LLM firewall tooling — WAF for AI agents — prompt injection blocking, output sanitization, policy enforcement at the API boundary.
- Supply chain attack detectors — Catch malicious npm / PyPI packages before they land in production.
- Secret rotation automation — Secrets that rotate themselves — across HashiCorp Vault, AWS Secrets Manager, GitHub, and your CI.
- Cloud config drift detection — Continuous detection of AWS / GCP / Azure config drift, plus AI-suggested remediation.