SAN FRANCISCO – April 23, 2025 – Socket, the market leader in software supply chain security, today announced it has acquired Coana, a top-tier reachability analysis engine built by leading security researchers from Aarhus University. This acquisition significantly strengthens Socket’s platform and positions Socket as the clear market leader in next-gen Software Composition Analysis (SCA).
Coana brings powerful static control-flow and call graph analysis to Socket’s platform, allowing teams to prioritize vulnerabilities based on whether they’re actually exploitable in a given codebase. Flooding developers with endless security alerts can often subject security teams to “alert fatigue”, meaning real issues don’t get addressed, a common phenomenon with traditional vulnerability scanners.
By applying reachability analysis to SCA, Coana enabled security teams to eliminate up to 80% of false positives compared to traditional SCA tools. Now, instead of chasing irrelevant alerts, security and engineering teams could focus only on what was actually relevant.
Feross Aboukhadijeh, CEO and Founder of Socket, said: “For every team buried under thousands of vulnerability alerts, Coana’s reachability analysis offers a better way forward. Coana’s reachability analysis offers the most precise reachability engine for dynamic languages. We’re excited to bring it into Socket to give developers and security teams accurate, actionable vulnerability insights — without the noise.”
Led by Professor Anders Møller, a world-renowned pioneer in JavaScript analysis at Aarhus University, Martin Torp, Benjamin Barslev, and CEO Anders Søndergaard, the team has spent years advancing the state of the art in static and control-flow analysis. The entire Coana team have now joined Socket.
Anders Søndergaard, CEO at Coana, said: “Joining Socket means we can scale our impact immediately. Together, we'll help organizations drastically reduce their vulnerability management burden.”
Martin Torp, CPO at Coana, said: “We started Coana to help developers find 100 critical issues—not 10,000 trivial ones. Joining Socket lets us take that mission further. Socket has led the way on supply chain security, and together we’ll bring reachability analysis to more developers than ever before.”
Teams using Coana’s reachability analysis tool have seen up to 10x faster remediation times of critical security vulnerabilities as a result.
With this acquisition, Socket now offers the most complete next-gen SCA platform on the market. Revenue has more than tripled over the past year. Teams at Anthropic, xAI, Figma, and Vercel have already moved from legacy SCA tools to Socket.
Today, Socket protects 8,500+ organizations and 750,000+ repositories, securing 2+ million commits every month. Socket identifies 500+ supply chain attacks every week and has flagged more than 100,000 malicious packages across the open source ecosystem.
This news follows our $40M Series B led by Abstract Ventures, with participation from Elad Gil and a16z.
Zane Lackey, General Partner at a16z, said: “Socket’s approach to open source security is simply better — it’s proactive, precise, and built for how modern teams work. We believe that the combination of Socket and Coana will set a new standard for application security and marks the industry's shift away from legacy SCA.”
“Great technology is built by great people,” said Aboukhadijeh. “The Coana team shares our values and brings world-class engineering talent to Socket. Together, we’re going to redefine what secure software development looks like.”
To learn more about the Coana acquisition and what it means for customers, read Socket’s announcement blog post here.
About Socket
Socket is a developer-first security platform securing every layer of the modern software stack—across dependencies, CI/CD, and developer machines. We surface real threats and block supply chain attacks before they hit production.
Socket protects 8,500+ organizations and 750,000+ repositories, securing 2+ million commits every month. Socket identifies 500+ supply chain attacks every week.
Built by the creators of open source tools downloaded over a billion times a month, Socket is trusted by leading companies across tech, retail, healthcare, finance, government, and telecommunications.
Learn more
To learn more about our approach to developer security, check out a detailed walkthrough of the Socket platform by Feross Aboukhadijeh, Socket CEO. The Coana blog has many examples and case studies of Coana in action.
Socket is actively hiring across engineering, product, design, and sales. Candidates interested in building the future of software supply chain security can learn more at socket.dev/careers.
If you're interested in trying Socket, schedule a live demo, or just reach out – we’d love to show you how we can help.