DEPTEX: Organization-First, Open Source Dependency Risk Monitoring
New graph-based tool fuses CPG and LLMs to find true vulnerability blast radius.
DEPTEX tackles the systemic risk of open-source dependencies, a problem that grows with every new library. Existing Software Composition Analysis (SCA) and reachability tools often treat risk as an intrinsic property of a component, flooding teams with false positives and forcing rigid compliance frameworks. DEPTEX flips the model by treating supply chain risk as emergent. Its Execution Path Dominance (EPD) technique first slices a Code Property Graph (CPG) to trace the actual data and control flows, then uses a Large Language Model (LLM) to semantically verify whether the vulnerability is reachable and can be triggered in the context of your codebase. This dramatically reduces alert fatigue by flagging only threats with a real blast radius.
Beyond detection, DEPTEX abstracts compliance into a programmable 'As Code' engine. Security teams can define dynamic pull request policies, assign asset tiers, and integrate with external APIs natively. This shifts the entire paradigm from reactive scanning to context-aware governance, making risk management proactive and aligned with organizational structure. The platform is fully open-source and targets enterprises that need to manage thousands of dependencies without drowning in noise.
- Execution Path Dominance (EPD) fuses Code Property Graph (CPG) slicing with LLM verification to compute a vulnerability's true operational blast radius.
- Programmable 'As Code' engine enables dynamic pull request policies, custom asset tiers, and external API integrations.
- Reduces alert fatigue by treating risk as emergent in organizational context, not as an intrinsic property of a dependency.
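The graph-slicing half of EPD, as an added illustration that is not DEPTEX's own code: a constructed call graph (hypothetical application and `libfmt` symbols) is sliced backwards from each advisory's vulnerable symbol to the entry points that can reach it. A naive SCA view flags both advisories because the library is present; the slice keeps only the one with a non-empty blast radius. The LLM verification step that DEPTEX runs afterwards is not modelled here.

```python
from collections import deque

# Constructed call graph (caller -> callees). All names are hypothetical:
# two HTTP entry points, some application code, and a dependency "libfmt".
CALL_GRAPH = {
    "http:/upload": ["app.handle_upload"],
    "http:/health": ["app.health"],
    "app.handle_upload": ["app.store", "libfmt.parse_unsafe"],
    "app.store": ["libfmt.escape"],
    "app.health": [],
    "libfmt.parse_unsafe": ["libfmt.eval_template"],
    "libfmt.eval_template": [],
    "libfmt.escape": [],
    "libfmt.legacy_render": ["libfmt.eval_template"],  # shipped, never called
}
ENTRY_POINTS = {"http:/upload", "http:/health"}

# Advisories as a naive SCA tool sees them: advisory id -> vulnerable symbol.
ADVISORIES = {"ADV-0001": "libfmt.parse_unsafe", "ADV-0002": "libfmt.legacy_render"}

def reverse_graph(graph):
    """Callee -> callers, so we can walk from a sink back towards entry points."""
    rev = {node: [] for node in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev

def blast_radius(graph, entry_points, sink):
    """Backward slice from the vulnerable symbol. Returns
    {entry_point: path from that entry point down to the sink}."""
    rev = reverse_graph(graph)
    next_hop = {sink: None}          # node -> next node on the way to the sink
    queue = deque([sink])
    while queue:
        node = queue.popleft()
        for caller in rev.get(node, []):
            if caller not in next_hop:
                next_hop[caller] = node
                queue.append(caller)
    radius = {}
    for entry in sorted(entry_points):
        if entry in next_hop:
            path, cur = [], entry
            while cur is not None:
                path.append(cur)
                cur = next_hop[cur]
            radius[entry] = path
    return radius

def triage(graph, entry_points, advisories):
    """Naive SCA would report every key; only advisories with a non-empty
    blast radius survive the slice."""
    all_hits = {adv: blast_radius(graph, entry_points, sym) for adv, sym in advisories.items()}
    return {adv: radius for adv, radius in all_hits.items() if radius}
```

Running `triage(CALL_GRAPH, ENTRY_POINTS, ADVISORIES)` reports only ADV-0001, with the path from `http:/upload` that reaches `libfmt.parse_unsafe`; ADV-0002 is dropped because nothing in the application can reach `libfmt.legacy_render`.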
Why It Matters
Shifts dependency management from reactive scanning to proactive, context-aware governance — a major win for security teams.