# Marcus Delgado, Senior AppSec Engineer at Groveport Labs — read of Defending Code Scanner, June 7 2026

> 9 years in application security, currently the entire appsec team at a 140-person Series B SaaS. I am the person who gets the Snyk renewal quote and has to explain it to the CFO.

## How I got here

Got a renewal notice from Snyk two weeks ago with a 40% price jump. Started a tab graveyard of alternatives. Searched "AI code security scanner alternative to Snyk" and this showed up on page two. Clicked it because the meta description said "fraction of the cost" and I was already in cost-justification mode. That's the whole story. No referral, no trust already built.

## What I clicked first

"90% Cost Savings" in the hero is what my eyes landed on first. Hard to ignore. Then I looked for the asterisk and there wasn't one, which made me more suspicious, not less. The subhead "Pay only for what you scan" is actually a coherent value prop if true. That phrase landed. I know what I pay Snyk per seat and it's not tied to usage at all.

## Where I paused

The stats block. "2,400+ Repositories Scanned. 18K Issues Detected. 94% False Negative Reduction. $1.2M Breach Costs Avoided." I stopped and read it twice. These numbers are oddly specific in a way that feels credible but is also easy to fabricate. "94% False Negative Reduction" compared to what baseline? SonarQube? Semgrep? Checkmarx? My own gut? That number is doing a lot of work with zero sourcing. The $1.2M breach costs avoided is the kind of stat that sounds like it came from a Ponemon Institute press release, not an actual customer cohort.

## What I distrusted

Scroll down far enough and you hit this: "Honest disclosure: we don't have live customers on this idea yet."

So the 2,400 repositories and $1.2M avoided are... what exactly? Hypotheticals? Test runs the founder did? The page puts those numbers in a "Trusted by Security Teams" section and then later admits there are no customers. That sequencing is a choice that doesn't work in their favor. The moment I read that disclosure I scrolled back up and reread every number on the page with a different filter.

Also the page starts describing itself as an "idea" and talking about "Wishdeal Factory scores" and "Adoptability axes." At some point I realized I was not on a product page at all. I was on a page selling a business plan for $99-$199. The product being pitched in the hero is not actually available. That's a significant gap between what the page promises and what it delivers.

## What would convince me

One real GitHub Actions YAML that I can copy-paste and watch run on my own repo. Not a demo video, not a "schedule a call." Let me scan one repo against my current Snyk results and see where they overlap and where this catches things Snyk misses. A side-by-side on a real public repo with known CVEs, showing false positive and false negative rates, would take maybe one afternoon to put together and would be worth ten of these feature lists.

And if this is genuinely a startup idea being sold as a package, I need to understand that I'm buying a blueprint, not a working product. That framing should be in the hero, not buried after the fake social proof.

## What I'd ask in an email reply

1. Those numbers in the social proof block, 2,400 repositories and 94% false negative reduction, are those from real customer deployments or from internal testing? If internal, what was the test corpus?
2. When you say "works within your deployment pipeline" and list GitHub Actions, GitLab CI, Jenkins, is that working code today or planned? Is there a public repo or beta I can actually install?
3. The $99-$199 adoption tier includes "working code starter." What does that mean in practice? Is it a scaffolded repo I'd need to wire up to the Claude API myself, or is it a deployed service I could point at my codebase today?

## Verdict: on-the-fence

The underlying idea is sound and the cost framing is relevant to a problem I actually have. But the page puts fake-feeling social proof before an honest disclosure that there are no customers, which makes me trust the whole thing less, not just the numbers. If someone cleaned that up and let me run one real scan, I'd reconsider.

---
*Memo by skeptic persona, generated 2026-06-07. Studio breaks own self-grading loop.*
