Checkmarx buys Tromzo to boost AI-driven code security
Checkmarx has acquired AI security start-up Tromzo in a deal that brings autonomous, reasoning-based agents into its application security platform and expands its use of artificial intelligence across software development workflows.
The deal brings Tromzo's founders, Harshil Parikh and Harshit Chitalia, and the company's full AI engineering team into Checkmarx's product and engineering organisation. Checkmarx plans to embed Tromzo's technology into its Checkmarx One platform and extend its Checkmarx Assist suite of AI agents.
Checkmarx, based in New Jersey, focuses on application security for enterprises. Tromzo has specialised in AI-native autonomous security agents that sit inside development pipelines.
AI reshapes code
Checkmarx said the acquisition reflects rapid structural change in how software is written and secured. The company cited its own research that suggests 60% of code is now AI-generated and that 98% of organisations have experienced breaches linked to vulnerable code. Only 18% of those organisations reported formal governance policies for AI usage.
Checkmarx argued that traditional manual checks have struggled in this environment. It said manual gating processes cannot keep pace with modern development. It said this creates bottlenecks in prioritisation and remediation and leaves a growing backlog of security issues.
"This acquisition propels Checkmarx forward on our path to redefine AppSec through agentic AI that transforms how enterprises secure all of their code, whether it is existing, human-created, or produced through AI-driven development," said Sandeep Johri, CEO of Checkmarx.
Johri said the Tromzo technology sits on top of a cognitive architecture. He said the approach aims to mimic reasoning across complex software environments rather than run isolated pattern-matching checks.
"By acquiring Tromzo, we are integrating the only platform built on a true cognitive architecture capable of enterprise-grade reasoning. We're offering an AI-powered virtual security assistant to every developer that understands real risk and automates remediation, moving us closer to a world where code is continuously protected and AI becomes an intelligent partner in security," said Johri.
Tromzo team moves
Under the deal, Tromzo's founders will take leadership roles inside Checkmarx's AppSec AI effort. The full Tromzo AI engineering team will also join Checkmarx.
Tromzo has focused on using AI agents that sit between security and software engineering teams. Its technology analyses code, deployment artefacts and business context. It then applies this information to triage alerts and proposes specific fixes that align with an organisation's risk models.
Checkmarx said these agents will form a core intelligence layer within Checkmarx One. The same engine will underpin current and future members of the Checkmarx Assist family of agents.
Earlier in the year, Checkmarx launched Developer Assist. The product offers real-time, context-aware security guidance within popular integrated development environments such as Windsurf by Cognition, Cursor and GitHub Copilot. A developer receives in-line prompts as they write code and can apply suggested changes.
Autonomous triage
The combined roadmap points toward more automation across vulnerability management. Checkmarx said Tromzo's reasoning-based agents would support autonomous triage of security findings. The system will classify and prioritise issues according to enterprise risk models. It will then propose or apply remediation steps.
The company's acquisition highlights three areas of focus. The first is a push towards what it describes as autonomous application security. The second is the integration of Tromzo leadership and engineers into Checkmarx's AppSec AI group. The third is an expansion of Checkmarx Assist with new agents that run on Tromzo's reasoning engine from early 2026.
Parikh said the company he co-founded had concentrated on shortening remediation cycles for security issues rather than on detection alone.
"We built Tromzo with a singular mission: accelerate remediation of the risks that truly matter," said Harshil Parikh, co-founder of Tromzo. "Joining Checkmarx, the undisputed leader in enterprise AppSec, is the perfect acceleration of that mission. By combining our deep reasoning agents with Checkmarx's reach, scale, and market leadership, we're delivering the only solution that lets enterprise security teams move fast with enterprise-grade control."
Enterprise focus
Checkmarx said Tromzo's technology will handle both human-written and AI-generated code, as well as legacy and cloud-native applications. The combination of tools will operate across the software development lifecycle. It will sit inside code creation, testing, deployment and production monitoring workflows.
The firm positions its Checkmarx One platform as a single environment for code scanning across multiple languages and frameworks. It said the system already processes trillions of lines of code each year. The integration of Tromzo aims to add reasoning-based triage and automated remediation on top of those scans.
Checkmarx also said its autonomous agents look for AI-driven threats that emerge from new development patterns and toolchains. These agents run across different stages of development and release rather than at a single security gate.
Checkmarx and Tromzo plan to develop additional Assist-branded agents that draw on Tromzo's cognitive architecture. The first of those new agents is scheduled for release in early 2026.