Patchstack’s software prevents thousands of WordPress security vulnerabilities
How a former hacker is on a mission to tackle cyberattacks and protect the open-source ecosystem
Patchstack, an Estonian cybersecurity startup, is on a mission to protect users globally from open-source vulnerabilities. From identifying new threats to mitigating attacks in real time, Patchstack offers a comprehensive approach to open-source security. What sets it apart is its reliance on both a network of ethical hackers and Google's AI tools.
Former hacker and CEO Oliver Sild has long been fascinated with how easy it is to take over websites with little to no effort, and was curious about finding ways to keep them secure. “I've spent my whole twenties working in cybersecurity, and during my studies I launched my own company, where the goal was to build more secure websites. First, we built an internal tool to keep track of all the components we used during development; then we set up monitoring for any new vulnerabilities. Over time, this evolved into what Patchstack is today,” says Sild.
Patchstack's goal is to provide the fastest vulnerability mitigation on the market, so it built a platform that covers the entire lifecycle of a vulnerability, from initial discovery to mitigation. “As a threat intelligence company we deal with a lot of security vulnerabilities that are reported to our system. We then create mitigation rules to eliminate these vulnerabilities. This is typically a very manual process, so we have automated it using AI,” says Sild.
Leveraging AI for business operations and identifying vulnerabilities
The startup also relies on AI to streamline most of its internal processes, including market research, product roadmaps, HR and marketing, to help it stay agile. “We are always looking at ways to optimize our business operations with AI. We've even set up an internal company rule: whenever there's a new task, we first try to address it with AI to see if we can automate it somehow,” Sild added.
As AI becomes the standard in the cybersecurity industry, Sild notes that hackers are finding ever more creative and insidious ways to infiltrate secure systems. “AI is like a double-edged sword. It can level the playing field between the defenders and the attackers, but only if they both move at the same pace, which they rarely do. Today, AI is being used to accelerate cyber attacks, so it's never been easier for novice hackers to exploit security vulnerabilities. Indeed, with advanced AI capabilities, we're seeing a reduction in the amount of time hackers need to be able to start attacks, which subsequently reduces the time for companies to defend against said attacks,” Sild warns.
As a participant in the Google for Startups Growth Academy: AI for Cybersecurity program, Patchstack relies on a Google tech stack that features Vertex AI and AI Studio to combine large language models (LLMs) with traditional machine learning and static analysis.
The startup has also developed an AI Code Review tool, built on Google's Gemini 2.5 Pro model, that scans a developer's entire codebase, identifying CMS-specific security issues (such as those related to WordPress) and highlighting potential improvements. Patchstack presents the tool as an example of what Gemini 2.5 Pro can do for security analysis tasks, especially for open-source software vendors: by combining the model's capabilities with its own domain expertise, the company has built a system that it says significantly improves the accuracy and efficiency of WordPress plugin security analysis.
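To make "CMS-specific security issues" concrete, here is a small, added illustration. It is not Patchstack's code and says nothing about how its Gemini-based reviewer actually works; it is a toy static checker in Python for the handful of WordPress-specific defects a reviewer looks for in a plugin's AJAX handler: request data read from `$_GET`/`$_POST` without a `sanitize_*` call, no nonce check (CSRF), no `current_user_can()` before a state change, an unauthenticated `wp_ajax_nopriv_` hook on a state-changing handler, and output echoed without an `esc_*` function (XSS). Both plugin snippets are constructed for this example; the rule names and the `Finding` type are the example's own.

```python
"""Toy static checker for WordPress-specific plugin defects.

Added illustration only: not Patchstack's tooling. It applies a few pattern
checks that only make sense if you know the WordPress API (nonces,
capabilities, sanitize_*/esc_* helpers, wp_ajax_nopriv_ hooks).
Both plugin snippets below are constructed for this example.
"""
import re
from dataclasses import dataclass

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST)\[")
SANITIZERS = re.compile(r"\b(sanitize_\w+|absint|intval|wp_kses\w*)\s*\(")
NONCE_CHECK = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
STATE_CHANGE = re.compile(
    r"\b(update_option|delete_option|wp_insert_post|wp_update_post|wp_delete_post|update_user_meta)\s*\("
)
ESCAPERS = re.compile(r"\besc_(html|attr|url|js|textarea)\w*\s*\(")
ECHO_STMT = re.compile(r"\becho\b([^;]*);")
# Captures the callback name registered on an unauthenticated AJAX hook.
NOPRIV_HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_\w+['\"]\s*,\s*['\"](\w+)['\"]")
FUNC_DECL = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")


@dataclass(frozen=True)
class Finding:
    func: str
    rule: str
    detail: str


def php_functions(src: str) -> dict:
    """Map function name -> body text, matching braces naively (no string/comment awareness)."""
    out = {}
    for m in FUNC_DECL.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        out[m.group(1)] = src[m.end():i - 1]
    return out


def check_plugin(src: str) -> list:
    """Run the WordPress-specific checks over every function in a plugin file."""
    findings = []
    nopriv_handlers = set(NOPRIV_HOOK.findall(src))
    for name, body in php_functions(src).items():
        reads_input = bool(SUPERGLOBAL.search(body))
        changes_state = bool(STATE_CHANGE.search(body))
        if reads_input and not SANITIZERS.search(body):
            findings.append(Finding(name, "unsanitized-input",
                                    "request data used without a sanitize_*/absint/wp_kses call"))
        if reads_input and not NONCE_CHECK.search(body):
            findings.append(Finding(name, "missing-nonce",
                                    "request data accepted without check_ajax_referer/wp_verify_nonce (CSRF)"))
        if changes_state and not CAP_CHECK.search(body):
            findings.append(Finding(name, "missing-capability-check",
                                    "state change without current_user_can()"))
        if name in nopriv_handlers and (reads_input or changes_state):
            findings.append(Finding(name, "nopriv-ajax",
                                    "hooked on wp_ajax_nopriv_*, so unauthenticated visitors reach it"))
        for expr in ECHO_STMT.findall(body):
            if "$" in expr and not ESCAPERS.search(expr):
                findings.append(Finding(name, "unescaped-output",
                                        f"echo{expr}; without esc_html/esc_attr (XSS)"))
    return findings


def rule_ids(src: str) -> list:
    """Sorted, de-duplicated rule identifiers, handy for comparing two versions of a plugin."""
    return sorted({f.rule for f in check_plugin(src)})


# Constructed plugin, vulnerable version: every check above fires on demo_save_note().
VULNERABLE_PLUGIN = r"""<?php
/* Plugin Name: Demo Notes (constructed vulnerable version) */
add_action('wp_ajax_nopriv_demo_save_note', 'demo_save_note');
add_action('wp_ajax_demo_save_note', 'demo_save_note');

function demo_save_note() {
    $note = $_POST['note'];
    update_option('demo_note', $note);
    echo $note;
    wp_die();
}
"""

# Constructed plugin, hardened version: nonce, capability, sanitizing and escaping in place,
# and no unauthenticated hook.
HARDENED_PLUGIN = r"""<?php
/* Plugin Name: Demo Notes (constructed hardened version) */
add_action('wp_ajax_demo_save_note', 'demo_save_note');

function demo_save_note() {
    check_ajax_referer('demo_save_note');
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', 403);
    }
    $note = sanitize_text_field(wp_unslash($_POST['note']));
    update_option('demo_note', $note);
    echo esc_html($note);
    wp_die();
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PLUGIN), ("hardened", HARDENED_PLUGIN)):
        found = check_plugin(src)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.rule}] {f.func}: {f.detail}")
```

Running it reports five findings for the vulnerable handler and none for the hardened one. The point is not the regexes, which a real tool would replace with a PHP parser, but the rule set: none of these defects is visible to a generic scanner that does not know what a nonce, a capability or `wp_ajax_nopriv_` means in WordPress.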
A commitment to cleaning up the WordPress ecosystem
Patchstack has built an active community of ethical hackers who help find vulnerabilities in open-source packages, and it works directly with vendors to run their vulnerability disclosure programs (VDPs). Patchstack is now the world's largest CVE Numbering Authority (CNA), having coordinated over 4,500 vulnerabilities in 2025 alone. Over 50% of all known vulnerabilities in the entire WordPress ecosystem (the largest open-source ecosystem in the world) were coordinated and published by Patchstack. “This unique advantage of early visibility and data access allows us to detect vulnerabilities and protect customers before anyone else,” says Sild.
In 2024, Patchstack also expanded to other CMS platforms, such as Drupal, which is widely used by governments and other public-sector organisations.
"Our goal going forward is to expand to more open-source frameworks, such as Laravel and Node.js. Our deep visibility into vulnerabilities and our ability to auto-mitigate them has been receiving attention from many companies who have asked us to support their platforms. We're gradually expanding our business offering one client at a time."
Achieving great outcomes for the business
As a participant in the Google for Startups Growth Academy: AI for Cybersecurity program, Patchstack benefited from practical guidance and support from experts. “The program really helped us realise the value of the data we hold when it comes to vulnerability intelligence. We have gained a lot of valuable insights, not only from the presentations and the speakers at the events, but also from connecting with the other startups who face similar issues to us. The mentoring sessions on topics like product and sales gave us great insight into building out our team, helped us define our messaging, improve our hiring processes and even helped us prioritise some of our product decisions,” says Sild.
“As a result of the program, we even share the same investors with some of the founders we connected with, and we eventually raised Series A funding from one of the investors we were introduced to during the program too,” he added.