
Endor Labs acquired Autonomous Plane, expanding Endor Labs' AI-native application security platform to deliver full-stack reachability across applications and container images.
"Container scanning has been stuck in inventory mode, telling teams what's installed rather than what matters," says Varun Badhwar, CEO and co-founder of Endor Labs. "Security tools have to evolve beyond scanning components in isolation. With this acquisition and the launch of full-stack reachability, we're delivering evidence-based visibility across the entire stack so teams can focus on real risk, reduce operational noise, and make compliance achievable."
Key takeaways:
· Enabled by technology developed by Kyle Quest, who joined Endor Labs through the acquisition, full-stack reachability combines source code analysis with dynamic and static container analysis to model applications end-to-end, tracing vulnerability impact from application code through language runtimes and OS components.
· By coupling static dependency graph analysis with automatic runtime profiling, full-stack reachability identifies which vulnerabilities are actually exploitable, filtering out up to 90% of false positives reported by traditional scanners.
· Endor Labs delivers what is said to be the industry's first full-stack approach, analyzing SCA findings and container image vulnerabilities together.
· The evidence-based approach also proves particularly valuable for regulated industries. Standards like FedRAMP mandate strict remediation timelines for vulnerabilities, but container bloat means base images contain hundreds of general-purpose libraries that most applications never use. Without reachability analysis, teams waste engineering resources fixing vulnerabilities in unused code or risk compliance penalties by missing critical issues buried in noise.
"Traditional container scanners report every CVE in an image, forcing teams to sift through hundreds of findings manually," says Quest. "Full-stack reachability uses information from the application layer to understand which container image packages are loaded, identifying which packages and vulnerabilities are reachable in running applications. For regulated industries, this evidence-based approach ensures teams can focus on real risk without getting lost in noise."




















