Our YC Application

We're often asked for our YC application as a reference for other founders applying to YC. Here's our full unedited version.

Note: our YC application is far from "perfect." I've added some commentary where I would suggest changes or corrections to the way that we answered a given question. If you are considering applying to YC, you should watch their video on the application process.

YC Application: Clearly AI

How long have the founders known one another and how did you meet? Have any of the founders not met in person?

We first met in February 2019 at Amazon. Joe was a software engineer on Secure AI Foundations and Emily was a software engineer at Alexa NLU. They both volunteered to be security reviewers, which is how Joe became a reviewer for Emily's software application.

Who writes code, or does other technical work on your product? Was any of it done by a non-founder? Please explain.

Both founders will write code for the product. Emily is building the MVP.

Please record a one minute video introducing the founder(s) * (Required)

https://youtu.be/ZQ6COG83lDY 

Company name:

Clearly AI

Describe what your company does in 50 characters or less.

Software security and privacy reviews using AI.

Company url, if any:

clearly-ai.com

If you have a demo, attach it below.

https://youtu.be/0gm8H2u_J3I 

Please provide a link to the product, if relevant.

N/A

What is your company going to make? Please describe your product and what it does or will do.

We are building an AI-powered software security review system. It ingests artifacts (design docs, code, analyzer outputs, etc.) and checks them against security frameworks, best practices, and company-specific policies. Our dashboard provides visibility for security teams to evaluate and prioritize risks.

Every enterprise company performs security reviews on both internally-developed and 3P-vended software. Today, these reviews are manual, tedious, and error-prone. Security teams are overwhelmed, leading to late issue discovery and costly product release delays. CSOs have little visibility into where their software risks lie.

Clearly AI secures your entire software stack, from internal code to 3P vendors. Clearly AI helps your team in every step of the development lifecycle, from design to production. Clearly AI continuously monitors every change to your software and uncovers what’s vulnerable, what’s missing, and what’s non-compliant with your policies.

Where do you live now, and where would the company be based after YC?

Seattle, USA / Seattle, USA

Explain your decision regarding location.

Both founders have strong networks in Seattle. The greater Seattle area has a thriving tech scene as the headquarters for Amazon, Microsoft, and more.

How far along are you?

We’ve talked to 46 prospective customers, security leaders, and/or fellow founders over the past 8 weeks. These conversations highlighted three unsolved pain points: (1) manual and slow internal software reviews, (2) time-consuming external vendor reviews (as the buyer), (3) completing security questionnaires (as the seller). We are currently building our MVP.

How long have each of you been working on this? How much of that has been full-time? Please explain.

We spoke with our first prospective customer in February 2024. Emily has been working part-time (nights and weekends) since then. Emily will transition to full-time in June 2024. Joe will transition to full-time in July 2024 as we raise our pre-seed round.

What tech stack are you using, or planning to use, to build this product?

We plan to use common frameworks including: LangChain, Python, React, and Retool.

Are people using your product?

No

When will you have a version people can use?

June 2024

Do you have revenue?

No

If you are applying with the same idea as a previous batch, did anything change? If you applied with a different idea, why did you pivot and what did you learn from the last idea?

N/A

If you have already participated or committed to participate in an incubator, "accelerator" or "pre-accelerator" program, please tell us about it.

N/A

Why did you pick this idea to work on? Do you have domain expertise in this area? How do you know people need what you're making?

No matter what technology we worked on, one thing was constant: security reviews. And they were awful — manual, tedious, and repetitive. They were painful as the developer, and painful as the security engineer. We didn’t know if our experience was unique to Amazon and Moveworks, so we interviewed everyone: from security hackers at small startups to CISOs at global enterprises. In a short amount of time, one theme became clear: there is too much software for security teams to effectively cover.

We learned that security technology can use some serious improvements. Automated security methods like static and dynamic analysis fail to solve security at the design and architecture level. Security automation lacks contextual understanding and is full of false positives and noise. On the other hand, manual security methods, like threat modeling, architecture reviews, and vulnerability management are tedious and slow.

This problem space is huge and not going away. The world runs on software. Software handles more sensitive data now than ever before. Software security vulnerabilities and breaches affect us all. Even enterprises with significant resources constantly play catch-up as security standards and industry best practices evolve with new technologies and regulatory requirements. For example, the SEC just announced new cybersecurity disclosure requirements that include annual disclosures of cybersecurity risk management, strategy, and governance for all public companies [1].

We believe the manual pains of contemporary cybersecurity practices can be solved with recent advancements in AI and strong software engineering. The strengths and weaknesses of LLMs as tools to aggregate, summarize, and reason are becoming well understood as they become increasingly commodified. Techniques such as vector embedding and retrieval augmented generation (RAG) on specialized datasets provide more avenues than ever to break down the barrier between semantics and computation.

[1] https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214

Note: This answer should've been much shorter and highlighted why we (as founders) are uniquely positioned to tackle this problem: together we have completed hundreds of security reviews at Amazon and Moveworks and we are industry experts in both product security and AI systems.

Who are your competitors? What do you understand about your business that they don't?

Today, most companies in the security space target (1) endpoint and network security (Palo Alto Networks, CrowdStrike), (2) static and dynamic code analysis (Wiz, Semgrep, Tenable, Snyk), or (3) compliance (Vanta, Drata). We are not planning to compete directly with any of these categories, but integrate with existing tools. We look at application and system design as a whole, including inputs from existing code analysis tools. Instead of auditing a company’s posture for a specific compliance framework, we focus on security and privacy best practices, and our evaluations can be a useful input into compliance tooling.

There are a few large companies moving into the space of automating security reviews, such as Semgrep Assistant and Google Cloud’s Security AI Workbench. OpenAI even authored prompts for an SDLC Slackbot. Semgrep and Google’s solutions are narrow offerings focused on existing customers (e.g., only evaluates GCP posture).

We understand that businesses want a holistic view of their application security and privacy posture, in a single solution that will solve both internal software review and vendor reviews (both on the buy and sell side). They do not want a separate assistant for each part of their stack, or a separate tool for each security challenge. Clearly AI helps companies incorporate security throughout their software development and procurement lifecycle and helps CSOs allocate their resources more efficiently.

How do or will you make money? How much could you make (best estimate)?

We will charge an annual license fee with pricing tiers (e.g., Standard, Enterprise, Premium). To tackle price scaling for larger enterprises, we will charge one license per business unit (e.g., separate license for Marvel Studios vs. Disney Motion Pictures).

We believe this is a multi-billion dollar business, as spending on application security, cloud security, data privacy, data security, and security services equaled a combined $110 billion in 2021 per McKinsey [1] (overall security spending is at $215 billion and growing at 14% annually per Gartner). [2]

We can save potential customers >$100k for each security-related position we replace (currently a workforce gap of over 520,000 in the US [3]). With only 1% headcount replacement, we will reach $520M ARR. We expect to reach $100M ARR within 3-6 years.

[1] https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers
[2] https://www.gartner.com/en/newsroom/press-releases/2023-09-28-gartner-forecasts-global-security-and-risk-management-spending-to-grow-14-percent-in-2024
[3] https://media.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf?rev=28b46de71ce24e6ab7705f6e3da8637e (page 11)

Note: Instead of top-down market sizing, we should've worked bottoms-up from how much we would charge at each pricing tier. During our demo day fundraising pitch, we calculated the market size using the following formula:

There are 62k companies that make more than $25M ARR and therefore are subject to CCPA.  If we charge 100k per year, the market opportunity is 6.2B.

How do users find your product? How did you get the users you have now? If you run paid ads, what is your cost of acquisition?

We are targeting two different customer acquisition techniques: (1) founder-led sales via our strong and deep connections in the security industry; and (2) partnership with security consultants that act as “Virtual AppSec” to sell Clearly AI as part of their consultant services. We will also leverage industry conferences and SEO content marketing (thought leadership blog posts) to spread the word.

Where will most of your initial users be located? (Country)

USA

Which category best applies to your company?

Security

Have you formed ANY legal entity yet?

No

If you have not formed the company yet, describe the planned equity ownership breakdown among the founders, employees and any other proposed stockholders. If there are multiple founders, be sure to give the proposed equity ownership of each founder and founder title (e.g. CEO). (This question is as much for you as us.)

Emily, CEO - 51%

Joe, CTO - 49%

Note: we were given the advice that we shouldn't have a 50/50 split so we have a "deciding" vote in case of a deadlock. In reality, I don't know that it matters.

Have you taken any investment yet?

No

Are you currently fundraising?

No

If you had any other ideas you considered applying with, please list them. One may be something we've been waiting for. Often when we fund people it's to do something they list here and not in the main application.

  • Plan AI - AI-powered trip / wedding / event planner.

  • Squarespace/Retool for AI Agents - building blocks to create custom AI workflows. Configure personal agents to do things for you in the background. No/low-code.

  • Todo - Capture todos on the go. AI fills in the blanks, organizes your backlog, adapts to your lifestyle, breaks down projects or vague tasks into small easy wins.

  • HomeLab in a Box - like Oxide Computer Company but for home. Just connect the box to your router. Home server, remote access, personal cloud made easy.

What convinced you to apply to Y Combinator? Did someone encourage you to apply? Have you been to any YC events?

Three YC founders encouraged us to apply: Jeff Barg (W21), Nick Fiacco (W23), and Edrei Chua (S23). While each entered YC at different stages, they all spoke to the benefits of YC’s mentorship, network, and support. As first-time founders, we are especially interested in the learnings we can gain from YC, the network of previous YC companies as potential customers, and the support from fellow founders and experienced group partners as we go through this process. We have not yet been to any YC events. But we love the startup school YouTube videos!

How did you hear about Y Combinator?

We (especially Joe) have been avid consumers of Hacker News for over a decade and have watched much of YC’s Startup School content on YouTube.

Emily's Founder Profile

Please tell us about a time you most successfully hacked some (non-computer) system to your advantage.

At DEFCON, the Social Engineering village runs a competition to “vish” (voice phish) a randomly assigned business to elicit sensitive information from an employee. My three objectives were to obtain the corporate security policies, uniform store, and physical security measures for Planet Fitness. I completed these objectives the fastest without detection (<2 minutes) of everyone who attempted. The judges said I had a future career as a social engineer! :)

Please tell us in one or two sentences about the most impressive thing other than this startup that you have built or achieved.

I was elected president of EMS-Post 53 [1], where I led an 80-person organization responsible for all medical emergencies in Darien, CT. I delivered a woman’s baby, performed life-saving CPR three times, and responded to 20+ major car crashes on I-95, all while in high school and college.

[1] https://post53.org/

Tell us about things you’ve built before. For example apps you’ve built, websites, open source contributions. Include URLs if possible.

I led the design, implementation, and launch of the Alexa Dynamic Entities feature. With Dynamic Entities, third-party skill developers can bias Alexa’s speech recognition, NLU, and entity recognition with custom catalog entities at runtime.

Launch announcement: https://developer.amazon.com/en-US/blogs/alexa/post/db4c0ed5-5a05-4037-a3a7-3fe5c29dcb65/use-dynamic-entities-to-create-personalized-voice-experience.html

Documentation: https://developer.amazon.com/en-US/docs/alexa/custom-skills/use-dynamic-entities-for-customized-interactions.html

List any competitions/awards you have won, or papers you’ve published

Presentations/Publications:

Awards:

  • Alexa Engine Leadership Principle Award Recipient: awarded to a few outstanding Alexa engineers

  • Graduated Cum Laude with High Honors in Computer Science for my thesis: “Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control”

  • Citations for Academic Excellence in Intro to Programming and Computing, Argentinean Literature, and Financial Intermediaries & Markets

Joe's Founder Profile

Please tell us about a time you most successfully hacked some (non-computer) system to your advantage.

In 2020, I wanted to move to Colorado to spend my lockdown outdoors without leaving my Boston-based team. Amazon was strict about “imminent” RTO, with notoriously difficult VP-level exceptions. I read through the Company Personnel Policies on Alternative Work Arrangements and Telecommuting policies, which allowed for case-by-case arrangements based on family needs. I presented the case that my significant other was moving to Colorado, and that so must I. My “significant other” at the time was of course Emily, who was then my girlfriend, and a fellow Amazon employee. I told Emily to present the same case, arguing her significant other’s move to CO required her to move as well. So, being each other’s significant other, we both got to enjoy plenty of skiing that winter.

Please tell us in one or two sentences about the most impressive thing other than this startup that you have built or achieved.

My name is engraved on one of two satellites in low-earth orbit, currently flying at over 17,500 mph. I also wrote the software running onboard that tells us how it’s doing, even when bandwidth is extremely constrained (< 1Mbps for a few minutes per day).

Tell us about things you’ve built before. For example apps you’ve built, websites, open source contributions. Include URLs if possible.

Jeff Bezos wanted to tell Alexa “forget everything I said today” and see his utterance disappear from his Alexa app’s activity history (and removed from all ML training systems). I designed and delivered new time-based Deletion APIs, cutting the delete latency SLA from 24 hours to under a second [1].

Those APIs turned out to be quite useful, as public interest in privacy grew. Within a year, it enabled auto-deletes for over a million daily users.

The one time I was happy to get paged on a weekend was during the height of COVID. A cross-functional team needed help getting some Echo Show devices to permanently forget all history so that they can facilitate communication between doctors and patients at hospitals without violating HIPAA. This was an easy task thanks to the Deletion APIs I built the previous year [2].

[1] https://www.cnn.com/2019/05/29/tech/alexa-delete-everything-privacy/index.html
[2] https://www.businessinsider.com/amazon-alexa-hospitals-echo-next-to-us-hospital-bed-2021-10

List any competitions/awards you have won, or papers you’ve published

I’m admittedly a bit of an Amazon nerd. I am a top 250 contributor on Sage, Amazon’s internal version of StackOverflow.
