Security has two places to catch a flaw: in production, where it is expensive and dangerous, or in the code before it ships, where it is cheap. “Shift left” is the industry's name for moving detection earlier — and static analysis, reading source or binaries without running them, is the core technique that makes early detection possible.

Lacework, Inc.'s US12034754B2, “Using static analysis for vulnerability detection” (issued July 9, 2024; CPC G06F 21/57 — evaluating program/system security, and H04L 63/1425 — anomaly monitoring), describes detecting vulnerabilities via static analysis.

Mechanically, static analysis models the code's structure and possible behaviors — the call graph, data flows, dangerous patterns — to surface vulnerabilities without ever executing the program. One of the named inventors, Peter O'Hearn, is a noted figure in program-analysis research, a tell that this is rigorous static reasoning rather than simple pattern-grepping.
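
To make the contrast between data-flow reasoning and pattern-grepping concrete, here is an added example (not taken from the patent or from Lacework's product): a toy taint tracker built on Python's `ast` module, next to a regex match over the same file. The source and sink lists, the sample program and the function names are assumptions chosen for illustration; the sample is parsed, never run.

```python
import ast
import re

SOURCES = {"input"}            # assumed: calls that return untrusted data
SINKS = {("os", "system")}     # assumed: calls that must not receive it

# Constructed sample program; it is only parsed, never executed.
SAMPLE = '''\
import os
name = input("dir: ")
cmd = "ls " + name
os.system(cmd)
os.system("uptime")
'''

def grep_findings(source):
    """Pattern match: every line that mentions the sink, whatever its argument."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if re.search(r"\bos\.system\(", line)]

def is_tainted(node, tainted):
    """True if any sub-expression is a source call or a tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                and sub.func.id in SOURCES):
            return True
    return False

def dataflow_findings(source):
    """Flow-sensitive taint pass over straight-line, module-level code."""
    tainted, findings = set(), []
    for stmt in ast.parse(source).body:
        # Check sinks against the taint state reaching this statement.
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            f = call.func
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and (f.value.id, f.attr) in SINKS
                    and any(is_tainted(a, tainted) for a in call.args)):
                findings.append(call.lineno)
        if isinstance(stmt, ast.Assign):
            names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
            if is_tainted(stmt.value, tainted):
                tainted.update(names)             # taint propagates to targets
            else:
                tainted.difference_update(names)  # overwritten with clean data
    return findings
```

On the sample, the regex reports both `os.system` lines, while the data-flow pass reports only the call whose argument derives from `input()`. Branches, functions and aliasing are out of scope for this toy; handling them is where call-graph and interprocedural analysis come in.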

Why this is a business story: cloud-security platforms are racing to own the full lifecycle from code to cloud, and static analysis is the “code” end of that pipeline. Lacework's trajectory illustrates the stakes — once valued at $8.3 billion, it was ultimately acquired by Fortinet in 2024 at a far lower price, a cautionary tale about cloud-security valuations. The IP, including code-to-cloud capabilities like this static-analysis grant, is what Fortinet bought to extend its cloud-native application protection platform.

The grounded read: static-analysis vulnerability detection catches flaws cheaply by reading code instead of running it — the shift-left half of code-to-cloud security. Lacework's 2024 grant names that capability, part of the portfolio Fortinet acquired in a deal that reset cloud-security valuation expectations.