Plexicus

I sold Dinoflux to Telefónica, spent a few years inside a 100k‑person telco, and still heard the same cry from engineering teams:

“We’re drowning in vuln alerts, but fixes crawl through red tape.”

Plexicus exists so those alerts become merged pull requests, not backlog sludge.


2023 — Delaware, COVULOR & the “what‑the‑hell‑are‑we‑building?” phase

Wait, let me clarify something important here. COVULOR was the first name I gave to our ASPM (Application Security Posture Management) prototype. It stood for Continuous Vulnerability Orchestrator — a mouthful, I know. It “worked” the way a duct‑taped drone flies: technically airborne… just don’t stand underneath.

That year I hired Juan José Florez as Plexicus’s first employee. We’d worked together before; I needed someone who could turn napkin sketches into code with zero drama. He said yes. We started shipping.

Now, you might be thinking: “But wait, isn’t COVULOR a DevSecOps and cloud security community?” Exactly! Here’s the thing: when we consolidated everything under the Plexicus brand, I decided to rescue the COVULOR name and give it a second life as the community it is today. It’s a nice full-circle moment — the prototype that started it all now lives on as a thriving community of security professionals.

So yes, the first ASPM prototype was called COVULOR, and yes, COVULOR is now a DevSecOps community. Two different things, same name, one origin story.


2024 — Rebuild, a wobbly MVP & a booth in San Francisco

2024 was the “rip it apart and do it right” year. We learned from the 2023 mess, rewrote huge chunks, and scraped together an MVP that mostly ran without catching fire.

With that shaky build we flew to RSA Conference 2024 (6–9 May, Moscone Center, San Francisco) as part of the INCIBE/ICEX Spanish pavilion. South Expo Booth #0842. Surrounded by polished giants, we were the scrappy kid with scars and a story. And, surprisingly, that story resonated.

In October (21–23 Oct 2024) we hit the stage at 18ENISE (León) with our first public talk: “Protecting the Software Supply Chain with AI.” 6,000+ attendees, 168 companies, one dying clicker, two sleepless nights — and an audience actually nodding when I said “auto‑remediation”.


2025 — Sales flip on, Ironchip signs, and accelerator bootcamps

Sales truly started in 2025. Our first paying customer? Ironchip, a Bilbao identity‑security startup that bet on us to tame scanner chaos and ship fixes faster. Customer #1 love is real.

4 March 2025 – Segurilatam announced CEFIROS will offer Plexicus to help companies in LATAM & Iberia define their AppSec posture. From day one, we wanted channel partners; this was our first big one.

May 2025 — Aupa, Bilbao (for real)

We moved HQ to Bilbao in May 2025, incorporating Plexicus S.L. as the global parent. Delaware gave us a clean cap table; Bilbao gave us a home, talent, and pintxos. Zero regrets.

Spring 2025 — SWG, Tallinn, Latitude59, Baku… & Graduation Day

  • Startup Wise Guys (Cyber) — Spring 2025 batch. We got in, got a $100k ticket, and got our butts kicked — in the best way. On‑site week in Tallinn wrapped around Latitude59 (21–23 May 2025), where we pitched on stage with the cohort.
  • ECSO Cyber Investor Days — 5 June 2025, The Shard (London). Agenda line read: “15:55–16:30 Pitching Session… Fortyx, Gataca, Plexicus, QuoIntelligence.” Five minutes to explain why fixing vulns shouldn’t take five weeks. We left sweaty and happy.
  • South Summit — 4–6 June 2025 (Madrid). Madrid City Council rotated 85+ startups through its stand. We were one of them. Surreal to pitch on home turf after all the planes.
  • Baku ID — 19–20 June 2025 (Azerbaijan). Five SWG startups, one stage, a lot of Baku heat; we pitched, networked, survived.
  • 25 July 2025 – Graduated from SWG today. Diploma metaphorical; network very real.

We also started popping up in comparisons: Slashdot/SourceForge listed us alongside Wiz and Chainguard, noting our agentless scanning (Plexalyzer) and real‑time SQLi alerts. Seeing our scrappy product described like an enterprise suite was… weird, but welcome.


What We Actually Built (and why it matters)

Plexalyzer — The brain that reads everything

Think of Plexalyzer as a translator between a dozen security tools and your dev team. SAST, SCA, secrets, IaC, containers… it normalises, deduplicates, and scores them for exploitability, blast radius, and compliance fallout. Instead of 2,000 “critical” tickets, you get 20 “actually critical” ones.

(Example: first week at Ironchip, Plexalyzer collapsed thousands of duplicate Dependabot/Trivy alerts into a few dozen unique risks — the team fixed them all in days, not months.)
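A minimal sketch of the normalise-and-deduplicate step described above, added here as an illustration and not Plexalyzer's own code. The record fields are simplified stand-ins for scanner output and the advisory ids are constructed placeholders.

```python
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts: simplified field names and placeholder advisory ids, not real scanner output.
RAW = [
    {"tool": "dependabot", "pkg": "lodash", "ghsa": "GHSA-EXAMPLE-1", "cve": "CVE-EXAMPLE-1", "sev": "high", "manifest": "web/package.json"},
    {"tool": "dependabot", "pkg": "lodash", "ghsa": "GHSA-EXAMPLE-1", "cve": "CVE-EXAMPLE-1", "sev": "high", "manifest": "admin/package.json"},
    {"tool": "trivy", "PkgName": "Lodash", "VulnerabilityID": "CVE-EXAMPLE-1", "Severity": "HIGH", "Target": "web/package-lock.json"},
    {"tool": "trivy", "PkgName": "openssl", "VulnerabilityID": "CVE-EXAMPLE-2", "Severity": "CRITICAL", "Target": "api:latest"},
    {"tool": "dependabot", "pkg": "requests", "ghsa": "GHSA-EXAMPLE-3", "cve": None, "sev": "medium", "manifest": "api/requirements.txt"},
    {"tool": "trivy", "PkgName": "requests", "VulnerabilityID": "GHSA-EXAMPLE-3", "Severity": "MEDIUM", "Target": "api:latest"},
]

def normalise(alert):
    """Map a tool-specific record onto one common shape."""
    if alert["tool"] == "dependabot":
        pkg, ids = alert["pkg"], {alert["ghsa"], alert["cve"]}
        sev, where = alert["sev"], alert["manifest"]
    elif alert["tool"] == "trivy":
        pkg, ids = alert["PkgName"], {alert["VulnerabilityID"]}
        sev, where = alert["Severity"], alert["Target"]
    else:
        raise ValueError(f"unknown tool: {alert['tool']}")
    return {"pkg": pkg.lower(), "ids": ids - {None}, "sev": sev.lower(),
            "where": {where}, "tools": {alert["tool"]}}

def deduplicate(alerts):
    """Merge findings that share a package and at least one advisory id (alias-aware)."""
    groups = []
    for merged in map(normalise, alerts):
        rest = []
        for g in groups:
            if g["pkg"] == merged["pkg"] and g["ids"] & merged["ids"]:
                # Same risk seen again: union ids and locations, keep the worst severity.
                for key in ("ids", "where", "tools"):
                    merged[key] |= g[key]
                merged["sev"] = max(merged["sev"], g["sev"], key=SEVERITY_RANK.get)
            else:
                rest.append(g)
        groups = rest + [merged]
    return sorted(groups, key=lambda g: -SEVERITY_RANK[g["sev"]])

if __name__ == "__main__":
    for risk in deduplicate(RAW):
        print(risk["sev"], risk["pkg"], sorted(risk["ids"]), len(risk["where"]), "locations")
```

Matching on any shared advisory id is what lets a GHSA-only alert and a CVE-only alert for the same package land in one group once a third record carries both ids.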

Codex Remedium — The hands that fix right now

Findings without fixes are just anxiety. Codex Remedium takes Plexalyzer’s output and opens a pull request with the patch, unit tests, and docs. Dev reviews, merges, ships. We built it because everyone talked about “shift left” — no one talked about “ship fixes”.

Under the hood (no BS version)

Code → Build → Deploy → Fix (PR merged)

  • Code → SAST & secret scanning
  • Build → SBOM & container checks
  • Deploy → CSPM / runtime drift
  • Fix → PR in < 2 minutes

All agentless. LLMs parse ASTs, rewrite unsafe patterns (e.g. string‑concat SQL → parameterised queries), and generate tests. Fewer broken builds than you’d think.


The Crew (balanced, no heroes left behind)

  • 2023 – Juan José Florez: first hire, former teammate, co‑built the early Plexalyzer/Codex guts with me.
  • 2024 – Irvine Pramudya Bagaskara (Indonesia, PM) & Tobias Malbos (Argentina, Backend). Product polish meets backend muscle.
  • 2025 – Héctor Belzunces (intern → full‑time, business Swiss‑army knife), Luky Setiawan & Rizal Prasetya (Frontend, Indonesia), Septian Wahyu (Compliance). We hire hungry minds, not fancy titles.

What’s Next?

  • Policy‑aware remediation — every fix cross‑checked against CIS Benchmarks, OWASP MASVS, etc., so we don’t “fix one, break ten”.
  • Remediation‑as‑Code SDK — let any security vendor plug into Codex Remedium.
  • Compliance engine++ — DORA, NIS2, ISO 27001, SOC 2 mapped automatically.
  • MSSP network — CEFIROS is first; more regional partners are lining up.