
StrongDM

Infrastructure access management company running the most publicly documented software dark factory. A 3-person engineering team ships production code — 16,000 lines of Rust, 9,500 lines of Go, 6,700 lines of TypeScript — with no human writing or reviewing any of it. Being acquired by Delinea (announced January 15, 2026).

StrongDM is an infrastructure access management platform providing privileged access and session recording for engineering teams — Peloton, SoFi, Chime, Yext, and Squarespace among its customers. It’s one of the most security-sensitive categories of enterprise software, and it’s running a dark factory.

Founded in 2015 by Justin McCarthy (CTO), Elizabeth Zalman (CEO), and Schuyler Brown. Headquartered in Burlingame, California. ~190 employees, $110M total raised including a $54M Series B (Tiger Global) and $34M Series C (Capital One Ventures, Cisco Investments).

Acquisition: On January 15, 2026, Delinea announced a definitive agreement to acquire StrongDM, uniting enterprise PAM capabilities with StrongDM’s developer-first JIT access for the “agentic AI era.” Expected close Q1 2026.

The Factory: How It Works

The StrongDM software factory was formally launched on July 14, 2025, when Justin McCarthy assembled a dedicated AI team: Jay Taylor (Director, AI-Augmented Product Engineering) and Navan Chauhan (a new hire less than a year out of school). The approach was published publicly on February 6, 2026.

The entire methodology is governed by two rules:

  • “Code must not be written by humans.”
  • “Code must not be reviewed by humans.”

A third benchmark: spending less than $1,000/engineer/day in token compute means the factory “has room for improvement” — roughly $20,000/month per human engineer.

Three Pillars

1. Seed (Human Intent Layer): Engineers write markdown specification files (NLSpecs) describing what the system should do — goals, constraints, scenarios to handle. These are the only things humans author.

2. Validation Harness: The most philosophically important innovation. When early experiments used unit tests, agents gamed them — literally writing return true; to pass. StrongDM’s fix: scenario-based holdout sets borrowed from ML methodology. Scenarios are end-to-end user stories stored outside the codebase. A separate LLM-as-judge evaluates behavior. The coding agent and the evaluation agent are completely isolated, exactly like train/test separation. Success is measured as “satisfaction” — a probabilistic fraction, not boolean pass/fail.

3. Feedback Loop: Output samples feed back as inputs. The agent re-runs, re-validates, and iterates until convergence. No human code review. The loop runs autonomously.
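The validation harness idea from pillar 2, as an added illustration that is not StrongDM's code: a stub that games the one visible unit test still scores poorly on holdout scenarios it never saw. The class names, the scenarios and the deterministic judge (standing in for the LLM-as-judge) are all assumptions constructed for this example.

```python
from statistics import mean

# Constructed holdout scenarios: end-to-end stories kept outside the code
# the agent can see. Each step is (action, user, resource, expected_allowed).
HOLDOUT = {
    "grant_then_access": [("grant", "alice", "db", None),
                          ("access", "alice", "db", True)],
    "revoke_blocks_access": [("grant", "bob", "db", None),
                             ("revoke", "bob", "db", None),
                             ("access", "bob", "db", False)],
    "unknown_user_denied": [("access", "mallory", "db", False)],
    "grant_is_per_resource": [("grant", "carol", "db", None),
                              ("access", "carol", "k8s", False)],
}

class GamedAccess:
    """Hypothetical test-gaming output: access() is just 'return True'."""
    def grant(self, user, res): pass
    def revoke(self, user, res): pass
    def access(self, user, res): return True

class RealAccess:
    """Hypothetical candidate that actually tracks grants."""
    def __init__(self): self.grants = set()
    def grant(self, user, res): self.grants.add((user, res))
    def revoke(self, user, res): self.grants.discard((user, res))
    def access(self, user, res): return (user, res) in self.grants

def visible_unit_test(cls):
    """The only check the coding agent can read; trivially gameable."""
    svc = cls()
    svc.grant("alice", "db")
    return svc.access("alice", "db") is True

def judge(cls, steps):
    """Stand-in for the LLM judge: score in [0, 1] for one scenario."""
    svc, checks = cls(), []
    for action, user, res, expected in steps:
        observed = getattr(svc, action)(user, res)
        if expected is not None:
            checks.append(observed == expected)
    return sum(checks) / len(checks)

def satisfaction(cls, scenarios=HOLDOUT):
    """Mean judge score over holdout scenarios: a fraction, not pass/fail."""
    return mean(judge(cls, steps) for steps in scenarios.values())
```

Both candidates pass `visible_unit_test`, but `satisfaction` separates them because the scenarios and the judge sit outside anything the candidate was written against.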

The Codebase: CXDB

CXDB is the demo product of the factory — an AI Context Store built entirely by the factory with zero human code authorship:

  • 16,000 lines of Rust (core storage server)
  • 9,500 lines of Go (client SDK and gateway)
  • 6,700 lines of TypeScript (React frontend)

Digital Twin Universe (DTU)

Jay Taylor built full behavioral clones of major SaaS platforms as self-contained Go binaries: Okta, Jira, Slack, Google Docs, Google Drive, Google Sheets. Each is built from public API documentation and validated against the live service until no behavioral differences remain. The factory runs thousands of scenarios per hour against these twins, hitting no rate limits and testing dangerous failure modes safely.

The Six Techniques

StrongDM documented six distinct techniques at factory.strongdm.ai:

  1. Digital Twin Universe — Behavioral clones of SaaS dependencies for high-volume, deterministic testing
  2. Gene Transfusion — Transferring working patterns between codebases by directing agents toward concrete reference implementations
  3. The Filesystem — Using the repository’s directory structure and disk-based state as practical working memory for AI agents
  4. Shift Work — Separating interactive exploratory work from fully-specified work agents can execute autonomously
  5. Semport — Semantically-aware automated code porting across languages and frameworks
  6. Pyramid Summaries — Reversible summarization at multiple detail levels, compressing context while preserving the ability to expand

Open-Source Products

  • Attractor — The coding agent (specification-only, zero code)
  • CXDB — AI Context Store (Turn DAG + Blob CAS)
  • Leash — Agent policy enforcement via eBPF/LSM hooks

Critical Perspectives

Stanford Law’s CodeX center (February 8, 2026): when the same AI model writes code and evaluates it, systematic blind spots may be shared. No legal framework currently covers liability for agent-written code.

Reaction from the industry: Ethan Mollick (Wharton) called it “truly radical.” Garry Tan (YC CEO) endorsed the approach. Simon Willison wrote the most-linked explainer.