Next-Gen AI Security Engineers Arrive: New AI-SAST Tools Find Logic Flaws and 50+ Zero-Days in Code
The market has begun to see the emergence of the first truly functional solutions that harness artificial intelligence to detect vulnerabilities in source code. This new generation of AI-SAST systems — often referred to as “AI Security Engineers” — no longer merely automates static analysis but rather emulates the analytical reasoning of a human auditor or penetration tester, identifying logical flaws, architectural weaknesses, and discrepancies between a developer’s intent and its actual implementation.
A researcher who tested these products reported that ZeroPath, Corgea, and Almanax currently deliver the most promising results. These tools can uncover real vulnerabilities and coding errors — including complex business logic defects — within minutes, without relying on rigid signature-based rules. They interpret context, correlate functions, variables, and data across files, and can even propose potential code fixes. The rate of false positives is significantly lower compared to traditional SAST platforms.
The AI engines powering these systems operate through a multi-layered analytical process. They begin by indexing the repository, constructing an abstract syntax tree, and determining the application’s purpose. Next, they perform a sequential analysis — line by line, function by function, and file by file — applying proprietary search algorithms, heuristics, and LLM-driven queries. In the final phase, they validate vulnerability reachability, assess severity, and automatically deduplicate results. Some solutions, such as ZeroPath, go even further by analyzing dependencies, determining whether public CVEs affect a particular project, and generating SOC 2-level reports.
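The final phase described above (reachability validation and deduplication) can be sketched with Python's standard `ast` module. This is an added illustration, not code from ZeroPath, Corgea or Almanax, whose search algorithms are proprietary; the sample repository, the findings list and the function names `build_call_graph`, `reachable_from` and `triage` are constructed for the example.

```python
import ast

# Constructed two-file sample repository (not from any real project).
SAMPLE_REPO = {
    "app.py": "from db import run_query\n"
              "def handle_request(user_input):\n"
              "    return run_query(user_input)\n",
    "db.py": "def run_query(q):\n"
             "    return execute('SELECT * FROM t WHERE id=' + q)\n"
             "def legacy_export(q):\n"
             "    return execute('SELECT * FROM t WHERE name=' + q)\n",
}

# Constructed raw findings standing in for the analysis phase's output.
RAW_FINDINGS = [
    {"file": "db.py", "function": "run_query", "rule": "sql-injection"},
    {"file": "db.py", "function": "run_query", "rule": "sql-injection"},      # duplicate report
    {"file": "db.py", "function": "legacy_export", "rule": "sql-injection"},  # never called
]

def build_call_graph(repo):
    """Map each function name to the names it calls, across all files.
    Simplification: functions are resolved by bare name only."""
    graph = {}
    for source in repo.values():
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.FunctionDef):
                graph[node.name] = {c.func.id for c in ast.walk(node)
                                    if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)}
    return graph

def reachable_from(graph, entry_points):
    """Depth-first walk from the entry points; returns the functions that can run."""
    seen, stack = set(), list(entry_points)
    while stack:
        name = stack.pop()
        if name in graph and name not in seen:
            seen.add(name)
            stack.extend(graph[name])
    return seen

def triage(repo, findings, entry_points):
    """Keep findings in reachable code, one per (file, function, rule)."""
    live = reachable_from(build_call_graph(repo), entry_points)
    unique = {}
    for f in findings:
        if f["function"] in live:
            unique.setdefault((f["file"], f["function"], f["rule"]), f)
    return list(unique.values())

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPO, RAW_FINDINGS, ["handle_request"]):
        print(finding)
```

With `handle_request` as the only entry point, the duplicate `run_query` report collapses to one finding and the `legacy_export` report is dropped as unreachable.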
In controlled tests, ZeroPath achieved near-perfect detection of test vulnerabilities and identified over 50 new security issues across open-source projects, including curl, sudo, Next.js, Avahi, and Squid. These findings encompassed buffer overflows, certificate handling errors, memory leaks, improper exception validation, and flaws in TLS implementation. Corgea demonstrated strong performance on JavaScript code and produced detailed taint analysis graphs, though it also showed a higher number of false positives. Almanax, while effective in detecting malicious fragments and simple coding mistakes within individual files, struggled with cross-file analysis.
Despite occasional classification errors and limited automated remediation capabilities, the effectiveness of these systems is already remarkable. They can audit legacy code, automatically analyze new commits, integrate seamlessly into CI/CD pipelines, and assist developers in remediating vulnerabilities before release. Given their relatively low cost, they represent an exceptionally valuable asset for both penetration testers and corporate security teams.
The reviewer’s key conclusion is that AI-SAST platforms may prove to be one of the most significant technological shifts in cybersecurity since the resurgence of fuzzing in the 2010s. While they are unlikely to replace human penetration testers entirely, they already eliminate much of the repetitive workload, enhance code quality, and substantially reduce the number of critical vulnerabilities.