Most security scanners are judged by what they find; the harder problem is proving a finding is actually exploitable rather than noise. DeepAudit's bet is that an LLM can do both halves — reason about code like a reviewer, then write and detonate a proof-of-concept to settle the question. Its closed-source predecessor reportedly surfaced 49 CVEs and 6 GHSA advisories across 17 projects, which says less about the model and more about closing the loop between detection and verification.
What Sets It Apart
- It verifies, not just flags. Each candidate vulnerability is handed to a sandbox where the system auto-generates and runs a PoC inside Docker; what survives is exploitable, not theoretical. That directly attacks the false-positive fatigue that kills most SAST adoption.
- Roles, not one mega-prompt. Separate Orchestrator, Recon, Analysis, and Verification agents divide the work, so reasoning about a large codebase is staged instead of crammed into a single context window.
- RAG over CWE/CVE, not just pattern rules. Retrieval grounds the analysis in known weakness classes, helping it explain why something is a vulnerability rather than matching a regex.
- Model-agnostic and self-hostable. OpenAI, Claude, Gemini, DeepSeek, and Qwen all plug in, and Ollama lets you keep proprietary source code on-prem.
Who It's For
Great fit if you maintain open-source or internal codebases and want a triage layer that filters noise by actually attempting exploitation, or if you need on-prem auditing where source code can't leave the building. Look elsewhere if you want a mature, battle-tested commercial scanner with support SLAs — this is a young open-source release whose results depend heavily on the LLM you wire in, and sandboxed PoC execution adds Docker, Postgres, and Redis to your operational footprint.