
deepsec

Performs agent-driven security scans of codebases using LLM coding agents to find and triage vulnerabilities. Combines fast regex discovery, per-file AI investigation and revalidation, with optional sandboxed parallel execution and Vercel AI Gateway integration for large monorepos.

Introduction

Most automated security tools surface many low-signal findings or miss cross-file authorization and data-flow issues. deepsec uses coding agents (LLMs) as investigators: it narrows candidate locations with fast regex matchers, then asks agents to trace flows, check mitigations, and produce actionable findings — reducing the manual effort to triage subtle, project-specific issues in large codebases.

What Sets It Apart
  • Agent-driven investigation: instead of only pattern matches, agents read code in context, reason across files, and produce narrative findings with remediation suggestions — so you get human-like traces and recommended fixes rather than raw alerts.
  • Revalidation stage: a follow-up agent re-checks findings to cut false positives; empirical guidance in the project reports a typical initial FP rate in the low tens of percent and substantial FP reduction after revalidation, so teams can prioritize higher-confidence issues.
  • Designed for scale and safety tradeoffs: supports optional fan-out to sandboxed Vercel microVMs for parallel runs on large monorepos and integrates with Vercel AI Gateway for provider failover; this enables multi-hundred-to-thousand-concurrency research but increases infrastructure and inference cost.
  • Extensible matchers and plugins: project-specific regex matchers and a small INFO.md context file let teams focus agent effort on their auth/data primitives, improving precision compared with generic scanners.

Who It's For and Tradeoffs

Great fit if you run large application monorepos and need fewer, higher-signal security tickets that include reasoning and remediation steps. It complements static analyzers by handling cross-file flows and authorization logic. Look elsewhere if your budget or inference quota is very constrained (full scans can cost thousands to tens of thousands of dollars for very large repos), or if you need a zero-inference-cost, always-local SAST-only solution. Also treat agent runs as code-executing tools: run them only on trusted sources, or use sandboxed execution to reduce exfiltration risk.

Where It Fits

Use deepsec alongside conventional SAST/DAST: let regex/static tools surface broad candidate sets, use deepsec to convert hard-to-verify spots into explainable findings and prioritized tickets, and then revalidate before automatic remediation or remediation-by-agent workflows.

Information

  • Website: github.com
  • Organizations: Vercel
  • Authors: cramforce, Melkeydev, steipete
  • Published date: 2026/04/30
