According to a recent report, the ever-present threat of cybercrime is expected to come with an eye-watering price tag of $10.5 trillion in 2025.
This isn’t for want of trying by organizations, leaders and CTOs. Cyber defense strategies are a priority; however, the attack surface that needs protection is constantly growing and changing. It’s especially difficult to secure the perimeter when cloud and off-prem technologies are involved.
Further, new research shows that these sprawling infrastructures can be breached without detection. In fact, the average breach takes 212 days to detect and another 75 to contain.
It goes without saying that delays of this kind pose a grave security risk, giving attackers almost a year of free rein over sensitive data and ample time to infect computers, servers and networks. Banks and other companies in the financial sector remain a prime target for cybercriminals because of the goldmine of valuable data and confidential information they handle.
DeepSource, the Y Combinator startup making waves in the cybersecurity community, announced this week that its autonomous AI Agents observe key events, such as commits made to the code base, apply reasoning to optimize for their security goals, and autonomously take action to proactively keep the organization’s code base secure.
The three AI agents being launched are:
False-positive Triage Agent
Based on the repository’s context, its own memory, and real-world threat intelligence, the agent decides whether security issues found in the code are valid. If they are invalid, it automatically suppresses them and records the reasoning behind that decision.
Common Vulnerabilities and Exposures (CVE) Prioritization Agent
This agent triages open-source vulnerabilities based on the repository’s context and re-prioritizes them autonomously – currently a manual task that AppSec teams spend a lot of time on and that, according to the company, can be fully replaced by AI.
Autofix™ AI Autopilot
This agent puts DeepSource’s existing Autofix™ AI feature on autopilot by learning developer behavior and autonomously creating pull requests with security fixes in the code.

Key characteristics of the agents: they run 100% autonomously; they save roughly 5 hours per developer every week in areas including manual triage and executing fixes; and they understand the context of the software projects and reason about their observations based on their memories and their team’s goals.
Said DeepSource CEO Sanket Saurav in a company statement: “Real end users will be impacted if companies don’t evolve their tooling to ensure they’re securing this exponentially higher volume of code.”
“Code is no longer being written just by humans. The surge of AI-generated code means 10x more code can now be developed in the same amount of time, and by less experienced developers. But we’re not speeding up our code security practices by that same factor,” added the executive.
AI-generated code is becoming a huge component in software development, with 1 in 4 Y Combinator startups using AI for 95% of their code.
At the same time, research has found that almost half of the AI-generated code being studied had bugs that could lead to harmful exploitation.
It may be counterintuitive to suggest that AI-driven tools can solve an AI-generated problem; however, the LLM-based AI used by code generators and the AI used in this SCA tooling are very different in nature.
“We built our AI Agents to be goal-based, and work with hundreds of signals and observations, so we are able to align these agents to act autonomously – rather than follow simple code generation loops,” says Jai Pradeesh, co-founder of DeepSource. “All the traces of our AI Agents are visible to users, so they can see how the agents reason.”
“This can be used by companies to align how the agents behave. Doing this is not possible for generalist AI tools since they lack the code’s context that we see with static analysis,” concluded the executive.
In February of this year, the company released Globstar, an open-source project bringing cutting-edge code security tooling to the AppSec community, with no restrictions on commercial usage.