Apiiro Launches AI-SAST That Detects, Validates and Fixes Code Vulnerabilities with Software Architectural Context from Code-to-Runtime

New capability combines AST scanning, LLM reasoning, and Apiiro Deep Code Analysis (DCA) to deliver automatic vulnerability detection and validation, with actionable fixes

Apiiro, the leading agentic application security platform, introduced Apiiro AI SAST, a new approach to static application security testing (SAST) that automates code risk detection, validation and fixes with the precision and cognitive process of an expert application security engineer. Grounded in Apiiro’s patented Deep Code Analysis (DCA), Apiiro AI-SAST combines call flow, data flow and reachability analysis with AI reasoning to eliminate false positives, validate exploitable risks, and fix true business risks.

AI coding assistants have increased code delivery by 4x, while simultaneously raising application risk by 10x. Traditional SAST tools are unable to keep pace with this acceleration and the complexity of modern software. Built on legacy approaches, these tools generate large volumes of false positives without determining whether vulnerabilities are reachable, exploitable, or relevant to the business. The result is excessive noise, reduced developer productivity, and overwhelmed security teams.

“Apiiro’s AI-SAST, powered by Deep Code Analysis (DCA), dramatically reduced false positives in our environment within weeks. By mapping SAST findings to API entry points, we can better prioritize the risks that matter most,” said Colin Barr, Head of Information Security at Paddle.

“Plenty of vendors have tried bolting AI onto raw code to tame SAST noise, but these legacy fixes fail in enterprise environments because they simply don’t understand the software’s architecture or the business context around it,” said Moti Gindi, Chief Strategy Officer of Apiiro. “Apiiro AI SAST delivers what enterprise teams need: highly qualified risks with clear, actionable fixes, rooted in the deep software architectural intelligence only our DCA technology can deliver.”

By combining application security testing (AST) scanning, Large Language Model (LLM) reasoning, and Apiiro’s patented Deep Code Analysis (DCA), Apiiro AI SAST cuts through noisy alerts to detect and fix highly qualified, exploitable risks based on software architecture from code to runtime.

The technology mimics the cognitive process of an expert application security researcher, leveraging five core capabilities:

AST + LLM Symbiosis: The technology uses AST scanning for rapid, deterministic detection of potential issues, then applies specialized AI agents with expert-level knowledge to validate each finding. This combination delivers the coverage of a scanner with the precision of human analysis.

Deep Code Analysis (DCA): Apiiro’s DCA technology builds a comprehensive Software Graph of the entire codebase – across code modules and code repositories – before AI analysis, mapping control flow, data flow, APIs, OSS dependencies, frameworks, secrets, and all other code resources across the entire tech stack. This software architectural foundation enables Apiiro to detect risks and generate fixes tailored to an organization’s environment.

Code-to-Runtime: Using Apiiro’s proprietary “Applicative Fingerprinting” technology, Apiiro AI-SAST automatically maps code resources with their specific build and production artifacts to distinguish theoretical risks from real business risks.

AI Remediation: Apiiro AI-SAST traces each vulnerability to its root cause and identifies the single optimal fix location to secure the entire application, generating precise code modifications tailored to the existing software graph – across all APIs, OSS dependencies, frameworks, and coding patterns.

Adaptive Feedback: The Apiiro AI-SAST engine adapts to each customer’s environment through customizable detection logic and human-in-the-loop feedback that refines the AI’s understanding of organizational security standards and business logic.

Apiiro AI-SAST is available in public preview.

Apiiro is the Agentic Application Security Platform, powered by the AutoFix Agent – force-multiplying application security and development teams to design, develop, and deliver secure software faster in the AI era. Fortune 500 companies including BlackRock, TIAA, USAA, Bloomberg, SoFi, and Shell rely on Apiiro’s patented Deep Code Analysis (DCA) technology to continuously discover, inventory, and visualize their software architecture graph from code to runtime. This enables automated assessment, detection, prioritization, remediation, and prevention of application risks at scale.


Credit: Omer HaCohen

Danit
