
Semgrep Launches AI-Powered Detection for Logic Flaws

November 13, 2025

Semgrep has launched a private beta for its new AI-powered detection capability, designed to augment its core static application security testing (SAST) engine. This advanced feature targets complex business logic vulnerabilities, such as broken authentication and insecure direct object references (IDORs), which are notoriously difficult to identify with traditional scanning methods but are a leading cause of high-severity security breaches.

Quick Intel

  • Semgrep's AI-powered detection is now in private beta for select customers.

  • It targets business logic flaws like IDORs, which account for 49% of critical bugs.

  • The technology uses a hybrid AI and deterministic analysis system for high fidelity.

  • Alpha testing showed 80% of participants found a critical IDOR with the tool.

  • It addresses vulnerabilities that AI coding assistants and traditional SAST miss.

  • The solution integrates directly into CI/CD pipelines for automated scanning.

Tackling the Pervasive Threat of Business Logic Flaws

Modern applications face a significant threat from business logic vulnerabilities, which differ from standard code flaws. Issues like broken access control now constitute nearly half of all high-severity findings in bug bounty programs. These flaws require an understanding of developer intent and application context, something traditional SAST tools, which rely on predefined rules, struggle to detect without extensive customization, leaving a critical security gap.
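To make that gap concrete, the following is an added example, not Semgrep's code and not a description of its detection method. It pairs a minimal IDOR handler with its hardened twin, then runs two toy checks over them: a shape-only rule (standing in for a predefined SAST pattern) that fires on both, and a deliberately simplistic intent heuristic that asks whether the authenticated caller's identity takes part in any comparison. The invoice store, the handler names, the `current_user_id` parameter convention and both checks are assumptions made for the example.

```python
"""Added example: why a syntax-shape rule alone cannot separate an IDOR from
its fix. Not Semgrep's code; the store, handlers and checks are constructed."""
from __future__ import annotations

import ast
import inspect
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data standing in for a database table (assumption:
# two tenants, user 7 and user 9, each owning one invoice).
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=7, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=9, amount=48.5),
}


class AuthorizationError(Exception):
    """Raised for both 'no such invoice' and 'not your invoice'."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the record is selected purely by the client-supplied id; the
    authenticated caller's identity never constrains the lookup."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise AuthorizationError("invoice not found")
    return invoice


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Same lookup, plus an ownership check binding the object to the caller.
    One error message for 'missing' and 'not yours' avoids confirming which
    ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise AuthorizationError("invoice not found")
    return invoice


def access_denied(handler, current_user_id: int, invoice_id: int) -> bool:
    """True if the handler refuses the request instead of returning data."""
    try:
        handler(current_user_id, invoice_id)
    except AuthorizationError:
        return True
    return False


def _function_node(func) -> ast.FunctionDef:
    # Both handlers are top-level, so their source parses as-is.
    return ast.parse(inspect.getsource(func)).body[0]


def naive_pattern_rule(func) -> bool:
    """Toy stand-in for a purely syntactic SAST rule: 'flag any call
    INVOICES.get(<parameter>)'. It matches the lookup shape in BOTH handlers,
    because the shape says nothing about whether an ownership check follows."""
    fn = _function_node(func)
    params = {a.arg for a in fn.args.args}
    for node in ast.walk(fn):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "get"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "INVOICES"
                and node.args
                and isinstance(node.args[0], ast.Name)
                and node.args[0].id in params):
            return True
    return False


def caller_identity_checked(func, identity_param: str = "current_user_id") -> bool:
    """Toy intent heuristic (an assumption for this example): the handler is
    only considered safe if the parameter carrying the authenticated user's
    identity takes part in some comparison. Establishing facts like this,
    which a shape-only rule never looks at, is what separates the handlers."""
    fn = _function_node(func)
    for node in ast.walk(fn):
        if isinstance(node, ast.Compare):
            names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
            if identity_param in names:
                return True
    return False


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_hardened):
        print(handler.__name__,
              "shape rule fires:", naive_pattern_rule(handler),
              "identity checked:", caller_identity_checked(handler),
              "cross-tenant read blocked:", access_denied(handler, 7, 1002))
```

Running the block shows the shape rule reporting both handlers identically, while only the ownership check (and the heuristic that looks for it) distinguishes the cross-tenant read that the vulnerable handler allows from the one the hardened handler refuses. The heuristic is intentionally crude; a comparison against `current_user_id` that is never acted on would still satisfy it, which is exactly the kind of reasoning about intent the paragraph above says rules alone do not capture.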

A Hybrid AI Approach for Reliable Security Findings

To solve the reliability challenges of using large language models (LLMs) alone for code security, Semgrep employs a unique hybrid system. This approach blends the contextual reasoning power of AI with the predictability and precision of traditional SAST rules and policies. The result is high-fidelity, actionable findings that span vulnerability classes with minimal false positives, a significant improvement over pure-LLM systems that can exhibit false positive rates as high as 95-100% for certain vulnerabilities.

Proven Efficacy and Leadership Vision

Early results from an alpha program with design partners demonstrated the effectiveness of this approach. Roughly 80% of participating customers discovered at least one critical or severe IDOR that had previously been missed. In comparative testing, Semgrep's AI-powered detection achieved 1.9 times better recall on IDOR detection compared to standalone AI coding assistants. "AI is transforming the way we approach code security, and Semgrep is at the forefront of that shift," said Isaac Evans, CEO and Co-Founder at Semgrep. "With AI built into Semgrep, every improvement in large language models translates into exponential gains for our customers."

The introduction of AI-powered detection marks a significant evolution in application security, moving beyond pattern-matching to understanding code intent. By reliably uncovering the business logic flaws that lead to major breaches, Semgrep provides security and development teams with a powerful tool to shift security left without compromising development velocity, effectively building security directly into the development lifecycle.

About Semgrep

Semgrep is the leading code security platform for builders – helping teams catch, flag, and fix real issues before they ship, with security that learns as you build. Its developer-first platform unifies SAST, SCA, and secrets detection, embedding security directly into the development workflow so protection begins where code happens. Semgrep combines deterministic static analysis with AI reasoning that powers detection, triage, and remediation to help teams uncover real vulnerabilities, prioritize reachable risks, and fix issues faster. Backed by Menlo, Felicis, Lightspeed, Redpoint, and Sequoia Capital, Semgrep is trusted by global organizations, including Snowflake, Dropbox, and Figma.
