Apiiro introduced Apiiro AI SAST, a new approach to static application security testing (SAST) that automates code risk detection, validation and remediation, modelled on the reasoning an expert application security engineer applies when triaging a finding. Grounded in Apiiro’s patented Deep Code Analysis (DCA), Apiiro AI SAST combines call flow, data flow and reachability analysis with AI reasoning to cut false positives, validate which findings are actually exploitable, and fix the ones that represent real business risk.
According to Apiiro’s own research, AI coding assistants have increased code delivery by 4x while raising application risk by 10x. Traditional SAST tools are unable to keep pace with this acceleration or with the complexity of modern software. Built on legacy approaches, they generate large volumes of false positives without determining whether a vulnerability is reachable, exploitable, or relevant to the business. The result is excessive noise, reduced developer productivity, and overwhelmed security teams.
“Apiiro’s AI-SAST, powered by Deep Code Analysis (DCA), dramatically reduced false positives in our environment within weeks. By mapping SAST findings to API entry points, we can better prioritize the risks that matter most,” said Colin Barr, Head of Information Security at Paddle.
“Plenty of vendors have tried bolting AI onto raw code to tame SAST noise, but these legacy fixes fail in enterprise environments because they simply don’t understand the software’s architecture or the business context around it,” said Moti Gindi, Chief Strategy Officer of Apiiro. “Apiiro AI SAST delivers what enterprise teams need: highly qualified risks with clear, actionable fixes, rooted in the deep software architectural intelligence only our DCA technology can deliver.”
By combining application security testing (AST) scanning, large language model (LLM) reasoning, and Apiiro’s patented Deep Code Analysis (DCA), Apiiro AI SAST filters noisy alerts down to highly qualified, exploitable risks and fixes them on the basis of the software’s architecture, from code to runtime.
The technology mimics the cognitive process of an expert application security researcher and rests on five core capabilities:
AST + LLM symbiosis: Here AST means application security testing (as defined above), not abstract syntax tree. The technology uses AST scanning for rapid, deterministic detection of potential issues, then applies specialized AI agents with expert-level knowledge to validate each finding. This combination is intended to deliver the coverage of a scanner with the precision of human analysis.
Deep code analysis (DCA): Apiiro’s DCA technology builds a comprehensive Software Graph of the entire codebase – across code modules and code repositories – before AI analysis, mapping control flow, data flow, APIs, OSS dependencies, frameworks, secrets, and all other code resources across the entire tech stack. This software architectural foundation enables Apiiro to detect risks and generate fixes tailored to an organization’s environment.
Code-to-runtime: Using Apiiro’s proprietary “Applicative Fingerprinting” technology, Apiiro AI SAST automatically maps code resources to the build and production artifacts they ship in, so that a finding in code that never reaches a deployed artifact can be distinguished from one that exposes a running service; this is how theoretical risks are separated from real business risks.
AI remediation: Apiiro AI SAST traces each vulnerability to its root cause and identifies the single optimal fix location that secures the entire application, generating precise code modifications tailored to the existing software graph, across all APIs, OSS dependencies, frameworks, and coding patterns.
Adaptive feedback: The Apiiro AI SAST engine adapts to each customer’s environment through customizable detection logic and human-in-the-loop feedback that refines the AI’s understanding of organizational security standards and business logic.
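To make the triage pipeline described above concrete, here is a deliberately small added example (written for this page, not Apiiro’s code, and not an implementation of DCA or Applicative Fingerprinting). It runs the three steps a practitioner would recognise from the list: a deterministic scan for a dangerous sink (`subprocess` called with `shell=True`), a call-graph reachability check from API entry points (here, Flask route handlers), and a crude check of whether the command argument is a constant. The Flask application it analyses is a constructed sample embedded in the script; function names such as `run_shell` and `legacy_tool` are invented for illustration.

```python
import ast
from collections import deque

# Constructed sample application (not real code): three shell=True sinks with
# different exposure. run_shell is reached from /exec with a request parameter,
# list_tmp is reached from /tmp but runs a constant command, legacy_tool is
# never called from any route.
SAMPLE = '''
import subprocess
from flask import Flask, request

app = Flask(__name__)

def run_shell(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True)

def list_tmp():
    return subprocess.run("ls /tmp", shell=True, capture_output=True)

def legacy_tool(path):
    subprocess.call("tar xf " + path, shell=True)

@app.route("/exec")
def exec_handler():
    return run_shell(request.args.get("cmd"))

@app.route("/tmp")
def tmp_handler():
    return list_tmp()
'''

# Sinks the deterministic scanner flags (module, attribute).
SINKS = {("subprocess", "run"), ("subprocess", "call"), ("subprocess", "Popen")}


def _callee(call):
    """Return (module, name) for mod.func(...) or (None, name) for func(...)."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return (None, f.id)
    return None


def analyze(source):
    """Scan for shell=True sinks, then qualify each by reachability from routes."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}

    # Step 1: entry points are functions decorated with @<something>.route(...)
    entries = {
        name for name, fn in funcs.items()
        for d in fn.decorator_list
        if isinstance(d, ast.Call) and isinstance(d.func, ast.Attribute)
        and d.func.attr == "route"
    }

    # Step 2: one pass collects both call-graph edges and raw scanner findings
    calls = {name: set() for name in funcs}
    findings = []
    for name, fn in funcs.items():
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            callee = _callee(node)
            if callee is None:
                continue
            if callee[0] is None and callee[1] in funcs:
                calls[name].add(callee[1])          # intra-module edge
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            if callee in SINKS and shell:
                findings.append({
                    "func": name, "line": node.lineno,
                    "sink": f"{callee[0]}.{callee[1]}",
                    "constant_arg": bool(node.args)
                    and isinstance(node.args[0], ast.Constant),
                })

    # Step 3: BFS from the entry points, remembering how each function was reached
    parent = {e: None for e in entries}
    queue = deque(entries)
    while queue:
        cur = queue.popleft()
        for nxt in calls[cur]:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)

    def path_to(name):
        chain = []
        while name is not None:
            chain.append(name)
            name = parent[name]
        return chain[::-1]

    # Step 4: attach a verdict so the scanner output is prioritised, not just listed
    for f in findings:
        f["reachable"] = f["func"] in parent
        f["path"] = path_to(f["func"]) if f["reachable"] else []
        if not f["reachable"]:
            f["verdict"] = "not reachable from any API entry point"
        elif f["constant_arg"]:
            f["verdict"] = "reachable, but the command is a constant"
        else:
            f["verdict"] = "reachable with a non-constant command: validate and fix"
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['sink']} in {f['func']} (line {f['line']}): {f['verdict']}"
              + (f"  via {' -> '.join(f['path'])}" if f["path"] else ""))
```

The scanner alone would report three identical "shell=True" findings; only the reachability and argument checks separate the one that needs a fix (`run_shell`, reached from `/exec` with a request parameter) from the constant command and the dead code. A real engine of the kind the page describes extends this across repositories, through frameworks and dependency boundaries, and with proper taint tracking rather than a constant check.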
