deepsec

Product Introduction

1. Definition: Deepsec is an open-source AI-powered security harness, categorized technically as a static application security testing (SAST) and code vulnerability scanning tool. It leverages coding agents (LLM-powered) to perform deep, contextual analysis of codebases.
2. Core Value Proposition: It exists to find and fix hard-to-detect, business-logic-level vulnerabilities in large-scale codebases by running on your own infrastructure with your own API keys, ensuring data privacy and control while eliminating the need for external, privileged code access.

Main Features

1. Multi-Stage AI-Powered Analysis Pipeline: The tool does not rely on a single LLM call. It employs a structured, multi-agent workflow. It starts with a regex-based static scan to identify security-sensitive code areas. Then, dedicated AI agents (using models like Anthropic's Opus 4.7 at max effort or OpenAI's GPT 5.5 at xhigh reasoning) investigate each candidate, trace data flows, and check for mitigations. A subsequent revalidation agent stage reduces false positives and reclassifies severity.
2. Infrastructure-Agnostic & Scalable Execution: Deepsec is designed to run locally (e.g., on a developer's laptop) without cloud dependencies for sensitive code. For speed, it supports optional fan-out to Vercel Sandboxes for massively parallel remote execution, enabling scans of large monorepos across 1,000+ concurrent sandboxes to complete in hours rather than days.
3. Customizable Plugin & Scanner System: The tool ships with a plugin architecture for deep customization. Organizations can develop custom scanner plugins—regex matchers tuned to their specific authentication models, data layers, or internal frameworks—to adapt the base security analysis to their unique architecture and uncover domain-specific vulnerabilities.

Problems Solved

1. Pain Point: Traditional SAST tools and automated security scanners often produce high volumes of generic, low-signal findings or false positives that are not actionable, missing complex, context-dependent security flaws in application logic.
2. Target Audience: Platform Security Engineers, DevOps teams, and CTOs at companies with large, complex codebases (especially monorepos). It is also highly relevant for development teams building applications and services (as opposed to pure libraries) who need to perform thorough, internal security audits without sending source code to third-party SaaS platforms.
3. Use Cases: Proactive security auditing of internal monorepos before major releases; scanning acquired codebases for hidden vulnerabilities; continuous security integration for application-focused development teams; and providing detailed, context-rich vulnerability reports for engineering teams to act upon, as evidenced by its use on Vercel's own code and customer projects like Dub.co.

Unique Advantages

1. Differentiation: Unlike generic SAST tools, Deepsec uses advanced LLMs not just for pattern matching but for contextual reasoning, simulating the investigative steps of a senior security engineer to find vulnerabilities that span multiple files and depend on application-specific logic. It also differs from cloud-only AI security tools by prioritizing on-premise execution.
2. Key Innovation: Its core innovation is the "security harness" concept—a structured framework that orchestrates multiple, specialized AI coding agents in a sequential workflow (Scan, Investigate, Revalidate, Enrich, Export). This transforms raw LLM capability into a repeatable, scalable, and auditable security analysis process, complete with a built-in refusal classifier to handle model safety guardrails.

Frequently Asked Questions (FAQ)

1. What AI models does Deepsec use for code security analysis? Deepsec is compatible with leading large language models such as Anthropic's Claude Opus 4.7 and OpenAI's GPT 5.5, configured for high-reasoning effort. It can also utilize specialized "cyber" fine-tuned versions of these models but is fully functional with standard off-the-shelf offerings.
2. How does Deepsec handle false positives in vulnerability scanning? The tool includes a dedicated "Revalidate" stage in its pipeline where a secondary AI agent review validates initial findings, which Vercel states reduces the false positive rate to an estimated 10-20%. This is significantly lower than many traditional automated scanners.
3. Can Deepsec scan private code repositories securely? Yes, Deepsec's primary architecture is designed for secure, private scanning. It runs on your own infrastructure (e.g., your laptop or servers) and uses your own API keys for AI inference, meaning your proprietary source code never needs to be sent to a third-party security service for analysis.
4. Is Deepsec suitable for scanning open-source libraries or frameworks? While possible, Deepsec is optimized for finding vulnerabilities in applications and services. Scanning libraries or frameworks may require significant customization via its plugin system and tailored prompts, as the security concerns and code patterns differ from those of deployable applications.
5. How do I get started with Deepsec for my codebase? Initial setup involves running npx deepsec init at the root of your Git repository. This command creates a .deepsec configuration directory. Users then follow the setup output to configure AI model access and can begin scanning, with full documentation available on the project's GitHub repository.