Checkmarx Unveils Next Generation SAST Engine with Hybrid AI Architecture


Agentic application security provider Checkmarx has unveiled Checkmarx SAST, which the company said is the first static analysis engine with a security-tuned LLM at its core.

Along with Checkmarx SAST, the company has added a new Finding Analysis Engine that examines every signal the SAST engine produces and, with reasoning, either confirms vulnerabilities or suppresses the false positives. Those new tools are part of the Checkmarx One platform.

AI has reduced the time attackers traditionally would need to exploit vulnerabilities from weeks or months to hours or minutes, and legacy SAST tools weren’t designed to handle AI-generated code or applications using multiple languages, so code is being shipped more quickly than it can be secured. Checkmarx SAST, powered by the LLM, can trace data flow, sink reachability and exploit intent, in any programming language, at automation speed, the company said.

Checkmarx reported that its SAST engine earned an F1 score of 0.499, against a category average of 0.20. F1 is the standard measure of scanner accuracy: it balances what a scanner catches (recall) against what it wrongly flags (precision).

“This announcement doesn’t just represent a big leap for Checkmarx, it represents a big leap for the overall industry,” said Jonathan Rende, chief product officer at Checkmarx, in the news announcement. “Three engines run together to deliver unified protection: our deterministic rules foundation enterprises have relied on for two decades, AI-powered coverage for every language developers and AI coding assistants write today, and the Findings Analysis Engine that classifies true and false positives before a single result reaches your team.”

In its announcement of the new tooling, Checkmarx listed the capabilities of Checkmarx SAST, which include:

  • High-fidelity findings: fewer false positives, more trusted true positives, less alert fatigue.
  • Any-language coverage, including AI-generated code, emerging languages, and polyglot codebases that legacy SAST cannot process or understand.
  • Defensible governance: board-grade evidence of what is exploitable and what has been resolved, anchored to Attackability, not raw counts.

Availability

Checkmarx SAST and the Finding Analysis Engine are part of the Checkmarx One platform and are available immediately. Existing Checkmarx One customers will be upgraded as part of their subscription. For more information, visit checkmarx.com or join our upcoming virtual Agentic Unleashed Summit on June 16.
