devops · security · ai

Vercel Open-Sources deepsec: An AI Security Harness That Finds Vulnerabilities in Large Codebases

Source: Vercel Blog

Vercel released deepsec on May 4, 2026 as an open-source security harness for finding vulnerabilities in large codebases. The tool runs on your own infrastructure, uses your existing Claude or Codex subscription for inference, and is designed to integrate directly into the development and deployment workflow rather than sitting at the end of a release cycle as a gate.

What deepsec does differently

Most static analysis tools apply pattern matching and known vulnerability signatures. They are fast and cheap, but they struggle with complex, multi-step vulnerabilities that require understanding data flows across many files. deepsec takes a different approach: it uses AI coding agents – specifically Claude Opus 4.7 at maximum reasoning and GPT-5.5 at high reasoning – to investigate candidate vulnerabilities with the same level of contextual analysis a skilled security engineer would apply.

The workflow runs in five stages: scan, investigate, revalidate, enrich, and export.

The initial scan stage runs roughly 110 regex matchers across the codebase with no AI calls involved, completing in about 15 seconds on a 2,000-file project. The output is a prioritised list of security-sensitive files and candidate issues. Coding agents then investigate each candidate, trace data flows, check for existing mitigations, and produce findings with severity ratings. A second agent pass validates the findings and removes false positives before results are exported.

The result is a set of actionable, high-confidence findings rather than a long list of low-signal warnings that security teams have learned to filter out.

DevOps integration and scaling

deepsec is CLI-first and runs locally on a laptop without requiring a cloud service to access source code. For teams that need to scale, Vercel Sandboxes provide remote execution with scans reaching over 1,000 concurrent sandboxes on Vercel’s own internal codebases.

The tool is designed to run as part of an existing DevOps workflow rather than replacing it. Because it operates on the codebase directly and produces findings in a structured export format, results can be fed into existing issue trackers, code review systems, or CI/CD pipelines. The integration overhead is minimal for teams already running linting and testing steps in their pipelines.
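To make the five-stage pipeline (scan, investigate, revalidate, enrich, export) and the structured export concrete, here is a toy harness in Python. It is an added example, not deepsec's code: the sample repository, the regex matchers, the mitigation patterns and the CWE mapping are all constructed for illustration, and the investigate stage is a deterministic source-to-sink check standing in for the agent pass the article describes. The export uses the SARIF 2.1.0 log shape that code-review systems and CI tools commonly ingest.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Constructed sample repository: path -> contents (hypothetical files).
SAMPLE_REPO = {
    "api/render.js": "const html = req.query.q;\nres.send(html);\n",
    "api/safe.js": "const html = escapeHtml(req.query.q);\nres.send(html);\n",
    "lib/util.js": "export function add(a, b) { return a + b; }\n",
    "scripts/run.js": "const { exec } = require('child_process');\nexec(`ls ${req.body.dir}`);\n",
}

# Stage 1 (scan): cheap regex matchers, no model calls. Each names a source or a sink.
MATCHERS = {
    "untrusted-input": re.compile(r"req\.(query|body|params)\b"),
    "html-sink": re.compile(r"res\.send\("),
    "shell-sink": re.compile(r"\bexec\("),
}

# Evidence of an existing mitigation that the investigate stage checks for.
MITIGATIONS = {
    "html-sink": re.compile(r"escapeHtml\("),
    "shell-sink": re.compile(r"execFile\("),
}

# Stage 4 (enrich): context attached to confirmed findings (constructed mapping).
ENRICHMENT = {
    "html-sink": {"cwe": "CWE-79", "advice": "encode output or use a template engine that escapes by default"},
    "shell-sink": {"cwe": "CWE-78", "advice": "use execFile with an argument list instead of a shell string"},
}


@dataclass
class Candidate:
    path: str
    matchers: list[str]
    score: int
    sink: str | None = None
    severity: str | None = None
    extra: dict = field(default_factory=dict)


def scan(repo: dict[str, str]) -> list[Candidate]:
    """Stage 1: rank files by how many security-sensitive patterns they hit."""
    cands = []
    for path, text in repo.items():
        hits = [name for name, rx in MATCHERS.items() if rx.search(text)]
        if hits:
            cands.append(Candidate(path, hits, len(hits)))
    return sorted(cands, key=lambda c: c.score, reverse=True)


def investigate(repo: dict[str, str], cand: Candidate) -> Candidate:
    """Stage 2: deterministic stand-in for the agent pass. A candidate becomes a
    finding only if an untrusted source and a sink co-occur with no mitigation."""
    text = repo[cand.path]
    if "untrusted-input" in cand.matchers:
        for sink in ("shell-sink", "html-sink"):
            if sink in cand.matchers and not MITIGATIONS[sink].search(text):
                cand.sink = sink
                cand.severity = "high" if sink == "shell-sink" else "medium"
                break
    return cand


def revalidate(cands: list[Candidate]) -> list[Candidate]:
    """Stage 3: second pass that drops anything without a concrete source-to-sink path."""
    return [c for c in cands if c.sink is not None]


def enrich(cands: list[Candidate]) -> list[Candidate]:
    """Stage 4: attach CWE and remediation context to surviving findings."""
    for c in cands:
        c.extra = dict(ENRICHMENT[c.sink])
    return cands


def export_sarif(findings: list[Candidate]) -> dict:
    """Stage 5: emit a minimal SARIF 2.1.0 log for issue trackers and CI."""
    level = {"high": "error", "medium": "warning"}
    results = [
        {
            "ruleId": f.extra["cwe"],
            "level": level[f.severity],
            "message": {"text": f"untrusted input reaches {f.sink}; {f.extra['advice']}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path}}}],
        }
        for f in findings
    ]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "toy-harness"}}, "results": results}]}


def run_pipeline(repo: dict[str, str]) -> tuple[list[Candidate], dict]:
    """Run all five stages; return the confirmed findings and the SARIF export."""
    cands = [investigate(repo, c) for c in scan(repo)]
    findings = enrich(revalidate(cands))
    return findings, export_sarif(findings)


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_REPO)[1], indent=2))
```

On the constructed repository the scan flags three of four files, the investigate stage clears `api/safe.js` because the sink is wrapped in `escapeHtml`, and two findings survive revalidation: the unescaped HTML sink (warning) and the shell sink fed from a request body (error). Real systems replace the deterministic investigate stage with model-driven reasoning, but the shape of the pipeline, and the point that the cheap regex pass only prioritises and never decides, is the same.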

Costs and expectations

deepsec is configured to use frontier models at maximum reasoning levels. That means scans on large codebases can cost thousands of dollars per run, and in some cases tens of thousands. For teams running it continuously or on a very large repository, costs need to be factored into the decision alongside the value of findings.

The false positive rate sits at roughly 10 to 20%, which is meaningfully lower than most automated static analysis tools but still requires human review of findings before remediation. The revalidation stage is specifically designed to reduce that figure, but it does not eliminate it.

For teams that have previously found automated security tooling noisy and low-value, deepsec represents a meaningful step forward in signal quality. The cost tradeoff is real, but customers who have run it report finding vulnerabilities that had gone undetected through conventional scanning processes.

Why this matters for DevOps security

The release of deepsec reflects a broader shift in how security is being embedded into the development process. AI coding agents have made it practical to apply deep, contextual analysis at scale without requiring a large manual security review team. The bottleneck is no longer the quality of the analysis – frontier models are capable of reasoning through complex multi-file data flows – but rather cost, tooling maturity, and integration into existing workflows.

For teams building on modern frameworks and deploying at high velocity, the window between code merge and exploitation of a vulnerability in production is shorter than it has ever been. Shifting security analysis earlier in the cycle, and making it capable of finding issues that pattern-matching cannot, directly reduces that exposure window.

If you want to evaluate whether deepsec or a comparable AI-driven security scanning approach is a fit for your team’s workflow and codebase, contact Excello Digital. We help engineering teams build security practices that match their deployment pace.
