Q&A: Cycode’s Next-Generation SAST Engine Reduces False Positives by 94%


In the world of application security, false positives have long been the bane of existence for development teams.

Cycode, the leader in Application Security Posture Management (ASPM), just launched a breakthrough next-generation Static Application Security Testing (SAST) engine that achieves a remarkable “94% reduction in false positives in OWASP benchmark tests compared to leading open-source and commercial alternatives.”

In the official press release, Lior Levy, CEO and Co-Founder of Cycode, explained the necessity behind it, noting: “When a third to half of the findings are false positives and slow scans delay progress, it is impossible to maintain developer trust and build an efficient and effective program.”

With its next-generation SAST engine, Cycode reduced false positives to 2%. To learn more, we spoke directly with Cycode’s Amir Kazemi, Director of Product Marketing, and Devin Maguire, Senior Product Marketing Manager, about how it reduces the noise and burden of sifting through thousands of false positive findings.

The transcript has been edited for brevity. Here’s Amir and Devin.

Q: Can you tell us a little about SAST and how it’s changing the way developers approach security in their workflows?

Amir: We’re in an era dominated by AI now. Last year alone, 93 billion lines of code were generated.

[Photo: Amir Kazemi, Director of Product Marketing at Cycode]

But AI also has its ripple effects — there’s a lot more code out there, and it’s more vulnerable now. Attackers are using AI against us, and that’s why these breakthroughs are so crucial right now. Security is racing to keep up with all of this. The attack surface is massive, there are too many tools, and security and development are still siloed.

There’s also an expectation to innovate faster, and that’s why these breakthroughs matter so much. It’s all about speed, efficiency, accuracy, and, of course, security. We call this AppSec chaos, and our mission is to secure the software that the world depends on in this AI-driven era. Leading enterprises are joining us on this mission, and we do it through our enterprise-proven complete ASPM platform to fix what matters. SAST is a major component of this approach, especially from an application security testing perspective.

Devin: Those 93 billion lines of code have the same flaw density as before. That means there’s more code, but the flaws are still there, and the pressures on time and cost for developers haven’t changed.

[Photo: Devin Maguire, Senior Product Marketing Manager at Cycode]

This is why SAST and shifting left to enable developers matter. It helps them manage this scale while also delivering on time and delivering secure code.

But there’s been this persistent limitation with traditional SAST tools — they’ve either been too slow or too inaccurate. In fact, those quick SAST tools, while fast, are wrong about 40% of the time, which leads to a 40% false positive rate. On the other hand, if you want deeper analysis, you’re paying for it with slower DevOps processes and scans that disrupt developer productivity. So, this is the challenge developers face.

The breakthrough here is that, for the first time, we’re delivering deep source-to-sink analysis but still providing a very fast and efficient scanning process. It’s quick to deploy and doesn’t slow down DevOps workflows.

Q: The press release mentions that the next-generation SAST engine reduces false positives to 2% while maintaining a 75% recall rate. For readers who may not be familiar with these terms, how do these numbers translate into real-world savings and reduced application risk for businesses?

Devin: We’ve seen real-world validation of the 2% false positives through the OWASP benchmark and feedback from customers. For example, one customer reduced their false positives from 36% to just 2%. If they had 100,000 findings in their application, that’s a reduction from roughly 36,000 false positives down to around 2,000. This makes a huge difference, as it means developers are dealing with far less noise and can prioritize the issues that actually matter.


While AI remediation isn’t part of this launch, we’ve already implemented it. We’re helping developers quickly identify and fix issues by focusing on three key areas: risk reduction, prioritization, and remediation. The goal is to eliminate unnecessary tasks, speed up fixes, and ultimately allow developers to get back to what they do best: delivering great software. This not only helps with security but also drives business value.

Q: As AI becomes standard in many tools, what has your team’s experience been integrating it into your ASPM platform? And what’s your overall opinion on AI’s role in helping developers stay agile in today’s market?

Devin: At a high level, AI plays two key roles in security: prioritizing the vast number of findings and violations, and increasing developer productivity and capacity to remediate.

At Cycode, we focus on two main AI projects: one for security teams and one for developers. For security teams, AI helps with detection — like our secrets scanner using OCR — but most importantly, AI enhances prioritization. By analyzing the full context of violations, AI helps identify what really represents risks to the business.

For developers, AI is used to improve their experience by providing remediation guidance. We’re working on AI-generated code fixes, making it easier for developers to fix issues quickly, not just find and prioritize them. These AI-driven improvements help developers address security issues faster and more efficiently.

Amir: Building on what Devin said, AI is woven into the core of our ASPM platform, not just added on as a third-party solution, like OpenAI API. We have internal teams focused on AI projects, and this integration runs across the platform, benefiting both security and developers.

Q: AI seems to be integrated into every step of the developer life cycle. Where do you see the future of application security testing, especially with AI and automation? How will Cycode’s platform evolve to address emerging threats and technologies?

Devin: My personal view on AI is that it’s history repeating itself. Every new technology brings excitement, but also new risks and complexities that need to be managed from a security standpoint. Just like open-source adoption or cloud security, AI will add layers of security challenges. The difference with AI is that you can’t just keep adding layers of risk and complexity without eventually needing automation to handle it all.

AI will have a big impact on providing visibility into AI-related risks, but the key will be using AI to create clarity out of all the data. It’s not just about visibility; it’s about making sense of it. AI will also play a role in security by facilitating remediation. The future of security is moving toward autonomous systems, which use sensors to detect issues, algorithms to process data, and actuators to take action.


Amir: We’re in an era of the “10x developer.” In the past, a company might have had a few standout developers, but now, with AI tools, all developers are becoming 10x developers. The downside is that attackers can also use AI, so we need to be cautious about relying too heavily on a single tool.

GitHub Copilot, for example, helps developers be more productive, but it shouldn’t be the only tool for security scanning. In the future, we’ll see more tools on the SAST side to complement tools like GitHub Copilot, and Cycode is well-positioned to lead in this space.


Devin: Yeah, AI is now everywhere. You need specialized capabilities within your AI tools, much like you need specialized roles like security champions or AppSec engineers. AI will play a crucial role in enhancing those specialized security functions.

Q: With AI being such a hot topic, there’s always that balance between security and agility. So, before we wrap up, is there anything we haven’t covered that you’d like to mention about the next-generation SAST engine, ASPM, or the future of DevSecOps?

Amir: From my perspective, we see the market in three waves. The first wave is where ASPMs are just tool aggregators, pulling in third-party security data. Now, we’re in wave three, which is the complete ASPM, and Cycode is leading the way here. A lot of legacy vendors are trying to catch up, but it may take them two to three years to get there. The complete ASPM approach is the new vision, and the market is really excited about it.

About Cycode

Cycode is a leader in Application Security Posture Management (ASPM) that provides security solutions for the software development lifecycle. Its Complete ASPM platform includes proprietary scanners that deliver high-quality security data with industry-leading accuracy. With Cycode’s next-generation SAST engine, organizations can reduce risk, increase developer productivity, and lower the total cost of security solutions.

About the Speakers

Amir Kazemi, Director of Product Marketing at Cycode since 2023, brings over a decade of software development expertise to his role, with former positions at Stage 2 Capital, Clickup, and Effx (acquired by Figma). Devin Maguire, Senior Product Marketing Manager at Cycode since 2024, leverages 15 years of software industry experience including roles at ArmorCode and Veracode.