Kai product update: AI-native SAST and deeper vulnerability validation through membership in Anthropic's Cyber Verification Program

Damiano Bolzoni
Co-founder & CTO
June 11, 2026

I am excited to share two product updates. First, we are releasing an AI-native SAST capability in preview for select customers. This new capability solves both noise and validation problems common in other tools. Second, Kai has been accepted into Anthropic's Cyber Verification Program (CVP). With membership in the CVP, we gain access to advanced cyber capabilities for deeper, AI-native analysis of vulnerability candidates and autonomous exploit validation.

The two are connected, and I want to explain why. Both updates reflect significant steps toward our vision of collapsing and rebuilding the security stack for the AI era. Advances in frontier models, combined with acceptance into the Cyber Verification Program, mean we can execute that vision faster, not just with automation, but with truly AI-native workflows.

What we built and why we built it

Existing SAST tools have a noise problem. They flag thousands of findings, the majority of which are false positives, because they analyze code statically without understanding how it executes at runtime and how a real attack would unfold. Engineering teams spend the bulk of their time investigating findings that were never exploitable to begin with. The problem lies in how those tools (do not) reason about code.

We built Kai's SAST capability differently. Rather than flagging everything that pattern-matches a known weakness (SQL injection, authentication bypass, etc.), Kai applies AI-native reachability analysis from the start, combining static analysis with runtime behavior to determine whether a finding is actually exploitable before it reaches a human. In one deployment, Kai identified several thousand previously unknown vulnerabilities across multiple repositories, including logical flaws that would have allowed a complete takeover. Kai validated each finding by automatically generating exploits and running them in an out-of-band, non-production environment.

Kai's SAST capability has been available to a select number of customers for a limited period, and the early results are significant. Using models with guardrails, the capability has already identified thousands of previously unknown vulnerabilities across customer environments, including logical flaws and chained attack paths that existing scanners were not designed to find. These are not theoretical findings. They are confirmed vulnerabilities in production codebases that had been missed by the tools those customers were already running.

How membership in the Cyber Verification Program expands our capabilities

Kai has been accepted into Anthropic's Cyber Verification Program. With membership in the CVP, we gain access to advanced cyber capabilities for approved defensive use cases, including vulnerability discovery, exploit analysis, penetration testing, red-team simulation, threat modeling, and defensive security research. These are capabilities that are normally blocked or heavily restricted in standard model deployments. CVP membership unlocks them specifically for defensive use, scoped and governed by Anthropic's security and responsible-use requirements.

For Kai's SAST capability specifically, this matters in two ways. First, at the discovery layer, the advanced cyber capabilities we gain through CVP membership allow Kai to perform deeper vulnerability analysis, surfacing critical findings that guardrailed models cannot fully reason about. Second, and more importantly for our customers, it changes what exploit validation looks like. Previously, our ability to autonomously generate working exploits was constrained by the guardrails applied to standard model deployments. With membership in the CVP, we gain access to advanced cyber capabilities that significantly enhance our ability to generate working exploits against validated findings in isolated environments. The result is definitive proof of exploitability, produced autonomously.

What this means across the full exposure management cycle

Findings from Kai's SAST capability feed directly into the same reachability and exploitability pipeline we run for SCA, enterprise, and infrastructure vulnerabilities. Kai aggregates and de-duplicates findings, applies AI-first reachability analysis across runtime and network layers, and delivers least-invasive remediation plans ready for engineering to act on immediately, with no delays between validation and mobilization. With the advanced capabilities we gain through CVP membership flowing into the front of that pipeline, the signal is earlier, the context is richer, and the window of time available to attackers shrinks at every phase.

The outcomes reflect what that looks like in production. Kai investigated and triaged 250 million vulnerabilities in 20 hours, eliminating 83% as benign positives and generating optimized remediation plans for genuinely exploitable findings. In AppSec, Kai saved 3 million combined infosec and engineering hours through 99.5% false positive reduction and autonomous pull request generation. For zero-day and supply chain attacks, Kai reduces the time from incident to remediation steps and updated detections from days or weeks to under five minutes. No analyst required. No ticket filed.

The SAST capability is currently in preview for select customers across AppSec and enterprise infrastructure environments. If you are running existing SAST tooling and want to see what the false positive reduction and exploit validation layer looks like against your own findings, please contact us.