Vercel’s new deepsec tool might be the most practical AI security idea I’ve seen in a while.
Instead of treating agents like magic vulnerability scanners, it treats them like patient investigators that can trace code paths, re-check their own findings, and hand back something a developer can actually use.
Most AI-for-security demos still feel flimsy. They either produce vague warnings, drown you in false positives, or need you to trust somebody else’s cloud with your source code.
Deepsec is more interesting because it goes after a real pain point: large application codebases where the dangerous bugs are usually hidden in auth flows, data handling, and edge-case logic.
What Deepsec Actually Does
Vercel open sourced deepsec on May 4. It is a security harness that uses coding agents to scan a repository in stages:
- Run an initial regex-heavy scan to find security-sensitive files
- Send agents to investigate those candidates in more detail
- Revalidate findings with a second pass to reduce false positives
- Enrich findings with git metadata so the right people can fix them
- Export the results in a format that can turn into tickets for humans or coding agents
This is not “ask a model if my repo is secure.” It is closer to a repeatable research pipeline.
Why This Stands Out for Developers
A few details make this more useful than the usual AI security announcement.
- It runs on your own infrastructure, including locally on a laptop.
- It can use existing Claude or Codex subscriptions instead of some new proprietary service.
- It is designed for big codebases, with optional fanout to Vercel Sandboxes for parallel runs.
- It includes a revalidation step because false positives are still a real problem.
- It supports custom matchers, which is probably where the real value shows up on mature teams.
Every codebase has its own weirdness. Custom auth wrappers. Internal conventions. Data access patterns that look innocent until they are not. A plugin system for matchers means a team can teach the scanner what “risky” actually looks like in their world.
That is a lot more believable than pretending one general prompt will understand every monolith on earth.
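To make the stage-1 triage and the custom-matcher idea concrete, here is an added illustration (not deepsec's own code or plugin API): a hypothetical Matcher shape, a constructed four-file sample repository, and a regex-only first pass that hands candidate files to the agent stage. A team-specific matcher flags a codebase-local convention (a SKIP_AUTH environment flag) that a generic rule set would never know about.

```python
import re
from dataclasses import dataclass

# Hypothetical matcher shape, modelled on the idea of custom matchers:
# where it applies (path regex), what it flags (line regexes), and why.
@dataclass
class Matcher:
    name: str
    path_pattern: str      # regex over the repository path
    line_patterns: list    # regexes over file contents
    note: str = ""

# Constructed sample repository (path -> contents); not a real codebase.
SAMPLE_REPO = {
    "src/auth/session.ts": "export function verify(token) {\n  return jwt.decode(token);\n}\n",
    "src/api/users.ts": "const q = `SELECT * FROM users WHERE id = ${req.params.id}`;\n",
    "src/ui/button.tsx": "export const Button = () => <button/>;\n",
    "src/lib/authz.ts": "if (user.role === 'admin' || process.env.SKIP_AUTH) allow();\n",
}

# Generic matchers: the kind of rule a default regex pass would ship with.
DEFAULT_MATCHERS = [
    Matcher("jwt-decode-without-verify", r"auth|session", [r"jwt\.decode\("],
            "decode() reads claims without checking the signature"),
    Matcher("sql-string-interpolation", r"\.(ts|js|py)$", [r"SELECT .*\$\{"],
            "query text built from interpolated request input"),
]

# Team-specific matcher: this codebase's own authorization bypass convention.
TEAM_MATCHERS = [
    Matcher("skip-auth-env-flag", r"auth", [r"SKIP_AUTH"],
            "environment flag that disables authorization checks"),
]

def scan_repo(repo, matchers):
    """Stage-1 triage: return candidate findings for the agent pass to investigate."""
    findings = []
    for path, text in repo.items():
        applicable = [m for m in matchers if re.search(m.path_pattern, path)]
        if not applicable:
            continue  # file is outside every matcher's scope; skipped entirely
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in applicable:
                if any(re.search(p, line) for p in m.line_patterns):
                    findings.append({"path": path, "line": lineno, "matcher": m.name,
                                     "text": line.strip(), "note": m.note})
    return findings

def candidate_files(findings):
    """Files handed to the agent stage; everything without a hit is never opened."""
    return sorted({f["path"] for f in findings})
```

Without TEAM_MATCHERS the authz file produces no hit at all, which is the point of letting teams describe their own risky patterns.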
The Practical Catch
There is still a catch, and Vercel is refreshingly direct about it.
They say false positives still happen, roughly in the 10 to 20 percent range. That is not nothing. But for security work, I would rather see an honest number with a re-check step than the usual hand-wavy “enterprise-grade accuracy” marketing.
The other catch is time. Large repo scans can take days on one machine.
That probably sounds bad until you compare it to what usually happens: nobody does the deep review at all because it is too expensive, too boring, or too easy to postpone.
If an agent-driven harness can keep digging in the background and surface a few real auth or data-flow bugs you would have missed, that is already useful.
Where I Think This Fits
I would not use deepsec as a replacement for normal security review.
I would use it as a serious second layer:
- Before a big release
- After major auth or permissions changes
- On older internal apps that nobody wants to audit manually
- On monorepos where risky behaviour gets buried under sheer volume
It also looks like a good fit for teams already using coding agents day to day. If your developers are comfortable with Codex or Claude doing implementation work, letting a similar setup investigate security-sensitive paths is not a huge leap.
Why This Matters Beyond One Tool
The more interesting shift here is not just deepsec itself; it is the pattern.
We are starting to see AI development tools move away from “generate code on command” and toward “run a structured workflow with multiple passes, specific roles, and a useful output format.” That is a much better fit for real engineering work.
One-shot prompts are fun.
Bottom Line
Deepsec looks like one of the first AI security tools aimed at developers that understands the assignment.
It is not pretending models are infallible. It is giving them a bounded job, a verification loop, and an output that can slot into normal engineering work. That is the right direction.
If you have a large application codebase, this one is worth a look.
Source Links
- Vercel announcement: https://vercel.com/blog/introducing-deepsec-find-and-fix-vulnerabilities-in-your-code-base
- GitHub repository: https://github.com/vercel-labs/deepsec/

A seasoned Senior Solutions Architect with 20 years of experience in technology design and implementation. Renowned for innovative solutions and strategic insights, he excels in driving complex projects to success. Outside work, he is a passionate fisherman and fish keeper, specializing in planted tanks.