Semgrep Launches Private Beta of AI-Powered Detection to Combat Business Logic Vulnerabilities

Semgrep's New Private Beta of AI-Powered Detection

On November 12, 2025, Semgrep, a prominent platform in application security, unveiled the private beta of its AI-powered detection feature. This innovative solution aims to bolster its well-regarded static application security testing (SAST) engine. The primary goal of this advancement is to help users uncover various types of business logic vulnerabilities, including broken authentication and insecure direct object references (IDORs), which can lead to significant security incidents.

Business logic vulnerabilities are a different category of threat from conventional vulnerabilities such as SQL injection or cross-site scripting, which have historically been the focus of SAST tools. Recent findings from bug bounty programs reveal that broken access control vulnerabilities, which include IDORs and other authorization flaws, account for nearly half of all high and critical severity findings. Detecting these vulnerabilities requires an understanding of developer intent and of the application's specific context—an area where traditional SAST falls short without extensive customization.
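To make the distinction concrete, the following is an added illustration (not Semgrep's code, and not from the original announcement) of why an IDOR is hard for pattern-based SAST: the vulnerable and the hardened data-access functions are syntactically almost identical, and the defect is a condition that is simply absent. The `Invoice` records, user ids and `Forbidden` exception are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float

# Constructed sample data standing in for a database table.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, amount=120.0),
    102: Invoice(invoice_id=102, owner_id=2, amount=35.5),
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def get_invoice_idor(current_user_id: int, invoice_id: int) -> Invoice:
    # Vulnerable (IDOR): invoice_id comes straight from the request and is
    # used as the lookup key with no check that it belongs to the caller.
    # No taint flows into a dangerous sink, so a SQLi/XSS-style rule has
    # nothing to match; the bug is the *missing* authorization condition.
    return INVOICES[invoice_id]

def get_invoice_checked(current_user_id: int, invoice_id: int) -> Invoice:
    # Hardened: enforce ownership server-side. "Not found" and "not yours"
    # are deliberately collapsed into one outcome so the endpoint does not
    # become an oracle for which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice

def probe(handler: Callable[[int, int], Invoice], user_id: int, invoice_id: int) -> str:
    """Return 'granted' or 'denied' for a given handler and request, so the
    two implementations can be compared on the same inputs."""
    try:
        handler(user_id, invoice_id)
        return "granted"
    except (Forbidden, KeyError):
        return "denied"

if __name__ == "__main__":
    # User 1 asks for user 2's invoice: the IDOR version hands it over.
    print("idor:   ", probe(get_invoice_idor, 1, 102))
    print("checked:", probe(get_invoice_checked, 1, 102))
    print("own:    ", probe(get_invoice_checked, 1, 101))
```

Running the module shows the IDOR handler granting user 1 access to invoice 102 while the checked handler denies it and still serves the user's own invoice 101. The point for SAST is that distinguishing the two functions requires knowing that `invoice_id` is an object reference owned by someone, which is application context rather than a syntactic pattern.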

Minh Nghiem, a Senior Security Engineer at Homebase, commented, "Most of our high-severity responsible disclosure findings involve flaws in authorization logic. Semgrep's AI-powered detection now automatically identifies these, integrating an internal researcher into our CI pipeline effectively."

Tackling Crucial Security Issues

The introduction of this AI-powered detection tool seeks to address three major challenges faced by modern security teams. First, security engineers are increasingly seeing business logic vulnerabilities like IDORs dominate bug bounty programs and penetration testing results. Most teams currently lack efficient tools to identify these problems before application deployment.

Second, while AI-assisted coding tools have significantly accelerated the development process, they have inadvertently introduced new security risks that existing scanners fail to evaluate accurately. This inconsistency creates friction between the need for rapid deployment and maintaining robust security measures.

Lastly, security leaders are now demanding demonstrable AI capabilities that will not only enhance security but also ensure compliance with necessary governance requirements. Despite the promise shown by large language models (LLMs) in several applications, they often lack the reliability essential for code security.

To address this, Semgrep has implemented a hybrid system that combines the contextual reasoning benefits of LLMs with the predictability offered by traditional SAST functions, including rules and guardrails. By taking advantage of both methodologies, Semgrep provides users with high-fidelity, actionable insights across various vulnerability types, all while minimizing false positives.

As Isaac Evans, CEO and Co-Founder of Semgrep, stated, "AI is changing how we approach code security, and Semgrep is leading this transformation. With integrated AI, every enhancement in large language models directly results in significant benefits for our customers. Our hybrid method produces compounding results that exceed what LLM-only systems can deliver."

Early Insights from the Alpha Program

Throughout the alpha program, in which design partners scanned private repositories, the AI-powered detection feature was put to the test. Notably, around 80% of participating customers reported discovering at least one critical or severe IDOR during the assessment. In head-to-head comparisons, Semgrep's AI detection methodology achieved 1.9 times better recall for IDOR detection than standalone AI coding tools such as Claude Code. Furthermore, LLM-only detection recorded false positive rates of 95-100% for SQL injection, underscoring the need for hybrid strategies that combine deterministic analysis with AI reasoning for dependable security coverage.

Availability of AI-Powered Detection

The private beta of AI-powered detection is available now to selected Semgrep customers. Organizations interested in the feature can sign up for an early access waitlist; availability is limited. For more information about AI-powered detection, refer to the complete blog post from Semgrep.

About Semgrep

Semgrep stands at the forefront as a leading code security platform for developers. Its primary function is to assist teams in identifying, flagging, and correcting genuine issues before software deployment. The platform enhances security during the coding process by seamlessly integrating SAST, SCA, and secrets detection into workflows. By combining deterministic static analysis with AI-driven reasoning, Semgrep empowers teams to reveal real vulnerabilities, prioritize risks effectively, and expedite issue resolution. Backed by reputable investors such as Menlo, Felicis, Lightspeed, Redpoint, and Sequoia Capital, Semgrep enjoys the trust of notable global organizations including Snowflake, Dropbox, and Figma.
