Checkmarx launches hybrid AI engine for code scanning

Fri, 19th Jun 2026
Sean Mitchell, Publisher

Checkmarx has launched a hybrid static application security testing engine for its Checkmarx One platform. In tests across seven production codebases, it achieved an F1 score of 0.64.

The engine combines three elements: a rules-based analysis layer, a large language model layer designed to work across programming languages, and a Finding Analysis Engine that reviews findings before they are sent to developers. The aim is to improve accuracy while reducing the number of false alerts that security and development teams must review.

Static application security testing tools inspect source code for vulnerabilities before software is deployed. The latest update reflects a broader shift in the software security market as companies try to manage code written or assisted by artificial intelligence tools, along with the growing mix of programming languages used in modern applications.

Checkmarx said almost half of production code is now AI-generated and argued that this has increased the volume of insecure code entering development pipelines. It added that traditional rules-based tools remain effective in languages they already cover, but can struggle to keep pace with newer or less common languages emerging through AI-assisted development.

The company's approach keeps deterministic scanning at the core of the product while adding AI-based analysis to extend coverage. The Finding Analysis Engine then assesses raw findings to identify likely true positives and suppress others.

In company testing, the hybrid engine outperformed what Checkmarx described as competing approaches, posting an average F1 score more than three times higher than the 0.20 average it recorded for other tools and models it evaluated. It also reduced false positives by 60%, according to the company.

An F1 score is a measure used in machine learning and detection systems to balance precision and recall. In application security, it indicates whether a tool can find genuine flaws without overwhelming users with incorrect results.
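As an added illustration (not code from the article or from Checkmarx), F1 is the harmonic mean of precision and recall; the Python below computes it from a constructed benchmark of scanner findings and shows how a triage stage that suppresses low-confidence findings raises precision at a small cost in recall. All file names, rule names and confidence scores are constructed, and the `triage` threshold is an assumption.

```python
from fractions import Fraction


def precision_recall_f1(reported, ground_truth):
    """Score a set of reported findings against a ground-truth set of real flaws."""
    reported, truth = set(reported), set(ground_truth)
    tp = len(reported & truth)          # real flaws the tool found
    fp = len(reported - truth)          # noise the tool reported
    fn = len(truth - reported)          # real flaws the tool missed
    precision = Fraction(tp, tp + fp) if tp + fp else Fraction(0)
    recall = Fraction(tp, tp + fn) if tp + fn else Fraction(0)
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else Fraction(0)
    return float(precision), float(recall), float(f1)


def triage(scored_findings, threshold):
    """Hypothetical review stage: keep only findings whose confidence meets the threshold."""
    return [finding for finding, confidence in scored_findings if confidence >= threshold]


def constructed_benchmark():
    """Constructed data: 10 real flaws; the raw scan finds 8 of them plus 25 false positives."""
    truth = {("app/db.py", 10 * i, "sqli") for i in range(1, 11)}
    detected = sorted(truth)[:8]
    noise = [("app/util.py", i, "xss") for i in range(1, 26)]
    # Constructed confidence scores: most real findings score high, most noise scores low,
    # with one real finding and ten noisy ones deliberately mis-scored to show the trade-off.
    scored = [(f, 0.9) for f in detected[:7]] + [(detected[7], 0.3)]
    scored += [(f, 0.2) for f in noise[:15]] + [(f, 0.8) for f in noise[15:]]
    return truth, scored


def compare_raw_vs_triaged(threshold=0.5):
    """Return (precision, recall, f1) before and after the triage stage."""
    truth, scored = constructed_benchmark()
    raw = precision_recall_f1([f for f, _ in scored], truth)
    triaged = precision_recall_f1(triage(scored, threshold), truth)
    return raw, triaged


if __name__ == "__main__":
    raw, triaged = compare_raw_vs_triaged()
    print("raw scan      P=%.2f R=%.2f F1=%.2f" % raw)
    print("after triage  P=%.2f R=%.2f F1=%.2f" % triaged)
```

On this constructed data the raw scan scores F1 = 16/43 (about 0.37) and the triaged output F1 = 14/27 (about 0.52): suppressing 15 of 25 false positives outweighs losing one of the eight true findings.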

Hybrid model

The update addresses a longstanding problem in software security: development teams often receive so many alerts from scanning tools that they struggle to decide which issues need immediate action. That can lead to delays, higher review costs, and the risk that significant vulnerabilities remain buried among low-value warnings.

"No single approach - rules-based or AI - tells the whole story on its own," said Sandeep Johri, Chief Executive Officer, Checkmarx.

"Deterministic scanning has earned its place as the precision standard, and AI extends that reach to code the rules were never written for. But neither alone separates the findings that matter from the ones that don't. At today's volumes, that noise is what slows teams down and drives up cost. Checkmarx One's hybrid engines bring together the best of both in a fundamentally different architecture," said Johri.

Checkmarx said the language-agnostic design allows the engine to work across established and emerging programming languages, as well as codebases that combine several languages. That is intended to help organisations that have adopted AI coding tools while still relying on older applications and complex software estates.

Another part of the update is governance support for senior management and boards. Checkmarx said the product can provide evidence tied to exploitability and remediation status rather than relying only on raw counts of findings.

Market pressure

Application security vendors have been adapting their products as AI coding assistants gain wider use in software teams. While those tools can speed up software creation, security specialists have raised concerns that they can also introduce vulnerable patterns into code at scale.

Checkmarx framed the market challenge as one of both coverage and economics. Security teams need tools that can scan more code across more languages while avoiding excessive computing costs and the manual effort created by poor-quality findings.

"AI has handed developers an unprecedented productivity boost, but independent benchmarks show that even the best models produce insecure code in a third to nearly half of cases - and the tools meant to catch it can burn through compute budgets chasing false positives," said Jonathan Rende, Chief Product Officer, Checkmarx.

"What teams need isn't just more findings, it's confidence and predictability: surfacing the vulnerabilities that truly matter, eliminating the noise, and doing it without blowing past budgets. That's the assurance Checkmarx One now gives every customer - the highest fidelity in the industry, with the economics to match," said Rende.

The hybrid scanning engines and the Finding Analysis Engine are available in early access as part of the Checkmarx One platform.