IT Brief US - Technology news for CIOs & IT decision-makers

Endor Labs unveils AI SAST tool to cut false positives by 95%

Fri, 21st Nov 2025

Endor Labs has introduced its AI-native, multi-modal static application security testing (SAST) product, aiming to address persistent problems in code flaw detection. The company's new tool combines multiple AI agents and advanced program analysis, targeting longstanding industry issues such as high false positive rates and detection of complex logic flaws.

False positives

High volumes of inaccurate security alerts remain a core problem for development and security teams. Industry studies indicate that SAST tools regularly generate false-positive rates between 68% and 78%, with some teams reporting figures as high as 95% on production code. Triaging these alerts consumes considerable team time, often delaying security responses and adding significant overhead to developer workflows.

The tool developed by Endor Labs employs a multi-agent system within its analysis engine. Detection agents review code for architectural and business logic vulnerabilities, classifying findings according to OWASP Top 10 criteria. Triage agents filter alerts by analysing syntax, dataflow, and inferred code intent, while remediation agents offer context-aware recommendations for addressing identified issues.

Programme analysis

The new SAST solution uses Endor Labs' proprietary Code API, allowing agents to build models of both code structure and organisational context. During testing with several enterprise partners in technology and data sectors, the system identified complex security weaknesses, including subtle logic flaws and insecure API handling.

Comparative assessments showed the AI SAST tool eliminated 95% of false-positive results, highlighted 4.5% as verified vulnerabilities, and marked only 0.5% as unknown or ambiguous cases. Teams were able to focus efforts on high-impact security risks rather than extraneous or erroneous alerts. The platform allows organisations to tailor its analysis to specific policies and frameworks using natural-language prompts, and it supports over 40 programming languages.

Remediation process

By prioritising accurate detection and contextual remediation, the platform is designed to improve engineering workflow efficiency. It generates remediation suggestions specific to each team's standards, architecture, and frameworks, which helps accelerate the process from identification to resolution. This targeted approach reduces time spent on false alarms and allows teams to ship code with a higher degree of confidence in its security posture.

"True software understanding requires multiple analytical lenses working in concert - syntax, dataflow, and AI reasoning that can infer intent. Instead of funneling entire codebases into an LLM, we apply intelligence only where semantic depth actually matters, enabling fully automated triage at enterprise scale. This multi-modal approach mirrors how top security engineers reason through risk, but delivers it at the speed and scale modern development demands," said Amod Gupta, VP of Product & Design, Endor Labs.