Endor Labs is expanding its application security (AppSec) platform with agents to address development risks posed by AI and vibe coding.
Bolstered by agentic AI and what the company claims is the industry’s most comprehensive security dataset, the platform moves beyond mere risk identification to prioritise threats, propose solutions, and even implement fixes automatically.
The move comes amid a dramatic shift in software development practices. The rise of AI coding assistants means vast quantities of code are being generated faster, and often with less direct human oversight, than ever before. This acceleration introduces new security complexities that legacy tools struggle to manage.
Varun Badhwar, Co-Founder and CEO of Endor Labs, said: “We’re in the middle of the software development revolution. Until recently, 80% of code came from open source. Moving forward, 80% will be generated by AI. That future isn’t far off—it’s already reshaping how software gets built today.
“Everyone’s building AI agents, but most are just wrappers around LLMs. What makes our agents powerful is the data underneath. We’ve spent years building the security dataset the industry needs to make AI actually useful for AppSec teams.”
Endor Labs positions its platform as essential for navigating this new landscape, citing potential risks associated with AI-assisted development and vibe coding.
Statistics indicate that a significant percentage of AI-generated solutions may contain bugs or security vulnerabilities, with nearly 30% potentially including critical weaknesses. Traditional static analysis and vulnerability scanning tools often lack the context and speed to effectively counter these emerging threats.
To build the necessary intelligence, Endor Labs detailed the extensive groundwork undertaken over the past three years by its team, which includes renowned experts in programme analysis:
- Analysis of 4.5 million open source projects and AI models.
- Mapping over 150 distinct risk factors to each component.
- Construction of detailed call graphs, indexing billions of functions and libraries.
- Precise annotation of code lines where known vulnerabilities reside.
This deep contextual understanding fuels the platform’s new agentic AI capabilities, designed to integrate into the software development lifecycle and act decisively rather than just passively alerting teams.
Agentic AI designed to manage risks in the vibe coding era
Central to the enhanced platform are specialised AI agents trained for application security tasks. These agents are designed to reason about code changes much like human developers, architects, and security engineers would.
By working collaboratively, the AI agents review code, pinpoint potential risks, and suggest targeted fixes—effectively augmenting security teams’ capacity without impeding developer workflow.
The first features built upon this new agentic AI foundation were also announced today:
AI security code review
This capability employs multiple AI agents to scrutinise every pull request (PR). It focuses on identifying high-risk architectural changes that often fall outside the scope of traditional Static Application Security Testing (SAST) tools. Examples include:
- Introduction of AI systems potentially vulnerable to prompt injection attacks.
- Modifications to critical authentication or authorisation mechanisms.
- Creation of new public-facing API endpoints.
- Changes involving cryptographic implementations.
- Alterations to how sensitive data is handled.
Endor Labs asserts key benefits include surfacing significant risks hidden within numerous PRs, reducing alert fatigue through context-aware prioritisation, and allowing security engineers to concentrate on genuinely critical issues without hindering vibe coding.
Mark Breitenbach, Security Engineer at Dropbox, commented: “We’re looking for better ways to scale how we identify business logic risks and unknown unknowns in our codebase.
“Traditional static analysis tools haven’t really given us the lift we need. Being able to detect risks that we’d otherwise miss manually or through traditional automation is hugely valuable.”
MCP plugin for Cursor
Addressing the trend of “vibe coding” – where developers prioritise speed and intuition – the Meta-Code Protocol (MCP) plugin integrates Endor Labs’ security intelligence to manage risks directly into AI-native coding environments like Cursor and complements tools like GitHub Copilot.
By scanning code in real-time as it is written, it flags potential risks and assists both human developers and AI coding agents in implementing fixes promptly.
This integration aims to compress a security review process that could previously take weeks – involving ticketing systems, back-and-forth communication, and manual remediation – into an automated workflow resolving issues within minutes, directly within the developer’s preferred tools and before a PR is even submitted.
Chris Steffen, VP of Research at Enterprise Management Associates, observed: “Despite the advances we see on a daily basis, application security teams are still struggling to adopt AI in a way that helps them improve productivity.
“They need greater visibility and context into AI-generated code, and solutions to help them uncover security risks sooner and faster. Endor Labs is ahead of the game with AI innovations built specifically for application security engineers using its wealth of data and knowledge.”
Endor Labs’ platform aims to manage risks effectively in an era increasingly dominated by AI-driven software development and vibe coding, promising to neutralise entire classes of threats before they can impact production systems.
(Photo by Daniel Herron)
See also: Mozilla open-source tools help developers build ethical AI datasets
Want to learn more about AI and big data from industry leaders? Check out AI & Big Data Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Intelligent Automation Conference, BlockX, Digital Transformation Week, and Cyber Security & Cloud Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
