What if developers and security began on the same page with shared goals instead of competing priorities? That mindset was woven throughout RSA 2025, where the theme “Many Voices. One Community.” pushed teams to break down silos and build smarter, safer software together. AI grabbed the spotlight, but the real shift was about collaboration: developers, security engineers, and operations aligning early to ship secure code without slowing down.
At RSA, Semgrep Co-founder Luke O’Malley laid out a pragmatic, developer-first vision for how AppSec can be collaborative, AI-augmented, and built to scale, without compromising developer speed or agility. In a series of conversations at RSA, he introduced a new way to think about application security, AppSec for Builders, and backed it up with a public Manifesto outlining the principles that will guide the next generation of security tools.
Below are key highlights and takeaways from Luke’s RSA video interview touching on the philosophy, the Manifesto, and what it means to build security into the way developers work today.
One community, shared responsibility
“Secure code or secure software starts with those who write it,” says Luke. “I think the best security teams, the best AppSec teams, make sure that their developers have all the context they need to make the good decision or the right decision.”
“Many Voices. One Community.” was more than a slogan at RSA 2025. It reflects a broader movement in security: the understanding that everyone who touches code has a role in keeping it safe. Semgrep’s platform reflects that reality. It is not built only for security teams; it is built to unify:
Developers writing and reviewing code
Security engineers defining policies and guardrails
Platform and compliance teams ensuring standards are met
AI copilots helping triage and resolve issues
Semgrep is designed to make those conversations happen early, often, and without friction. The result? Security becomes a shared responsibility, not a bottleneck.
AppSec for builders: Guardrails, not gates
“So if you want to empower your builder, you need to give them agency... it’s not about control, it’s about empowerment,” Luke explained. “We want to notify them if they’re doing something risky and provide a guardrail and nudge them back onto the paved road—a safer path that still lets them move fast.”
At the heart of Semgrep’s approach is the belief that security should enable software delivery, not slow it down. Semgrep’s AppSec for Builders philosophy is captured in a seven-part Manifesto:
Guardrails over Gates
Guide developers with safe defaults—don’t block them.
Real-world Impact over Audit Perfection
Focus on actionable issues, not theoretical ones.
AI Optimism over AI Pessimism
Use AI to automate the tedious and amplify human impact.
Build Time over Runtime
Catch issues early—fix before deploy.
Fixed over Found
Security only matters if issues get fixed.
Tailored Detection over Generic Scans
Customize scans to cut noise and highlight real risk.
Platform Extensibility over Completeness
Flexible, composable tools beat one-size-fits-all platforms.
Security teams stay deeply involved—not as gatekeepers, but as allies who help teams move fast and stay secure.
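To make “Tailored Detection over Generic Scans”, “Fixed over Found” and “Guardrails over Gates” concrete, here is an illustrative Semgrep rule file. It is an added example written for this page, not a rule from Semgrep’s registry, the Manifesto, or Luke’s talk; the rule ids, the excluded paths and the assumptions about the target code base are the editor’s own.

```yaml
# paved-road.yaml (added example; rule ids and excluded paths are illustrative)
rules:
  # Tailored detection: flag subprocess calls that run a *non-literal* command
  # through a shell. A generic "shell=True is bad" rule also fires on hard-coded
  # commands and on test fixtures, which is exactly the noise the Manifesto
  # argues against.
  - id: python-shell-true-dynamic-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC runs a command built at runtime ($CMD) with shell=True.
      Pass the command as an argument list with shell=False, or quote every
      user-controlled fragment with shlex.quote.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    paths:
      exclude:
        - "tests/"          # assumed: fixtures that deliberately shell out
        - "scripts/dev/"    # assumed: local tooling outside the deployment path
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # A plain string literal cannot carry attacker input; skip it.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$

  # Fixed over found: a finding that ships with its own fix. yaml.load without
  # an explicit Loader can instantiate arbitrary Python objects from untrusted
  # YAML; safe_load restricts parsing to plain data types.
  - id: python-yaml-load-without-loader
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load($DOC) without an explicit Loader can construct arbitrary Python
      objects from the document. Use yaml.safe_load($DOC) unless tagged objects
      are genuinely required.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    # Exactly one argument, so calls that already pass Loader=... do not match.
    pattern: yaml.load($DOC)
    fix: yaml.safe_load($DOC)
```

Run it with `semgrep scan --config paved-road.yaml .` for findings only, add `--autofix` to apply the `fix:` (the nudge back onto the paved road), and add `--error` only where a failing build is genuinely wanted. A companion `paved-road.py` beside the rule file, annotated with `# ruleid:` and `# ok:` comments and run with `semgrep scan --test --config paved-road.yaml .`, pins the rule’s behaviour; include an f-string command in it, because whether the `"..."` wildcard in the `pattern-not` clause also covers f-strings depends on the Semgrep version, and that case should be a reported finding.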
AI that adds leverage, not just hype
“Today is the least capable LLMs will ever be,” Luke observed. “They’re only going to get better, faster, cheaper—so why not put them to work on low-leverage tasks that burn out security teams?”
Everywhere you turned at RSA, AI was the topic of conversation. But Luke and the Semgrep team focused less on buzzwords and more on authentic, high-leverage use cases.
With Semgrep AI Assistant, teams gain:
20% backlog reduction out of the box (up to 40% with tuning)
96% agreement rate between devs and security on flagged issues
Smart triage and prioritization, powered by LLMs + static analysis
“We want security engineers doing high-leverage work,” Luke explained. “Let the AI triage and prioritize. Let humans make the decisions that matter.”
Rethinking legacy tools
Luke noted, “Compilers are very good at finding complex problems in code—but not at understanding the context around them. By combining compiler-driven static analysis with LLMs, we can make those models significantly more accurate.”
Most traditional SAST tools were built for compliance, not developers. They generate noise, miss context, and stall teams.
Semgrep is rethinking that. Innovations include:
Live, developer-in-the-loop scanning
Click-to-fix SCA for safe package upgrades
Transitive dependency + reachability analysis
Managed scanning for fast onboarding and scale
Looking ahead: Empowering the builders
The future of AppSec isn’t more tools—it’s better collaboration. Semgrep’s goal is to make secure development a natural part of the build process.
“I think the best AppSec teams make sure that their developers have all the context they need to make the good decision or the right decision when presented with that kind of fork in the road,” said Luke.
In closing and next steps
So when someone asks, “Why Semgrep?” Luke’s answer is simple: “If you want to empower your oldest builders to write secure code, you want Semgrep.”
Explore the full Manifesto to see how Semgrep is redefining modern AppSec, or watch Luke’s RSA video interview for key insights and takeaways.