Just as AI has made developers more productive, it's made attackers more capable. The tools designed to protect software in the era of human-written code and human-scale attacks are breaking. We're excited to share the new Semgrep Multimodal, a system that combines AI reasoning with rule-based analysis for detection, triage, and remediation, producing results that are better than either approach in isolation.
Semgrep Multimodal’s new detection capabilities have already found multiple incident-level zero-days at customers, and have been credited with saving tens of thousands of dollars on what would otherwise have been expensive, time-intensive bug bounty reports.
Attackers can’t have all the advantage
Attackers are capitalizing on the latest LLM improvements, which hand them powerful tooling at unprecedented speed and scale. Meanwhile, AI-assisted software development is increasing code output by orders of magnitude, with downstream vulnerability counts up as much as 20x.
We believe defenders deserve to be just as well-equipped as attackers, so we built Semgrep Multimodal. With the release of the latest models, its detection capabilities have become even stronger: Semgrep Multimodal finds up to 8x more true positives with 50% fewer false positives compared with the base models on their own.
Semgrep Multimodal allows security teams to scale themselves and review code not merely for things like SQL injection and SSRF, but also IDOR, broken auth, and business logic errors that can lead to the most expensive exploits. When supplied with threat models and architectural context, Semgrep Multimodal adapts detection to the way your system actually works.
“With Semgrep, I trust that a critical finding will be relevant to us. It saves time and helps our developers focus on the issues that actually matter,” said Minh Nghiem, Senior Security Engineer, Homebase.
Semgrep Multimodal avoids the pitfalls of AI-only techniques (lack of repeatability and auditability, spiraling costs, hallucinations, and false positives) while capturing the advantages of AI itself: reasoning about organizational context, detecting complex business-logic issues, and performing tedious work such as issue triage. And as models improve, Semgrep Multimodal's performance improves with them.
Inside Semgrep Multimodal
Semgrep Multimodal is built on Semgrep Workflows, a framework for autonomous code security. Workflows combine deterministic tools with AI to automate AppSec work. For example, Semgrep Multimodal uses the Semgrep Pro Engine's taint analysis to trace flows of user input into sensitive operations such as database queries or API responses, then passes those traced paths to an LLM that reasons about whether authorization checks are missing along them. That combination finds business-logic vulnerabilities like IDORs and broken access control that neither static analysis nor LLMs catch reliably on their own.
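As an added illustration (example code written for this page, not Semgrep's or any customer's code), here is the class of bug that paragraph describes. A user-supplied `order_id` flows through a parameterized query straight into the API response, so classic injection rules stay quiet; the only defect on the source-to-sink path is a missing ownership check, which is exactly the question handed to the LLM. The `Request` shape, the `orders` table and its rows are constructed for the example.

```python
"""IDOR: the taint path from a request parameter to an API response, shown
once without an ownership check and once with it. Example code, not from
Semgrep; the request shape and data are constructed for illustration."""

from dataclasses import dataclass
import sqlite3


@dataclass
class Request:
    user_id: int   # authenticated principal, assumed set by auth middleware
    args: dict     # query-string parameters, fully attacker-controlled


def make_db() -> sqlite3.Connection:
    """Constructed sample data: order 1 belongs to user 100, order 2 to user 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)", [(1, 100, 50), (2, 200, 999)]
    )
    return conn


def _parse_order_id(req: Request):
    """Return the requested id as an int, or None when it is not an integer."""
    try:
        return int(req.args.get("order_id", ""))
    except ValueError:
        return None


def get_order_vulnerable(conn: sqlite3.Connection, req: Request) -> dict:
    """Source: request parameter. Sink: query result returned to the caller.
    The query is parameterized (no SQL injection), but nothing on the path
    checks that the caller owns the record, so any user can read any order."""
    order_id = _parse_order_id(req)
    if order_id is None:
        return {"status": 400}
    row = conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        return {"status": 404}
    return {"status": 200, "order": {"id": row[0], "total": row[2]}}


def get_order_hardened(conn: sqlite3.Connection, req: Request) -> dict:
    """Same path with the authorization check folded into the query predicate:
    the database never hands back a row the caller does not own. Returning 404
    rather than 403 avoids confirming that the id exists."""
    order_id = _parse_order_id(req)
    if order_id is None:
        return {"status": 400}
    row = conn.execute(
        "SELECT id, owner_id, total FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, req.user_id),
    ).fetchone()
    if row is None:
        return {"status": 404}
    return {"status": 200, "order": {"id": row[0], "total": row[2]}}


def demo() -> tuple:
    """User 100 asks for order 2, which belongs to user 200.
    Returns (vulnerable status, hardened status): the first leaks the
    record, the second denies it."""
    conn = make_db()
    attacker = Request(user_id=100, args={"order_id": "2"})
    return (
        get_order_vulnerable(conn, attacker)["status"],
        get_order_hardened(conn, attacker)["status"],
    )


if __name__ == "__main__":
    print(demo())
```

The point for detection is that every line of `get_order_vulnerable` looks fine to a pattern-only rule: the query is parameterized and the input is cast to an integer. What makes it a finding is the absence of a check between the traced source and sink, which is a judgment about the application's authorization model rather than a syntactic match.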