Semgrep chosen to be part of OpenAI’s Trusted Access for Cyber Program

Semgrep’s selection includes early access to frontier AI models with stronger cyber reasoning capabilities and grants to fund advancements in Application Security.

April 17th, 2026

Security backlogs aren’t a new problem. Most AppSec teams triage more findings than they can act on, and AI coding tools have accelerated that dynamic. More code, written faster, means more findings, and the security tooling has to keep pace.

Today, OpenAI announced Trusted Access for Cyber, a new program designed to give vetted defensive security organizations access to frontier AI models with stronger cyber reasoning capabilities. Semgrep is one of four initial recipients of OpenAI’s Cybersecurity Grant Program, which commits $10 million in API credits toward organizations focused on software supply chain security and vulnerability research.

How Semgrep applies AI

Semgrep Multimodal already combines AI reasoning with rule-based analysis for detection, triage, and remediation. The combination is proving successful in detection: it finds up to 8x more true positives with 50% fewer false positives than using LLMs alone. These new capabilities have already found multiple incident-level 0-days for our customers.

For triage, across more than six million findings analyzed, users agree with Semgrep’s triage decisions 95% of the time. That matters because manual review doesn’t scale, and noise kills adoption.

On the remediation side, Autofix provides contextual remediation guidance, breaking change analysis, and AI-generated fix suggestions directly in pull requests. Upgrade Guidance goes a step further: when a dependency upgrade introduces breaking changes, it shows the developer exactly where in their application code the affected dependency is used and what changed between versions. That context is the difference between knowing you need to upgrade and knowing what the upgrade actually requires.

Frontier models with stronger cyber reasoning improve the quality of this work. This matters most in cases where determining whether a vulnerability is actually exploitable requires reasoning across complex code paths or dependency chains.

The broader program

Trusted Access for Cyber is backed by a coalition of enterprise security organizations including Bank of America, Cisco, Cloudflare, CrowdStrike, JPMorgan Chase, NVIDIA, Palo Alto Networks, and Zscaler, among others. OpenAI has also provided access to GPT-5.4-Cyber to the U.S. Center for AI Standards and Innovation and the UK AI Security Institute for capability evaluations.

The program’s premise is that defenders should have access to the same frontier capabilities as attackers, and it includes organizations with a proven track record in security research and remediation.

We’ll keep applying these capabilities to reduce the manual work security teams carry: better triage accuracy, more precise fix guidance, and broader coverage across the languages and frameworks Semgrep supports. You can read the full Trusted Access for Cyber announcement on OpenAI’s site.