
Introducing deepsec: The security harness for finding vulnerabilities in your codebase
Quick Answer
Vercel has open-sourced deepsec, a security harness that utilizes coding agents for vulnerability detection in large codebases, running locally without cloud dependencies.
Quick Take
Vercel has open-sourced deepsec, a security harness that utilizes coding agents for vulnerability detection in large codebases, running locally without cloud dependencies. It employs models like Opus 4.7 and GPT 5.5 for tailored investigations, achieving a false positive rate of 10-20%, and supports custom plugins for enhanced scanning capabilities.
Key Points
- deepsec scans large codebases, identifying vulnerabilities with minimal setup required.
- It integrates with existing subscriptions like Claude and Codex for inference.
- The tool can run research jobs in parallel, scaling to 1,000+ concurrent sandboxes.
- A custom plugin system allows adaptation to specific codebase needs.
- False positive rates are managed effectively, enhancing the reliability of findings.
Article Content
From source RSS / original summaryToday we’re open sourcing: a security harness powered by coding agents. It runs on your own infrastructure and surfaces hard-to-find issues in large codebases. deepsecYou can run on your laptop without setting up a cloud service for privileged source code access. For inference, you can use your existing Claude or Codex subscription without any additional setup. deepsecScanning large repos can take multiple days on a single machine.
To run research jobs in parallel, supports optional fanout to Vercel Sandboxes for remote execution. Scans on Vercel’s codebases routinely scale up to 1,000+ concurrent sandboxes. deepsecAt its core, uses and to perform tailored investigation of a codebase using Opus 4. 7 at max effort and GPT 5. 5 at xhigh reasoning.
deepsecclaudecodexScans start with static analysis to identify security-sensitive files, then coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings. Here is the workflow: has been highly useful on our own monorepos and for our customers' codebases. During development, we ran on several open source repositories of Vercel customers and partners. deepsecdeepsecFor example, scanned the of.
Dub is a marketing attribution platform for affiliate programs and short links that is also available as SaaS. It features authenticated access, interacts with a database, and runs several backend services, creating a large security surface. When we shared our findings with founder Steven Tey, he replied:deepsecdeepsecopen source versiondub. coRunning against Vercel’s own monorepos, identified subtle edge cases in auth conditions, leading us to develop a that covers every authentication path in our code.
deepseccustom scanner pluginSome of 's findings will be false positives. In our experience the false positive rate is roughly 10-20%. Given the impact of true positive findings in our own research, we’ve been happy with this outcome, and we built the step to have the agent further verify its findings to reduce false positives. deepsecrevalidate works best for applications and services. It may be usable for libraries and frameworks, but those would likely require custom prompts and scanners.
deepsec ships with a plugin system for adapting it to your codebase. The most common plugins are custom scanners: regex matchers tuned to your auth model, data layer, or team conventions. We recommend using with your coding agent and asking it to write those matchers based on findings from an initial scan:deepsecdeepsecBoth Anthropic and OpenAI offer “cyber” versions of their most capable models, fine-tuned to accept security tasks the base models won’t.
works with these, but is also fully functional with off-the-shelf models. deepsec ships with a classifier that checks whether the task was refused after each research step. In our experience, for the prompt that is using, refusals are a non-issue for both Opus 4. 7 and GPT 5. 5. deepsecdeepsecTo get started, run at the root of your repository. This will create a directory called, which is used to configure the system and store a catalog of your investigations. From there, follow the output of the command.
Read the full. npx deepsec init. /. deepsecdeepsecdocumentation on GithubWhile we’ve used extensively, it is still early in its development. Feedback and contributions are welcome. deepsecon GitHubRead moreArchitectureRunning on production codedeepsecCustomization and pluginsDo I need access to a special “cyber model”? Getting startedFeedback welcome: It starts by performing a regex-only scan of all files for security-sensitive areas that subsequent steps will focus on.
Scan: Agents investigate each file identified in the scan. Investigate: A second agent run validates investigation findings to remove false positives and reclassify severity. Revalidate: Once investigation is complete, an agent uses git metadata and other optional services to identify the contributors responsible for fixing each issue. Enrich: The command formats the findings as instructions so that they can be turned into tickets for humans and coding agents. ExportexportFalse positives and best uses
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from Vercel AI
See more →
The Agent Stack
The Agent Stack by Vercel AI provides essential building blocks for creating production-grade agents, enabling seamless integration across multiple AI models and secure operations. It features components like AI Gateway for model routing, Workflow SDK for durable execution, and Vercel Connect for scoped access, streamlining agent development and deployment across various platforms.

