New autonomous agents prevent vulnerabilities by securing code before it’s submitted
MOUNTAIN VIEW, CA – July 14, 2026 – AI is generating code faster than teams can review it. Checkmarx, the leader in agentic application security, today addressed that gap by introducing self-healing application security: autonomous agents that detect, fix, and verify vulnerabilities as developers code.
Key Takeaways
- Developer Assist now runs a continuous find-and-fix loop directly in AI coding tools through hooks, catching and fixing vulnerabilities as code is written with up to 70% less manual remediation effort.
- Triage and Remediation agents autonomously prioritize what’s already in the codebase and generate merge-ready fixes, cutting manual triage and accelerating developer productivity.
Closing the Loop from Code to Backlog
According to Checkmarx’s 2026 Future of Application Security report, 96% of developers now use AI coding tools, but only 18% apply security continuously as they write code, a gap autonomous remediation is designed to close.
In a study Checkmarx commissioned from independent researcher The Weather Report, published in July 2026, frontier models produced working code 83% to 95% of the time, but only 24% to 36% of that code was both secure and functional. Even a post-hoc security review lifted the secure-and-functional rate to only 47% to 56%, underscoring the gap that autonomous remediation is built to close.
“Security teams have spent a decade trying to keep pace with how fast code gets written, and AI just moved that goalpost again,” said Harshil Parikh, VP of Product Management at Checkmarx. “The only way to close that gap is to stop treating detection and remediation as separate steps handled by separate tools and let the system fix what it finds.”
“The goal is prevention – creating a continuous flow of clean code from the start and autonomous fixes before code reaches production,” said Jonathan Rende, chief product officer at Checkmarx. “With autonomous remediation, fixes are applied while developers are still writing code, before it’s ever checked in, and what’s in the pipeline gets prioritized and expedited without having to think about it.”
Developer Assist now works as a single remediation loop pre-commit. While the IDE, it runs autonomously through hooks and MCP. It detects a vulnerability, retrieves context from Checkmarx One, generates a fix and verifies it before code is committed. Developers using IDEs like Cursor, Windsurf or Kiro or a command-line interface (CLI) with LLMs like Claude Code can get the same autonomous loop without switching tools.
Once code reaches the backlog, Triage and Remediation agents take over. They isolate exploitable risk from severity noise using real-world reachability, what Checkmarx calls attackability, then generate merge-ready pull requests for the vulnerabilities that matter. Developers review and merge each fix; AppSec retains policy control and full traceability over every automated decision.
Availability
Developer Assist’s autonomous mode, along with Triage Assist and Remediation Assist, are generally available now with Checkmarx One. To learn more, visit Checkmarx.com.
1 For dependency and package-upgrade work specifically, Developer Assist’s Safe Refactor capability models a representative reduction in manual remediation effort of about 70%, cutting a typical six-hour package upgrade to 1.8 hours, an estimated $420 in developer time at $100 an hour.
About Checkmarx
Checkmarx is the leader in agentic application security, delivering enterprise-grade protection while lowering engineering costs and accelerating development velocity. The Checkmarx One platform scans trillions of lines of code each year, enabling companies to cut vulnerability density by more than half. Autonomous security agents continuously detect and counter AI-driven threats across the software development lifecycle, delivering prevention-first protection for legacy, modern, and AI-generated code at enterprise scale. Follow Checkmarx on LinkedIn, YouTube, and X.
For more information, contact: