Gitar, a startup building AI agents for automated security code review, emerged from stealth with $9 million in funding. The company's approach is not fundamentally new — static application security testing (SAST) has existed for decades — but what has changed is the quality of the underlying model. Previous SAST tools generated high false positive rates that trained engineers to ignore their output; they lacked the contextual understanding required to distinguish a genuinely vulnerable code path from a safe one. Large language models applied to code analysis can reason about semantics, call graphs, and data flow in ways that rule-based pattern matchers cannot. This has opened up a new category of AI-powered security tooling that is generating significant investor interest and real engineering traction.
What Happened and Why It Matters
Gitar's $9M raise is a signal about where the security tooling market is moving, not an isolated event. In the past 18 months, Snyk has integrated LLM-powered code analysis into its SAST product; GitHub Advanced Security has added AI-powered autofix suggestions via Copilot Autofix; Socket.ai uses AI to detect malicious patterns in npm packages at scale; and companies including Semgrep AI, CodeShield, and Gitar are building AI-native architectures for security code review from the ground up.
The problem they are all solving is the same: security review is a bottleneck in modern software development. A security engineer conducting manual code review can review perhaps 200 lines per hour to a high standard. A medium-sized engineering team committing 10,000 lines per day cannot be security-reviewed manually without slowing development to a halt. AI-powered security analysis that can review every line of every commit in near-real-time changes this equation fundamentally — not by replacing security engineers, but by dramatically expanding the coverage they can achieve.
What AI-Powered Security Analysis Actually Does
Understanding the technical capabilities and limitations of AI-powered security tooling helps engineering teams deploy it effectively:
- LLM-powered SAST (Static Application Security Testing) — Traditional SAST uses pattern matching and AST analysis to identify known vulnerability signatures. LLM-powered SAST adds semantic understanding: it follows data flow across function calls, understands that a variable sanitised in one context may be unsanitised in another, and identifies vulnerability patterns that do not match any known signature but are structurally equivalent to known-bad patterns. GitHub Copilot Autofix suggests remediation code alongside vulnerability findings, reducing engineer time-to-fix.
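The point about context-specific sanitisation is easiest to see in code. The following is an added example, not code from the article or from any of the tools it names: a value is "cleaned" by an HTML-context sanitiser and then reaches a SQL sink. A call-site pattern match sees a sanitiser on the path and is satisfied; only data-flow analysis that knows which sink the value reaches notices that the HTML cleaning did nothing for SQL. The table rows and the probe input are constructed sample data, and the query runs against an in-memory SQLite database.

```python
"""Added example (not from the article): a value sanitised for one context
(HTML) is still untrusted in another (SQL). The vulnerable form keeps the
defect on purpose so it can sit beside the hardened form."""
import re
import sqlite3

# Constructed sample data: a small user table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def strip_tags(value: str) -> str:
    """HTML-context sanitiser: removes <...> markup. It says nothing about SQL."""
    return re.sub(r"<[^>]*>", "", value)


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: a tag-stripped value is concatenated into SQL.
    strip_tags() ran, so a rule that looks for 'a sanitiser on the path' is
    satisfied, yet the quote characters SQL cares about pass straight through."""
    cleaned = strip_tags(name)
    query = f"SELECT name FROM users WHERE name = '{cleaned}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    """The fixed form: the value is bound as a query parameter, so it is data
    and never SQL syntax, regardless of which sanitiser ran earlier."""
    cleaned = strip_tags(name)
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (cleaned,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input; harmless as HTML text
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row
    print("hardened:  ", find_user_hardened(db, probe))    # no rows
```

The hardened form is what a good autofix suggestion should produce for this finding: it does not add another sanitiser, it changes the sink so the value can no longer be interpreted as code.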
- AI-powered dependency and package analysis — Socket.ai and similar tools use LLMs to analyse package behaviour beyond what is recorded in vulnerability databases. They detect packages recently updated to add obfuscated network calls, that contain unusual install scripts, or that exhibit dependency confusion patterns — none of which would appear in a CVE database. This addresses supply chain attacks that have no known CVE but exhibit anomalous code behaviour.
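To make the "behaviour rather than CVE" idea concrete, here is an added example that is not the article's code and is not how Socket.ai or any other named tool works internally: a small behavioural check over an npm package.json. It flags the two signals mentioned above that never appear in a vulnerability database, lifecycle scripts that run at install time and install scripts that fetch or decode-and-evaluate code. The manifest and the regex lists are constructed assumptions for the demo, not a complete detector.

```python
"""Added example (not from the article or any vendor): heuristic review of an
npm manifest for install-time behaviour. Constructed sample data throughout."""
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: a small starting list of signals, not an exhaustive one.
NETWORK_RE = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)
OBFUSCATION_RE = re.compile(r"base64|\beval\(|Function\(|\\x[0-9a-f]{2}", re.IGNORECASE)

# Constructed sample manifest for a package update under review. The script
# body is a placeholder ('...'), not a real payload.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-widget",
    "version": "1.4.2",
    "scripts": {
        "test": "mocha",
        "postinstall": "node -e \"eval(Buffer.from('...','base64').toString())\"",
    },
    "dependencies": {"left-pad": "^1.3.0"},
})


def review_manifest(manifest_json: str) -> list:
    """Return (signal, detail) findings for one package.json."""
    manifest = json.loads(manifest_json)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # 'test', 'build' etc. do not run at install time
        findings.append(("install-hook", f"{hook}: {command}"))
        if NETWORK_RE.search(command):
            findings.append(("network-in-install", hook))
        if OBFUSCATION_RE.search(command):
            findings.append(("obfuscated-install", hook))
    return findings


def risk_level(findings: list) -> str:
    """Map signals to a review decision: block, review, or allow."""
    signals = {signal for signal, _ in findings}
    if "obfuscated-install" in signals or "network-in-install" in signals:
        return "block"
    if "install-hook" in signals:
        return "review"
    return "allow"


if __name__ == "__main__":
    found = review_manifest(SAMPLE_MANIFEST)
    for signal, detail in found:
        print(f"{signal:20s} {detail}")
    print("decision:", risk_level(found))
```

A plain install hook on its own only earns a "review" outcome, because many legitimate native packages compile in postinstall; it is the combination with network fetching or decoding-and-evaluating that justifies blocking the merge until a human has looked.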
- Infrastructure as Code security analysis — Tools like Checkov and Snyk IaC now use AI to analyse Terraform and Kubernetes manifests for misconfigurations that go beyond rule-based checkers. AI analysis understands the semantic intent of a template and flags configurations that are technically valid but create unnecessary attack surface.
- AI-driven penetration testing and adversarial simulation — The most experimental application: AI agents that can autonomously discover attack paths, propose exploit chains, and validate whether discovered vulnerabilities are exploitable in the target environment. Companies like Horizon3.ai and Pentera are building this capability — the most significant emerging shift in how security assessment is conducted.
How to Build an AI-Augmented DevSecOps Pipeline
The goal of a DevSecOps pipeline is to make security review happen continuously and automatically, at the pace of development, without creating a bottleneck. AI tooling significantly advances this goal:
- Integrate AI-powered SAST as a CI/CD gate — Deploy a SAST tool with LLM-powered analysis (Semgrep, Snyk Code, GitHub Advanced Security, or Gitar) that runs on every pull request. Configure it to block merges for high-severity findings (CVSS 7+, CWE Top 25 vulnerabilities) and flag medium-severity findings for review without blocking. The key decision is the false positive threshold — tune it for your codebase.
- Layer AI-powered dependency scanning — Run Socket.ai or Snyk Open Source on every dependency change to detect not just known CVEs but behavioural anomalies in new or updated packages. Set a policy that new dependencies for production services handling sensitive data require explicit review before merging.
- Use AI-generated fix suggestions to accelerate remediation — GitHub Copilot Autofix and similar features propose specific code changes to fix identified vulnerabilities in context. Developer acceptance of these suggestions is typically 65-75% — meaning most AI-suggested fixes are correct enough to merge without significant modification. This dramatically reduces mean time to remediate.
- Maintain human security expertise for architectural review — AI tools excel at finding known vulnerability classes in code. They are not yet effective at evaluating whether an authentication architecture is fundamentally sound, whether a threat model is complete, or whether a cryptographic design is correct. Human security engineers remain essential for these higher-level architectural questions. AI tooling changes the ratio of human time required for routine code-level review.
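The first step above, blocking on high-severity or CWE Top 25 findings while flagging the rest, is a small policy that can live in the pipeline rather than in a vendor dashboard. The following is an added example, not the article's code and not any vendor's: it applies that gate to a SAST report in SARIF, the interchange format GitHub code scanning, CodeQL and Semgrep can emit. The SARIF document is a constructed sample; the `security-severity` rule property and the `external/cwe/cwe-NNN` tags follow GitHub's documented conventions, and the CWE Top 25 subset is an assumption for the demo (a real gate would load the full current MITRE list).

```python
"""Added example (not from the article or any vendor): a merge gate over a
SARIF report. Block on security-severity >= 7.0 or a CWE Top 25 entry; flag
everything else for review without blocking. Constructed sample report."""
import json

# Assumption: a handful of CWE Top 25 IDs is enough for the demo.
CWE_TOP25_SUBSET = {"79", "89", "787", "20", "78", "22"}
BLOCK_SEVERITY = 7.0  # CVSS-style threshold from the pipeline policy

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection",
             "properties": {"security-severity": "8.8",
                            "tags": ["security", "external/cwe/cwe-089"]}},
            {"id": "py/weak-hash",
             "properties": {"security-severity": "5.0",
                            "tags": ["security", "external/cwe/cwe-328"]}},
            {"id": "py/path-injection",
             "properties": {"security-severity": "6.5",
                            "tags": ["security", "external/cwe/cwe-022"]}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/path-injection", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/files.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def _rule_index(run: dict) -> dict:
    """Map rule id -> rule metadata for one SARIF run."""
    return {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}


def _cwe_ids(rule: dict) -> set:
    """Extract CWE numbers (zero padding removed) from CodeQL-style tags."""
    tags = rule.get("properties", {}).get("tags", [])
    return {str(int(t.rsplit("cwe-", 1)[1])) for t in tags if "external/cwe/cwe-" in t}


def classify(sarif_json: str) -> dict:
    """Split findings into 'block' and 'review' buckets per the gate policy."""
    doc = json.loads(sarif_json)
    decision = {"block": [], "review": []}
    for run in doc["runs"]:
        rules = _rule_index(run)
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            severity = float(rule.get("properties", {}).get("security-severity", 0))
            loc = result["locations"][0]["physicalLocation"]
            where = f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}"
            entry = (result["ruleId"], where)
            # Block on either criterion; a sub-7.0 finding in a Top 25 class
            # (path traversal here) still blocks.
            if severity >= BLOCK_SEVERITY or _cwe_ids(rule) & CWE_TOP25_SUBSET:
                decision["block"].append(entry)
            else:
                decision["review"].append(entry)
    return decision


def merge_allowed(sarif_json: str) -> bool:
    """True when no finding meets the blocking criteria."""
    return not classify(sarif_json)["block"]


if __name__ == "__main__":
    verdict = classify(SAMPLE_SARIF)
    for bucket, entries in verdict.items():
        for rule_id, where in entries:
            print(f"{bucket:7s} {rule_id:20s} {where}")
    print("merge allowed:", merge_allowed(SAMPLE_SARIF))
```

Keeping the threshold and the CWE list in code next to the pipeline makes the false positive tuning the text mentions an auditable change in version control rather than a dashboard setting nobody remembers changing.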
What Engineering Teams Should Do
The emergence of AI-powered DevSecOps tooling has real implications for how engineering teams are structured. An engineer who can configure, tune, and interpret AI-powered SAST tools — who understands both the underlying vulnerability classes and the failure modes of AI analysis — is significantly more valuable than one who relies entirely on manual review. The skill is not "use the AI tool" but "build the AI-augmented security process that scales with your engineering team."
At Pillai Infotech, we hire and place engineers who understand both the security fundamentals and the AI tooling reshaping DevSecOps. Our cybersecurity engineers are experienced with Snyk, GitHub Advanced Security, Semgrep, and emerging AI-native security tools — and with building the CI/CD integrations that make security review happen automatically at commit time. If you're building a security-aware engineering culture, our AI automation services include DevSecOps pipeline design as a specific practice area.
Frequently Asked Questions
What is DevSecOps and how is it different from traditional security review?
DevSecOps integrates security practices into the software development lifecycle at the code commit, pull request, and CI/CD pipeline level — rather than treating security as a final gate before release. Traditional security review (pen testing, code audits) happens at release checkpoints, meaning vulnerabilities are discovered late when they are expensive to fix. DevSecOps shifts security left — finding vulnerabilities when the code is first written.
What is SAST and how is AI making it better?
SAST (Static Application Security Testing) analyses source code without executing it, looking for vulnerability patterns. Traditional SAST uses rule-based pattern matching, generating high false positive rates. AI-powered SAST uses LLMs that understand data flow, call graphs, and semantic intent — dramatically reducing false positives while finding vulnerability classes that pattern matchers miss. Developers are more likely to act on AI SAST findings because they trust the signal quality.
What is the CWE Top 25 and why does it matter for SAST configuration?
The CWE (Common Weakness Enumeration) Top 25 is an annual ranking of the most common and impactful software security weaknesses, published by MITRE. It includes SQL Injection, Cross-Site Scripting, Out-of-Bounds Write, and 22 others. Configuring SAST to block merges for CWE Top 25 findings is a practical starting point for any DevSecOps pipeline — they represent vulnerabilities most likely to be found and most likely to be exploited.
Will AI replace security engineers?
No — AI tools handle code-level vulnerability detection at scale. They are not effective at evaluating whether an authentication architecture is fundamentally sound, whether a threat model is complete, or how an attacker would chain multiple findings into a significant breach. Security engineers who use AI tooling effectively will be significantly more productive, and those who can build and operate AI-augmented security pipelines will be in high demand.
What AI security tools should a startup adopt first?
For an early-stage startup, the highest-ROI starting point: (1) GitHub Advanced Security or Snyk Code for SAST on pull requests — both integrate natively with GitHub/GitLab and have generous free tiers; (2) Dependabot or Snyk Open Source for dependency vulnerability scanning; (3) Checkov or tfsec for IaC scanning if you use Terraform or CloudFormation. These three layers cover the most common vulnerability classes at near-zero cost with minimal setup time.