Skip to main content
close search
site logo
Sponsored

How AI Agents can help AppSec teams keep up with AI-generated code vulnerabilities

Published April 8, 2025
By Charlie Klein, Director of Product Marketing, Jit
Rocket ships with animals going into space
Permission granted by 10k Media

While AppSec teams are stuck with legacy scanners and backlogs, developers and hackers have adopted AI tools to accelerate their respective objectives.

  • Developers are deploying code 70% faster with the help of AI code generation tools.
  • AI-generated code isn’t reliably secure. According to a recent Cornell study, 30% of AI-generated code snippets contain a security weakness that could enable a vulnerability depending on how they’re deployed in a runtime environment, and whether there are compensating controls.
  • Hackers are adopting AI tools to reduce the cost and technical ability needed to execute cyber attacks.
  • AppSec teams spend hours manually reviewing newly introduced security issues, trying to determine if they introduce real risk, creating tickets, and following up with those tickets when busy developers can’t get to them.

As a result, vulnerability backlogs keep growing, applications are becoming less secure, and hackers are well-equipped to take advantage of the growing gap between developer and AppSec productivity. Shifting security left to developers isn’t enough – the industry needs a renewed focus on AppSec engineer efficiency.

Breaking down manual AppSec tasks

Why can’t AppSec teams keep up with the rate of newly introduced vulnerabilities using the status quo technologies and process?

The simple answer is that mitigating product security risk requires a tremendous amount of manual work. AppSec teams are drowning in time-consuming tasks, and vulnerabilities are introduced faster than they can be resolved. Let’s break these tasks down:

1. Manually querying backlogs to find newly introduced security findings

Each day, AppSec engineers query the backlog to identify scanner-detected findings introduced in the last 24 hours. They then manually investigate each one to determine whether it introduces real risk based on the application architecture and runtime environment, or if it's just another false positive—an exercise that can eat up hours.

2. Creating context-rich tickets for developers that explain why the relevant security issue introduces real risk and enables a vulnerability.

Once a finding is confirmed to be risky, AppSec engineers must translate it into a ticket that clearly explains why it matters within the application’s architecture and runtime. Without that context, developers won’t prioritize it, so AppSec spends significant time justifying every single ticket.

3. Following up on tickets as vulnerability SLAs approach

AppSec teams are responsible for tracking and escalating open security tickets as SLA deadlines near. This follow-up process is time-consuming and repetitive, especially when tickets fall through the cracks due to shifting development priorities.

4. Mapping compliance requirements to their current environment

To identify compliance gaps, AppSec engineers must manually map abstract security requirements (e.g., SOC 2, OWASP ASVS) to actual controls and security weaknesses in their codebase and infrastructure. This mapping is tedious, easily outdated, and rarely automated—making it a constant source of overhead.

The bottom line

Mitigating product security risk simply takes too long. AI code generation tools are pushing vulnerabilities into production faster than AppSec teams can detect, prioritize, and mitigate them.

How AI Agents can accelerate AppSec tasks if they have the right context

AI Agents are well-positioned to automate the tedious tasks that slow AppSec teams down—but only if they have the right context. Without a deep understanding of the systems they operate in, AI Agents will generate noise, not insight.

To be effective, AI Agents need access to:

  • Runtime context AI Agents have visibility into the application runtime environment to understand whether vulnerabilities introduce real risk. That means identifying whether a vulnerability is: internet-facing, loaded into application memory (and therefore exploitable), capable of impacting sensitive data or privileged services.
     
  • Business context: AI Agents must prioritize issues based on what the business actually cares about. That includes: whether the affected application handles sensitive data (e.g., payments, auth), whether an issue is approaching its SLA, whether a vulnerability violates internal security policies.
     
  • Compliance context: AI Agents need to map security weaknesses against regulatory requirements—like SOC 2, PCI-DSS, or OWASP ASVS—to determine if any security gaps put the organization out of compliance.
     
  • Human intervention: AI Agents cannot operate alone. They require validation and collaboration with humans to understand if they made the right decisions before taking action.

With this context in place, AI Agents can stop being noisy automation and start becoming high-leverage teammates. Here's how they can accelerate core AppSec tasks described earlier.

Automatically identify and triage newly introduced vulnerabilities

Rather than manually querying backlogs, AI Agents can surface scanner-detected findings introduced recently, and evaluate each issue based on runtime and business context. If a vulnerability is loaded into memory on the internet-facing payments service, and your policy prohibits exploitable bugs in that service, the Agent flags it. If not, it’s ignored or deprioritized.

Generate developer-ready tickets with actual risk context

Once a risky vulnerability is identified, AI Agents can create tickets that clearly explain why the issue is dangerous—using runtime, business, and compliance context to make it understandable to developers. This makes it easier for AppSec engineers to get the right information into the right hands, and helps developers take action faster.

Track open tickets, monitor SLA deadlines, and follow up as needed

AI Agents can monitor vulnerability tickets, follow up with unresolved tickets, and automatically escalate the ones approaching SLA—ensuring real risks don’t fall through the cracks while AppSec teams focus on higher-impact work.

Continuously map compliance requirements to your environment

When AI Agents understand which compliance requirements are relevant, they can automate compliance mapping by continuously evaluating whether your environment lacks necessary controls or contains vulnerabilities that violate relevant standards. No more manual spreadsheets or last-minute audit scrambles.

AI Agents can be more than hype

AppSec teams can’t keep up with the pace of modern development using manual workflows and legacy scanners. AI-generated code introduces vulnerabilities faster than humans can triage them, and attackers are moving just as fast.

AI Agents offer a clear path forward—if they have the right context. With visibility into the runtime environment, business priorities, and compliance requirements, AI Agents can automate the most tedious and time-consuming AppSec tasks, helping teams focus on actual risk instead of alert noise.

At Jit, we’ve built AI Agents that do exactly this. Our Agents accelerate AppSec operations by continuously prioritizing vulnerabilities, generating developer-ready tickets, tracking SLAs, and mapping compliance requirements—based on the context that actually matters. AppSec teams stay in the loop to validate agentic decisions before any action is taken.

As a result, AppSec teams can spend less time chasing findings and non-security work, and more time building secure architectures.

Editors' picks

Editors' picks
Latest in Strategy
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.