Anyone who\u2019s used SAST (Static Application Security Testing) tools knows the issues of high false positives while missing entire classes of vulnerabilities like AuthN/Z bypasses or privilege escalations. This limitation is a result of their core architecture. By design, SAST tools parse code into a simplistic model like an AST or call graph, which quickly loses context in dynamically typed languages or across microservice boundaries, and limits coverage to only resolving basic call chains. When detecting vulnerabilities they rely on pattern matching with Regex or YAML rules, which can be effective for basic technical classes like (XSS, SQLi) but inadequate for logic flaws that don\u2019t conform to well-known shapes and need long sequences of dependent operations to reach an exploitable state.
My co-founder and I saw these limitations throughout our careers in national intelligence and military cyber forces, where we built automated tooling to defend critical infrastructure. We realised that LLMs, with the right architecture, could finally solve them.
Vulnerabilities are contextual. What's exploitable depends entirely on each application's security model. We realized accurate detection requires understanding what's supposed to be protected and why breaking it matters. This meant embedding threat modeling directly into our analysis, not treating it as an afterthought.
To achieve this, we first had to solve the code parsing problem. Our solution was to build a custom, compiler-accurate indexer inspired by GitHub's stack graphs approach to precisely navigate code, like an IDE. We build on the LSIF approach (https://lsif.dev/) but replace the verbose JSON with a compact protobuf schema to serialise symbol definitions and references in a binary format. We use language\u2011specific tools to parse and type\u2011check code, emitting a sequence of Protobuf messages that record a symbol\u2019s position, definition, and reference information. By using Protobuf\u2019s efficiency and strong typing, we can produce smaller indexes, but also preserve the compiler\u2011accurate semantic information required for detecting complex call chains.
This is why most "SAST + LLM" tools that use AST parsing fail - they feed LLMs incomplete or incorrect code information from traditional parsers, making it difficult to accurately reason about security issues with missing context.
With our indexer providing accurate code structure, we use an LLM to perform threat modeling by analyzing developer intent, data and trust boundaries, and exposed endpoints to generate potential attack scenarios. This is where LLMs' tendency to hallucinate becomes a breakthrough feature.
For each potential attack path generated, we perform a systematic search, querying the indexer to gather all necessary context and reconstruct the full call chain from source to sink. To validate the vulnerability we use a Monte Carlo Tree Self-refine (MCTSr) algorithm and a 'win function' to determine the likelihood that a hypothesized attack could work. Once a finding is above a set practicality threshold it is confirmed as a true positive.
Using this approach, we discovered vulnerabilities like CVE-2025-51479 in ONYX (an OSS enterprise search platform) where Curators could modify any group instead of just their assigned ones. The user-group API had a user parameter that should check permissions but never used it. Gecko inferred developers intended to restrict Curator access because both the UI and similar API functions properly validated this permission. This established "curators have limited scope" as a security invariant that this specific API violated. Traditional SAST can't detect this. Any rule to flag unused user parameters would drown you in false positives since many functions legitimately keep unused parameters. And more importantly, detecting this requires knowing which functions handle authorization, understanding ONYX's Curator permission model, and recognizing the validation pattern across multiple files - contextual reasoning that SAST simply cannot do.
We have several enterprise customers using Gecko because it solves problems they couldn't address with traditional SAST tools. They're seeing 50% fewer false positives on the same codebases and finding vulnerabilities that previously only showed up in manual pentests.
Digging into false positives, no static analysis tool will ever achieve perfect accuracy, AI or otherwise. We reduce them at two key points. First, our indexer eliminates any programmatic parsing errors that create incorrect call chains that traditional AST tools are susceptible to. Second, we avoid unwanted LLM hallucinations and reasoning errors by asking specific, contextual questions rather than open-ended ones. The LLM knows which security invariants need to hold and can make deterministic assessments based on the context. When we do flag something, manual review is quick because we provide complete source-to-sink dataflow analysis with proof-of-concept code and output findings based on confidence scores.
We\u2019d love to get any feedback from the community, ideas for future direction, or experiences in this space. I\u2019ll be in the comments to respond!"},"title":{"matchLevel":"none","matchedWords":[],"value":"Launch HN: Gecko Security (YC F24) \u2013 AI That Finds Vulnerabilities in Code"}},"_tags":["story","author_jjjutla","story_44747204","launch_hn"],"author":"jjjutla","children":[44747541,44747575,44747637,44747798,44747850,44748209,44749661,44749725,44750727,44754393,44755199,44756271,44758207,44763730,44776137],"created_at":"2025-07-31T16:23:09Z","created_at_i":1753978989,"num_comments":36,"objectID":"44747204","points":66,"story_id":44747204,"story_text":"Hey HN, I'm JJ, Co-Founder of Gecko Security (https://www.gecko.security). We're building a new kind of static analysis tool that uses LLMs to find complex business logic and multi-step vulnerabilities that current scanners miss. We\u2019ve used it to find 30+ CVEs in projects like Ollama, Gradio, and Ragflow (https://www.gecko.security/research). You can try it yourself on any OSS repo at (https://app.gecko.security).
Anyone who\u2019s used SAST (Static Application Security Testing) tools knows the issues of high false positives while missing entire classes of vulnerabilities like AuthN/Z bypasses or privilege escalations. This limitation is a result of their core architecture. By design, SAST tools parse code into a simplistic model like an AST or call graph, which quickly loses context in dynamically typed languages or across microservice boundaries, and limits coverage to only resolving basic call chains. When detecting vulnerabilities they rely on pattern matching with Regex or YAML rules, which can be effective for basic technical classes like (XSS, SQLi) but inadequate for logic flaws that don\u2019t conform to well-known shapes and need long sequences of dependent operations to reach an exploitable state.
My co-founder and I saw these limitations throughout our careers in national intelligence and military cyber forces, where we built automated tooling to defend critical infrastructure. We realised that LLMs, with the right architecture, could finally solve them.
Vulnerabilities are contextual. What's exploitable depends entirely on each application's security model. We realized accurate detection requires understanding what's supposed to be protected and why breaking it matters. This meant embedding threat modeling directly into our analysis, not treating it as an afterthought.
To achieve this, we first had to solve the code parsing problem. Our solution was to build a custom, compiler-accurate indexer inspired by GitHub's stack graphs approach to precisely navigate code, like an IDE. We build on the LSIF approach (https://lsif.dev/) but replace the verbose JSON with a compact protobuf schema to serialise symbol definitions and references in a binary format. We use language\u2011specific tools to parse and type\u2011check code, emitting a sequence of Protobuf messages that record a symbol\u2019s position, definition, and reference information. By using Protobuf\u2019s efficiency and strong typing, we can produce smaller indexes, but also preserve the compiler\u2011accurate semantic information required for detecting complex call chains.
This is why most "SAST + LLM" tools that use AST parsing fail - they feed LLMs incomplete or incorrect code information from traditional parsers, making it difficult to accurately reason about security issues with missing context.
With our indexer providing accurate code structure, we use an LLM to perform threat modeling by analyzing developer intent, data and trust boundaries, and exposed endpoints to generate potential attack scenarios. This is where LLMs' tendency to hallucinate becomes a breakthrough feature.
For each potential attack path generated, we perform a systematic search, querying the indexer to gather all necessary context and reconstruct the full call chain from source to sink. To validate the vulnerability we use a Monte Carlo Tree Self-refine (MCTSr) algorithm and a 'win function' to determine the likelihood that a hypothesized attack could work. Once a finding is above a set practicality threshold it is confirmed as a true positive.
Using this approach, we discovered vulnerabilities like CVE-2025-51479 in ONYX (an OSS enterprise search platform) where Curators could modify any group instead of just their assigned ones. The user-group API had a user parameter that should check permissions but never used it. Gecko inferred developers intended to restrict Curator access because both the UI and similar API functions properly validated this permission. This established "curators have limited scope" as a security invariant that this specific API violated. Traditional SAST can't detect this. Any rule to flag unused user parameters would drown you in false positives since many functions legitimately keep unused parameters. And more importantly, detecting this requires knowing which functions handle authorization, understanding ONYX's Curator permission model, and recognizing the validation pattern across multiple files - contextual reasoning that SAST simply cannot do.
We have several enterprise customers using Gecko because it solves problems they couldn't address with traditional SAST tools. They're seeing 50% fewer false positives on the same codebases and finding vulnerabilities that previously only showed up in manual pentests.
Digging into false positives, no static analysis tool will ever achieve perfect accuracy, AI or otherwise. We reduce them at two key points. First, our indexer eliminates any programmatic parsing errors that create incorrect call chains that traditional AST tools are susceptible to. Second, we avoid unwanted LLM hallucinations and reasoning errors by asking specific, contextual questions rather than open-ended ones. The LLM knows which security invariants need to hold and can make deterministic assessments based on the context. When we do flag something, manual review is quick because we provide complete source-to-sink dataflow analysis with proof-of-concept code and output findings based on confidence scores.
We\u2019d love to get any feedback from the community, ideas for future direction, or experiences in this space. I\u2019ll be in the comments to respond!","title":"Launch HN: Gecko Security (YC F24) \u2013 AI That Finds Vulnerabilities in Code","updated_at":"2026-04-05T14:48:46Z"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"emmettm"},"story_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Hi HackerNews,
Lately, I have seen an explosion in posts offering paid APIs/services to get unstructured data into LLMs (i.e. langchain extract, ragflow, unstructured, unstract, just to name a few) and I have been largely disappointed by them, either because they fail to implement multimodal support, fail to give good context for "really tricky" PDFs / Word docs / Powerpoints, or are just plain difficult to use. In light of all these posts I figured I'd share my solution that has been working smoothly for me and my clients. I put it up on GitHub for free so you can check it out and hopefully offer some feedback / criticism or contribute to the code yourself.
and BTW, I'm not trying to throw shade at any of the services mentioned, I'm just giving my honest experience in case there are others out there who feel the same way and want something that works
Cheers!"},"title":{"matchLevel":"none","matchedWords":[],"value":"Show HN: I just open sourced my document/website extractor for Vision-LLMs"},"url":{"matchLevel":"none","matchedWords":[],"value":"https://github.com/emcf/thepipe"}},"_tags":["story","author_emmettm","story_39909351","show_hn"],"author":"emmettm","children":[39909381,39909478,39914376],"created_at":"2024-04-02T18:40:01Z","created_at_i":1712083201,"num_comments":4,"objectID":"39909351","points":37,"story_id":39909351,"story_text":"Hi HackerNews,
Lately, I have seen an explosion in posts offering paid APIs/services to get unstructured data into LLMs (i.e. langchain extract, ragflow, unstructured, unstract, just to name a few) and I have been largely disappointed by them, either because they fail to implement multimodal support, fail to give good context for "really tricky" PDFs / Word docs / Powerpoints, or are just plain difficult to use. In light of all these posts I figured I'd share my solution that has been working smoothly for me and my clients. I put it up on GitHub for free so you can check it out and hopefully offer some feedback / criticism or contribute to the code yourself.
and BTW, I'm not trying to throw shade at any of the services mentioned, I'm just giving my honest experience in case there are others out there who feel the same way and want something that works
Cheers!","title":"Show HN: I just open sourced my document/website extractor for Vision-LLMs","updated_at":"2024-09-20T16:44:44Z","url":"https://github.com/emcf/thepipe"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"StephenWalther"},"story_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Hi HN \u2014 I built Superexpert.AI, an open\u2011source platform that lets you spin up multi\u2011task AI agents in minutes without writing any code (and lets you extend everything later).
What it does
- Plug\u2011and\u2011play agents \u2013 Create agents from a web form. Each agent can contain multiple tasks, and each task can run a different AI model, use its own tools, and follow custom instructions.
- First\u2011class extensibility \u2013 Register a TypeScript function with registerServerTool, registerClientTool, or registerContextTool to add new functionality. If you want to share it, publish it as an NPM package and Superexpert.AI will auto\u2011detect it when installed.
- Built\u2011in RAG \u2013 Upload docs via the UI, or use a CLI that chunks 100 MB files, auto\u2011resumes after network errors, auto-resumes after network errors (e.g. uploading a 500-page PDF manual) and pipes the data into your agent.
- Launch a full chat app in minutes \u2013 Everything is MIT\u2011licensed NextJS + TypeScript + Tailwind + Postgres. Deploy like any other NextJS project.
Links
- Walkthrough (no sign\u2011up): https://app.arcade.software/share/yGqgrj65xp6y4mkDbNnT
- Live demo (email sign\u2011up): https://demo.superexpert.ai/
- GitHub repo: https://github.com/Superexpert/superexpert-ai
- Quick\u2011start guide: https://superexpert.ai/docs/quick-start/
- Full docs & tutorials: https://superexpert.ai/
Why I built it
I kept hand\u2011coding LangGraph\u2011style workflows for clients and wanted a web\u2011first, stack\u2011agnostic way to launch agents fast and stay fully modifiable. Superexpert.AI lets you extend or swap every layer \u2014 from models to tools to UI themes \u2014 with TypeScript.
Looking for feedback
1. Agent use\u2011cases you still have to hand\u2011code today.
2. Gaps in the RAG flow or model tooling that block production use.
Discord for deeper chat: https://discord.gg/wsrc3enWN3
\u2013\u2013 Stephen"},"title":{"matchLevel":"none","matchedWords":[],"value":"Show HN: Superexpert.ai \u2013 Open-source, no-code platform for multi-task AI agents"},"url":{"matchLevel":"none","matchedWords":[],"value":"https://superexpert.ai/"}},"_tags":["story","author_StephenWalther","story_43905537","show_hn"],"author":"StephenWalther","children":[43905646],"created_at":"2025-05-06T14:27:18Z","created_at_i":1746541638,"num_comments":1,"objectID":"43905537","points":3,"story_id":43905537,"story_text":"Hi HN \u2014 I built Superexpert.AI, an open\u2011source platform that lets you spin up multi\u2011task AI agents in minutes without writing any code (and lets you extend everything later).
What it does
- Plug\u2011and\u2011play agents \u2013 Create agents from a web form. Each agent can contain multiple tasks, and each task can run a different AI model, use its own tools, and follow custom instructions.
- First\u2011class extensibility \u2013 Register a TypeScript function with registerServerTool, registerClientTool, or registerContextTool to add new functionality. If you want to share it, publish it as an NPM package and Superexpert.AI will auto\u2011detect it when installed.
- Built\u2011in RAG \u2013 Upload docs via the UI, or use a CLI that chunks 100 MB files, auto\u2011resumes after network errors, auto-resumes after network errors (e.g. uploading a 500-page PDF manual) and pipes the data into your agent.
- Launch a full chat app in minutes \u2013 Everything is MIT\u2011licensed NextJS + TypeScript + Tailwind + Postgres. Deploy like any other NextJS project.
Links
- Walkthrough (no sign\u2011up): https://app.arcade.software/share/yGqgrj65xp6y4mkDbNnT
- Live demo (email sign\u2011up): https://demo.superexpert.ai/
- GitHub repo: https://github.com/Superexpert/superexpert-ai
- Quick\u2011start guide: https://superexpert.ai/docs/quick-start/
- Full docs & tutorials: https://superexpert.ai/
Why I built it
I kept hand\u2011coding LangGraph\u2011style workflows for clients and wanted a web\u2011first, stack\u2011agnostic way to launch agents fast and stay fully modifiable. Superexpert.AI lets you extend or swap every layer \u2014 from models to tools to UI themes \u2014 with TypeScript.
Looking for feedback
1. Agent use\u2011cases you still have to hand\u2011code today.
2. Gaps in the RAG flow or model tooling that block production use.
Discord for deeper chat: https://discord.gg/wsrc3enWN3
\u2013\u2013 Stephen","title":"Show HN: Superexpert.ai \u2013 Open-source, no-code platform for multi-task AI agents","updated_at":"2025-05-07T06:24:49Z","url":"https://superexpert.ai/"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"ZeroAurora"},"story_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Once again I'm seeing an agent development platform in GitHub Trending. Dify, RAGFlow, Flowise, Sim, Coze, countless to name, yet implementing the exact same goal. And there are still more emerging.
It seems like anything AI can be a trending, despite their repetitive works."},"title":{"matchLevel":"none","matchedWords":[],"value":"Ask HN: Why are there always new agent platforms?"}},"_tags":["story","author_ZeroAurora","story_46578498","ask_hn"],"author":"ZeroAurora","children":[46580727],"created_at":"2026-01-11T18:49:46Z","created_at_i":1768157386,"num_comments":1,"objectID":"46578498","points":1,"story_id":46578498,"story_text":"Once again I'm seeing an agent development platform in GitHub Trending. Dify, RAGFlow, Flowise, Sim, Coze, countless to name, yet implementing the exact same goal. And there are still more emerging.
It seems like anything AI can be a trending, despite their repetitive works.","title":"Ask HN: Why are there always new agent platforms?","updated_at":"2026-03-05T23:21:24Z"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"Norcim133"},"comment_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Correct-ish. LlamaCloud and GroundX do everything up to retrieval. Here is an interactive graphic of major players along RAG flow: https://claude.ai/public/artifacts/b872435b-1d9c-461e-a29c-b..."},"story_title":{"matchLevel":"none","matchedWords":[],"value":"Ask HN: Who is doing the best Word/PDF RAG tool with deep research?"}},"_tags":["comment","author_Norcim133","story_44641721"],"author":"Norcim133","comment_text":"Correct-ish. LlamaCloud and GroundX do everything up to retrieval. Here is an interactive graphic of major players along RAG flow: https://claude.ai/public/artifacts/b872435b-1d9c-461e-a29c-b...","created_at":"2025-07-22T19:36:53Z","created_at_i":1753213013,"objectID":"44652021","parent_id":44642748,"story_id":44641721,"story_title":"Ask HN: Who is doing the best Word/PDF RAG tool with deep research?","updated_at":"2025-07-22T19:41:26Z"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"aliasmaya"},"comment_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Seems that you're looking for a RAG System, and you may have a try RAGFlow"},"story_title":{"matchLevel":"none","matchedWords":[],"value":"Is there a way to run an LLM as a better local search engine?"}},"_tags":["comment","author_aliasmaya","story_44307466"],"author":"aliasmaya","children":[44308682],"comment_text":"Seems that you're looking for a RAG System, and you may have a try RAGFlow","created_at":"2025-06-18T08:10:49Z","created_at_i":1750234249,"objectID":"44307724","parent_id":44307466,"story_id":44307466,"story_title":"Is there a way to run an LLM as a better local search engine?","updated_at":"2025-06-18T15:58:44Z"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"simple10"},"comment_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"Congrats on the launch! Looking forward to playing with it.
Do you mind elaborating on what differentiates Sim Studio from n8n, Flowise, RAGFlow and other open source flow based AI automation platforms?"},"story_title":{"matchLevel":"none","matchedWords":[],"value":"Show HN: Sim Studio \u2013 Open-Source Agent Workflow GUI"},"story_url":{"matchLevel":"none","matchedWords":[],"value":"https://github.com/simstudioai/sim"}},"_tags":["comment","author_simple10","story_43823096"],"author":"simple10","children":[43824445],"comment_text":"Congrats on the launch! Looking forward to playing with it.
Do you mind elaborating on what differentiates Sim Studio from n8n, Flowise, RAGFlow and other open source flow based AI automation platforms?","created_at":"2025-04-28T18:01:02Z","created_at_i":1745863262,"objectID":"43824178","parent_id":43823096,"story_id":43823096,"story_title":"Show HN: Sim Studio \u2013 Open-Source Agent Workflow GUI","story_url":"https://github.com/simstudioai/sim","updated_at":"2025-04-30T00:06:43Z"},{"_highlightResult":{"author":{"matchLevel":"none","matchedWords":[],"value":"yingfeng"},"comment_text":{"fullyHighlighted":false,"matchLevel":"full","matchedWords":["ragflow"],"value":"RAGFlow v0.17.0 now enables Agentic Reasoning for Deep Research, integrating any LLM \u2014 no RLM dependency required."},"story_title":{"matchLevel":"none","matchedWords":[],"value":"[dead]"}},"_tags":["comment","author_yingfeng","story_43253353"],"author":"yingfeng","comment_text":"RAGFlow v0.17.0 now enables Agentic Reasoning for Deep Research, integrating any LLM \u2014 no RLM dependency required.","created_at":"2025-03-04T11:43:52Z","created_at_i":1741088632,"objectID":"43253354","parent_id":43253353,"story_id":43253353,"story_title":"[dead]","updated_at":"2025-03-04T11:48:59Z"}],"hitsPerPage":20,"nbHits":3936,"nbPages":50,"page":0,"params":"query=ragflow&advancedSyntax=true&analyticsTags=backend","processingTimeMS":12,"processingTimingsMS":{"_request":{"queue":14,"roundTrip":22},"afterFetch":{"format":{"total":1},"merge":{"mergeLoop":{"prepareNextHit":5,"total":5},"total":5},"total":5},"fetch":{"query":5,"total":6},"total":12},"query":"ragflow","serverTimeMS":27}