Checkmarx announced a significant upgrade to its static application security testing (SAST) technology with the introduction of a hybrid scanning engine built for the AI era. The new engine merges deterministic rules-based methods with an advanced large language model (LLM) and a proprietary Finding Analysis Engine (FAE) designed to minimize false positives, a major challenge for AI-based detection in particular.
The hybrid engine is integrated into the Checkmarx One platform and aims to deliver a more precise and comprehensive security scan by combining traditional, programming-language-specific vulnerability identification with AI-driven probabilistic analysis. The FAE plays a critical role by filtering out inaccurate vulnerability flags, enabling security teams to focus on significant risks rather than sifting through excessive false alarms.
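To make the two-stage idea concrete, here is an added toy pipeline written for this article; it is not Checkmarx's engine or any part of the Checkmarx One platform. Stage 1 is a deterministic, language-specific rule that flags every call to a shell-command sink in Python source. Stage 2 plays the role of a finding analysis engine: it re-examines each rule hit using argument provenance (constant, sanitized, or derived from other data) and demotes hits that the rule alone cannot tell apart from real injection. A product would use a model or reasoning engine where this example uses simple AST heuristics. The sample program, its `request_arg` helper and the rule identifiers are constructed for the illustration.

```python
"""Toy hybrid SAST pipeline: a deterministic rule stage followed by a
finding-analysis stage that lowers confidence on likely false positives.
Constructed illustration only; not Checkmarx code."""
import ast
from dataclasses import dataclass, field

# Shell-command sinks the deterministic rule recognises: (module, attr) -> rule id.
# The rule ids are made up for this example.
SINKS = {("os", "system"): "CMD-001", ("subprocess", "call"): "CMD-002"}
# Calls the analysis stage treats as sanitizing a shell argument.
SANITIZERS = {("shlex", "quote")}


@dataclass
class Finding:
    rule: str
    line: int
    sink: str
    node: ast.Call                      # the flagged call, kept for stage 2
    confidence: str = "unscored"        # set by the analysis stage
    reasons: list = field(default_factory=list)


def _qualname(node):
    """Return (module, attr) for an attribute reference like os.system, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def rule_stage(source: str) -> list:
    """Stage 1: deterministic pattern match.
    Flags every call to a known sink regardless of where its argument came from."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            q = _qualname(node.func)
            if q in SINKS:
                findings.append(Finding(SINKS[q], node.lineno, ".".join(q), node))
    findings.sort(key=lambda f: f.line)
    return findings


def _assigned_values(tree):
    """Map simple variable names to the expression most recently assigned to them."""
    env = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            env[node.targets[0].id] = node.value
    return env


def _is_safe(expr, env, depth=0):
    """Heuristic provenance check: a constant, a sanitizer call, an f-string whose
    interpolations are all safe, or a variable bound to one of those."""
    if depth > 5:
        return False
    if isinstance(expr, ast.Constant):
        return True
    if isinstance(expr, ast.Call) and _qualname(expr.func) in SANITIZERS:
        return True
    if isinstance(expr, ast.JoinedStr):
        return all(_is_safe(v.value, env, depth + 1)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.Name) and expr.id in env:
        return _is_safe(env[expr.id], env, depth + 1)
    return False


def analysis_stage(source: str, findings: list) -> list:
    """Stage 2: finding analysis. Scores each rule hit by argument provenance."""
    env = _assigned_values(ast.parse(source))
    for f in findings:
        arg = f.node.args[0] if f.node.args else None
        if arg is None:
            f.confidence, reason = "low", "no command argument"
        elif _is_safe(arg, env):
            f.confidence, reason = "low", "argument is constant or sanitized"
        else:
            f.confidence, reason = "high", "argument derived from non-constant data"
        f.reasons.append(reason)
    return findings


def hybrid_scan(source: str) -> list:
    """Run both stages and keep only findings that still merit developer action."""
    scored = analysis_stage(source, rule_stage(source))
    return [f for f in scored if f.confidence == "high"]


# Constructed sample program under test; request_arg is a hypothetical helper.
SAMPLE = """\
import os, shlex, subprocess
path = request_arg("path")               # stand-in for untrusted input
os.system("ls " + path)                  # line 3: unsanitized, keep
os.system(f"ls {shlex.quote(path)}")     # line 4: sanitized, demote
subprocess.call("uptime", shell=True)    # line 5: constant command, demote
"""

if __name__ == "__main__":
    for f in analysis_stage(SAMPLE, rule_stage(SAMPLE)):
        print(f"{f.rule} line {f.line} {f.sink}: {f.confidence} ({'; '.join(f.reasons)})")
    print("actionable:", [f.line for f in hybrid_scan(SAMPLE)])
```

On the sample, the rule stage alone reports three findings; the analysis stage keeps only line 3 as high confidence, which is the filtering behaviour the article attributes to the FAE. The design point worth noting is that the second stage never discards the rule hits, it re-scores them, so the deterministic evidence remains available for audit.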
Traditionally, SAST tools scan source code to detect security flaws before compilation, giving developers targeted insights to mitigate vulnerabilities early in the software lifecycle. In contrast, LLMs extend detection beyond language constraints, identifying potential issues post-compilation regardless of the programming language used. Checkmarx's hybrid approach brings these complementary strengths together, simplifying vulnerability management and raising the overall security quality of deployed applications.
Moreover, the enhanced SAST engine shares its findings with dynamic application security testing (DAST) components within the Checkmarx platform. This synergy helps security teams trace the root cause of vulnerabilities detected during runtime, fostering a continuous security feedback loop from development through production.
This innovation responds to a surge in software vulnerabilities driven by the rise of AI-assisted coding tools. According to a recent Checkmarx survey, a majority of respondents reported an uptick in discovered vulnerabilities since adopting AI in development, with nearly a third calling the increase significant. The shift signals growing complexity in the application security landscape, where traditional rule-based scanners alone struggle to keep pace with AI-generated code.
Industry experts highlight that combining deterministic scanning with reasoning engines marks a pivotal change in vulnerability detection. By moving from mere pattern matching to evaluating which findings truly require developer action, the hybrid engine enables more effective prioritization and remediation. DevSecOps teams are expected to place increasing value on tools’ ability to assess exploitability and direct focus toward real security threats rather than noise.