Frequently asked questions
Short answers to common questions about how AppSecAI works, what it supports, and how to get started.
AppSecAI automates vulnerability triage and code remediation. We take the output from your existing SAST scanners, separate real vulnerabilities from false positives with 97% accuracy, and generate validated code fixes delivered as merge requests. You pay only for fixes that ship.
EFA generates production-ready code fixes for SAST findings with 93% accuracy. It takes triaged vulnerabilities, analyzes the codebase context, and delivers fixes as merge requests your developers can review and merge. Remediation that used to take hours takes minutes.
ETA classifies SAST findings as true positives or false positives with up to 97% accuracy. It works with your existing scanners and uses a combination of AI and deterministic techniques to eliminate the manual triage burden from your AppSec team.
No. AppSecAI works with your existing SAST scanners. We take their output, remove false positives, and generate fixes for the real vulnerabilities. We make your scanners more effective without replacing them.
Three things set us apart: 97% triage accuracy validated on open-source benchmarks (not marketing claims), scanner-agnostic design (works with every SAST tool you already own), and a pay-per-fix pricing model where you owe nothing if nothing gets fixed.
Upload your SARIF file and source code, and our AI starts analyzing your findings. Most teams have initial triage results within 30 minutes. You can use your own projects or one of our open-source test repositories.
All major scanners: Checkmarx, Fortify, Veracode, SonarQube, Snyk, CodeQL, Semgrep, Black Duck, Coverity, and more. Any tool that produces a SARIF, JSON, or CSV file works with AppSecAI.
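The common denominator across those scanners is SARIF 2.1.0, the JSON log format most of them can emit. The script below is an added example, not AppSecAI's code and not a description of how its ingestion works: it flattens a SARIF file into one record per finding (tool, rule, severity, file, line), resolving a result's severity from the rule's `defaultConfiguration` when the result itself omits `level`, and keeping project-level results that carry no location. The embedded SARIF document is constructed for the example; the tool names, rule IDs and file paths in it are illustrative.

```python
"""Flatten a SARIF 2.1.0 log into per-finding records (added example)."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample SARIF 2.1.0 log with two runs; not real scanner output.
# It deliberately includes a result with no "level" (so the rule's
# defaultConfiguration applies) and a result with no "locations".
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [
        {
            "tool": {"driver": {"name": "Semgrep", "rules": [
                {"id": "python.lang.security.audit.eval-detected",
                 "defaultConfiguration": {"level": "error"}}]}},
            "results": [
                {"ruleId": "python.lang.security.audit.eval-detected",
                 "message": {"text": "Detected use of eval()"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/views.py"},
                     "region": {"startLine": 42}}}]},
                {"ruleId": "python.lang.security.audit.hardcoded-secret",
                 "level": "warning",
                 "message": {"text": "Hardcoded secret"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/config.py"},
                     "region": {"startLine": 7}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "CodeQL"}},
            "results": [
                {"ruleId": "py/code-injection", "level": "error",
                 "message": {"text": "Code execution depends on a user-provided value."},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/views.py"},
                     "region": {"startLine": 42}}}]},
                {"ruleId": "py/missing-lockfile", "level": "note",
                 "message": {"text": "No lock file found"}},
            ],
        },
    ],
})


@dataclass(frozen=True)
class Finding:
    tool: str      # tool.driver.name of the run the result came from
    rule_id: str   # result.ruleId (or result.rule.id)
    level: str     # "error", "warning", "note" or "none"
    uri: str       # artifactLocation.uri; "" when the result has no location
    line: int      # region.startLine; 0 when unknown
    message: str


def load_findings(sarif_text: str) -> list[Finding]:
    """Parse a SARIF 2.1.0 document and return one Finding per result location."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got {doc.get('version')!r}")
    findings: list[Finding] = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        # A rule may declare its default level; a result that omits "level"
        # inherits it, and the spec's fallback is "warning".
        rule_levels = {
            rule["id"]: rule.get("defaultConfiguration", {}).get("level", "warning")
            for rule in driver.get("rules", []) if "id" in rule
        }
        for res in run.get("results", []):
            rule_id = res.get("ruleId") or res.get("rule", {}).get("id", "unknown")
            level = res.get("level") or rule_levels.get(rule_id, "warning")
            message = res.get("message", {}).get("text", "")
            # A missing or empty "locations" list still yields one record.
            for loc in res.get("locations") or [None]:
                phys = (loc or {}).get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = int(phys.get("region", {}).get("startLine", 0))
                findings.append(Finding(tool, rule_id, level, uri, line, message))
    return findings


def count_by_level(findings: list[Finding]) -> dict[str, int]:
    """Severity histogram, e.g. {"error": 2, "warning": 1, "note": 1}."""
    return dict(Counter(f.level for f in findings))


def group_by_file(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Findings keyed by file URI; location-less results land under ""."""
    groups: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        groups[f.uri].append(f)
    return dict(groups)


if __name__ == "__main__":
    for f in load_findings(SAMPLE_SARIF):
        print(f"{f.tool:8} {f.level:8} {f.uri or '<no location>'}:{f.line}  {f.rule_id}")
```

Two things worth checking before uploading real output: results whose severity only exists in the rule table (common for Semgrep and CodeQL) must not all collapse to "warning", and results without a location (dependency or configuration findings) should survive rather than be silently dropped, since a triage step later has to decide what to do with them.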
No. AppSecAI enhances existing SAST tools — it does not replace them. You need scanner output (findings) for AppSecAI to triage and fix.
Java, C#, .NET, Python, and JavaScript today. We add new languages based on customer demand — often within a week. If you need a specific language, ask us.
The enterprise edition has no size limits. For trial/analyst editions, be reasonable with project size. Contact us if you have an exceptionally large codebase and we can discuss your setup.
AppSecAI pulls security scan results from your repository, triages them, and pushes validated findings back as issues or PR comments. Fixes are delivered as merge requests in your existing workflow.
All infrastructure is US-based. We do not use your data to train our AI models. You retain full ownership and control. Data is automatically deleted within two weeks by default.
We use a range of models that change over time based on accuracy and compliance testing. If you need specific models for your compliance requirements, contact us.
Yes. AppSecAI can be deployed in our SaaS cloud, your private cloud, or with locally hosted LLMs.
$250 per fixed vulnerability. Triage is included free. You pay only for fixes your team accepts and merges. Nothing fixed, nothing owed. See our pricing page for details.
Yes. We support open-source initiatives and non-profits. Email automation@appsecai.io for eligibility details.
Still have questions?
Our team can walk you through a live demo with your own findings. 30 minutes, no slides.
Schedule a Demo →