Frequently Asked Questions
Snappy answers to common questions about AppSecAI and Expert Triage Automation (ETA)
General Questions
Why is your website so simple?
Less is more. As Mark Twain said, "I didn't have time to write a short letter, so I wrote a long one instead." We focus on giving you what you need, quickly and clearly.
What is AppSecAI?
AppSecAI is an AI-first application security company. Our mission is to build effective application security solutions that work FOR you by amplifying your skills at scale.
We currently have two products:
- Expert Triage Automation (ETA), which is available now. ETA accurately eliminates the costly and time-consuming process of removing false-positive noise from SAST scanners.
- Expert Fix Automation (EFA), which is in beta (sign up here). EFA provides validated code fixes for common vulnerabilities.
In other words, AppSecAI is here to make you an AppSec hero.
What is AppSecAI Expert Triage Automation (ETA) and how does it work?
AppSecAI Expert Triage Automation (ETA) is an AI-driven tool that automates the triage of Static Application Security Testing (SAST) findings. ETA complements and integrates with existing SAST tools to filter out false positives and document true vulnerabilities with up to 97% accuracy, saving you time and supercharging your productivity.
Triage less. Secure more.
Is AppSecAI ETA a SAST Tool?
No.
AppSecAI Expert Triage Automation (ETA) improves static code scanners by automatically removing false positives from their notoriously noisy findings. Even better, it improves true positives with repo-aware dev-ready guidance and code suggestions. It does this automatically—in hours, not weeks, with no experts required—saving tens of thousands of dollars of manual triaging tedium per SAST scan.
ETA simply takes the output file from your SAST scanner. It then analyzes the vulnerability findings in that file, using your application code and highly tuned LLM technology to identify false positives. Finally, it outputs the results in the same file format in which they were received.
ETA can also seamlessly integrate with CI/CD tooling, vulnerability management systems, and more.
Why is AppSecAI ETA important?
Security teams are overwhelmed with false positives from SAST scanners, which require extensive and tedious manual review. ETA virtually eliminates this burden by automating the triage process, helping you:
- Dramatically reduce or eliminate time spent on manual triage.
- Improve developer efficiency by removing false positives they shouldn't "fix."
- Speed downstream fixes with guidance customized to the code base.
- Scale application security assessment and risk reduction efforts across the entire enterprise by removing manual triage bottlenecks.
How are you different from other solutions?
AppSecAI Expert Triage Automation (ETA) stands out because it is:
• Accurate: up to 97% benchmark-validated triage accuracy.
• SAST scanner agnostic: improves the performance of the scanners you already own.
• Dev-ready guidance: provides insights that enhance understanding and speed resolution.
• Seamless: integrates into existing operations and workflows.
As a company, we stand out because our focus is on providing real value to application security professionals first. We are as frustrated as you are with tooling that creates more work than it resolves. AI gives us all the opportunity to flip that equation on its head for everyone's benefit.
Getting Started with Expert Triage Automation (ETA)
How do I start using Expert Triage Automation?
Getting started with ETA is simple. Sign up for our free AppSec Analyst Edition, upload your SARIF file and source code, and our AI will begin analyzing your findings. The video on the Getting Started page shows the process and results.
What SAST scanners does ETA support?
We support all major SAST scanners including Checkmarx, Fortify, SonarQube, Coverity, Veracode, CodeQL, and many more. Any tool that can produce a SARIF, JSON, or CSV file can be used with ETA.
Can I use AppSecAI without a SAST scanner?
No, AppSecAI (ETA) is not a SAST scanner—it enhances existing SAST solutions by eliminating false positives and verifying true vulnerabilities.
What programming languages does ETA support?
We currently support Java, Python, and JavaScript. Additional languages will be added based on customer demand. Ask us!
How long does it take to get results?
Results are available within 24 hours for users of the AppSec Analyst Edition. Enterprise customers receive results more quickly.
Product & Features
Does AppSecAI provide automated vulnerability remediation or just triage?
Today, we offer AppSecAI Expert Triage Automation (ETA). We are working on Expert Fix Automation (EFA) to provide validated and reliable remediation.
Please contact us at automation@appsecai.io if you are interested in participating in the beta program for EFA. Also see the EFA page on our website for more details.
What programming languages do you support?
We currently support Java, Python, and JavaScript. Additional languages will be added based on customer demand.
What SAST tools do you support?
We support all major SAST tools including Checkmarx, Fortify, SonarQube, Coverity, Veracode, CodeQL and many more. Any tool that can produce a SARIF, JSON or CSV file can be used with ETA.
Is there a limit to the size of the codebase that AppSecAI can analyze?
AppSecAI is designed to handle codebases of various sizes. The free Analyst Edition has size limits; the general rule there is to be reasonable: don't try to process the entire Internet! For exceptionally large projects, please contact us to discuss your specific needs.
The Enterprise Edition does not have any size limits.
What are the limits of the AppSec Analyst Edition?
Let's be real—don't upload the Linux OS! The AppSec Analyst Edition supports:
• Max findings: 10,000 findings per report.
• Max source code size: 10 MB uncompressed.
If you have a larger codebase, please contact us at automation@appsecai.io. We still might process it for free!
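The two points above, the scanner-file round trip described under "Is AppSecAI ETA a SAST Tool?" and the Analyst Edition limits just listed, as an added illustration that is not AppSecAI's own code: it reads a constructed SARIF 2.1.0 log, checks it against the stated limits before upload, records a triage decision with SARIF's standard suppressions object (an assumption about how a decision could be recorded; the page does not say how ETA marks results), and writes the file back in the same format.

```python
import json

# Analyst Edition limits stated in the FAQ: 10,000 findings per report, 10 MB of source.
MAX_FINDINGS = 10_000
MAX_SOURCE_BYTES = 10 * 1024 * 1024

# Constructed SARIF 2.1.0 log with two findings; rule ids and paths are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner"}},
        "results": [
            {"ruleId": "java/sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Dao.java"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "java/path-injection", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Files.java"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
}

def count_findings(log: dict) -> int:
    """Total results across all runs in a SARIF log."""
    return sum(len(run.get("results", [])) for run in log.get("runs", []))

def within_analyst_limits(log: dict, source_bytes: int) -> bool:
    """Pre-upload check of a report against the Analyst Edition limits."""
    return count_findings(log) <= MAX_FINDINGS and source_bytes <= MAX_SOURCE_BYTES

def mark_false_positive(log: dict, rule_id: str, uri: str, justification: str) -> dict:
    """Record a triage decision on the matching result via the SARIF 'suppressions'
    array (kind 'external', status 'accepted'), keeping the file valid SARIF."""
    for run in log["runs"]:
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            if result["ruleId"] == rule_id and loc == uri:
                result["suppressions"] = [{"kind": "external", "status": "accepted",
                                           "justification": justification}]
    return log

def open_findings(log: dict) -> list:
    """Results with no accepted suppression, i.e. the ones developers still need to fix."""
    return [r for run in log["runs"] for r in run.get("results", [])
            if not any(s.get("status") == "accepted" for s in r.get("suppressions", []))]

def round_trip(log: dict) -> dict:
    """Serialize and reload: the output stays in the format the scanner produced."""
    return json.loads(json.dumps(log))
```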
How long does it take to get results from ETA Analyst Edition?
Results are available within 24 hours for the AppSec Analyst Edition. Enterprise customers receive results more quickly.
How does your GitHub integration work?
GitHub integration automatically pulls security scan results, triages them, and pushes validated findings back to your repository as issues or PR comments. It works the same way you would, triaging and coloring vulnerabilities so they can be managed seamlessly within your existing application delivery processes.
Does AppSecAI ETA provide remediation guidance?
Yes. AppSecAI Expert Triage Automation provides dev-ready guidance (and sometimes custom code-specific suggestions) that helps speed remediation. ETA also provides detailed documented reasoning on how the specific vulnerability was classified.
Security & AI
How does AppSecAI assure strict data security?
At AppSecAI, safeguarding your data is our highest priority. Our approach to security and privacy is designed to ensure transparency, control, and protection for all our users.
* US-Based Infrastructure: All our AI models and processing are hosted within the United States, ensuring compliance with strict security and regulatory standards.
* No Data Training: We do not use your data to train or refine our AI models. Your information remains separate and is never incorporated into our systems.
* Data Privacy: You retain full ownership and control over your data at all times. We do not access, share, or store it beyond what is necessary for processing.
* Automatic Data Deletion: By default, we automatically delete all uploaded data within two weeks unless you explicitly request extended retention.
If you have any questions about our security practices or require a customized data retention policy, please contact us at security@appsecai.io.
What AI models do you use?
Not all AI models are created equal. We use a range of models that varies over time, depending on their performance on the task and their compliance with our own strict security requirements.
Please contact us if you need specific models used for compliance or security reasons.
How does AppSecAI ensure AI accuracy?
We use proven open-source benchmarks and proprietary validation techniques to ensure high expected accuracy (97%) in triage results.
Can AppSecAI ETA be used in both cloud-based and on-premises environments?
Yes, AppSecAI ETA is flexible and can be deployed in both cloud-based and on-premises environments to suit your organization's infrastructure and security requirements. It can even use your locally hosted LLMs.
Pricing & Licensing
What is your pricing model?
We like simple. That's why we offer an AppSec Analyst version for free, and an Enterprise edition that is priced based on the size of your organization.
A unique feature of our pricing model is that we sell enterprise-wide licenses only. We do not charge by number of applications, lines of code, or number of developers. We want you to use ETA as much as possible. Licensing should not get in the way.
Do you offer discounts for startups or open-source projects?
Yes. We contribute to and support open-source initiatives and non-profits. Email us at automation@appsecai.io for eligibility details.