Frequently Asked Questions

Snappy answers to common questions about AppSecAI and Expert Triage Automation (ETA)

Less is more. As Blaise Pascal wrote (in a line often attributed to Mark Twain), "I didn't have time to write a short letter, so I wrote a long one instead." We focus on giving you what you need, quickly and clearly.

AppSecAI is an AI-first application security company. Our mission is to build effective application security solutions that work FOR you by amplifying your skills at scale. 

We currently have two products: 

  • Expert Triage Automation (ETA), which is available now. ETA accurately removes false-positive noise from SAST scanner output, eliminating a costly and time-consuming manual process.
  • Expert Fix Automation (EFA), which is in beta (sign up here). EFA provides validated code fixes for common vulnerabilities.

In other words, AppSecAI is here to make you an AppSec hero.

AppSecAI Expert Triage Automation (ETA) is an AI-driven tool that automates the triage of Static Application Security Testing (SAST) findings. ETA complements and integrates with existing SAST tools to filter out false positives and document true vulnerabilities with up to 97% accuracy, saving you time and supercharging your productivity.

Triage less.  Secure more.

No.

AppSecAI Expert Triage Automation (ETA) improves static code scanners by automatically removing false positives from their notoriously noisy findings. Even better, it improves true positives with repo-aware, dev-ready guidance and code suggestions. It does this automatically, in hours rather than weeks and with no experts required, saving tens of thousands of dollars of manual triage per SAST scan.

ETA takes the output from your SAST scanner as input. It analyzes each vulnerability finding against the application's source code, using highly tuned LLM technology to identify false positives, and then writes the results back out in the same file format it received.

ETA can also seamlessly integrate with CI/CD tooling, vulnerability management systems, and more.

Security teams are overwhelmed with false positives from SAST scanners, which require extensive and tedious manual review. ETA virtually eliminates this burden by automating the triage process, helping you:

  • Dramatically reduce or eliminate time spent on manual triage.
  • Improve developer efficiency by removing false positives they shouldn't "fix."
  • Speed downstream fixes with guidance customized to the code base.
  • Scale application security assessment and risk reduction efforts across the entire enterprise by removing manual triage bottlenecks.

AppSecAI Expert Triage Automation (ETA) stands out because it is:

• Accurate: up to 97% triage accuracy, validated against benchmarks.

• SAST scanner agnostic: improves the performance of the scanners you already own.

• Dev-ready: provides guidance that enhances understanding and speeds resolution.

• Seamless: integrates into existing operations and workflows.

As a company, we stand out because our focus is on providing real value to application security professionals first. We are as frustrated as you are with tooling that creates more work than it resolves. AI gives us all the opportunity to flip that equation on its head for everyone's benefit.

Getting Started with Expert Triage Automation (ETA)

Getting started with ETA is simple. Sign up for our free AppSec Analyst Edition, upload your SARIF file and source code, and our AI will begin analyzing your findings. The video on the Getting Started page shows the process and results.

We support all major SAST scanners including Checkmarx, Fortify, SonarQube, Coverity, Veracode, CodeQL, and many more. Any tool that can produce a SARIF, JSON, or CSV file can be used with ETA.

No, AppSecAI (ETA) is not a SAST scanner—it enhances existing SAST solutions by eliminating false positives and verifying true vulnerabilities.

We currently support Java, Python, and JavaScript. Additional languages will be added based on customer demand.  Ask us!

Results are available within 24 hours for users of the AppSec Analyst Edition. Enterprise customers receive results more quickly.

Product & Features

Today, we offer AppSecAI Expert Triage Automation (ETA). We are working on Expert Fix Automation (EFA) to provide validated and reliable remediation.

Please contact us at automation@appsecai.io if you are interested in participating in the beta program for EFA. Also see the EFA page on our website for more details.

AppSecAI is designed to handle codebases of various sizes. The free Analyst Edition has size limits; the general rule there is to be reasonable: don't try to do the entire Internet! For exceptionally large projects, please contact us to discuss your specific needs.

The Enterprise Edition does not have any size limits.

Let's be real—don't upload the Linux OS! The AppSec Analyst Edition supports:

• Max findings: 10,000 findings per report.

• Max project size: 10 MB of uncompressed source code.

If you have a larger codebase, please contact us at automation@appsecai.io. We still might process it for free!
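If you want to know whether an upload will fit before you send it, the following pre-flight check is an added example (it is not AppSecAI's code and says nothing about how ETA itself works). It assumes only the public SARIF 2.1.0 layout (results live under runs[].results[]) and the two Analyst Edition limits stated above; it treats the 10 MB limit as 10 binary megabytes, which is an assumption. The SARIF log and source tree embedded in it are constructed for illustration, not real scanner output.

```python
"""Pre-upload check against the AppSec Analyst Edition limits.

Added example, not AppSecAI's code. Assumes only the SARIF 2.1.0 layout
(runs[].results[]) and the two limits stated on the FAQ page:
10,000 findings per report and 10 MB of uncompressed source.
"""
import json
import os
from collections import Counter
from pathlib import Path

MAX_FINDINGS = 10_000                # per report, per the FAQ
MAX_SOURCE_BYTES = 10 * 1024 * 1024  # "10MB uncompressed"; binary MB is an assumption


def load_sarif(path: str) -> dict:
    """Read a SARIF log from disk (SARIF is plain JSON)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def count_sarif_findings(sarif: dict) -> dict:
    """Count results across every run in a SARIF 2.1.0 log.

    Returns the total plus per-tool and per-level breakdowns so you can see
    what you are about to upload. Multiple runs (e.g. several scanners merged
    into one log) are all counted against the per-report limit.
    """
    total = 0
    per_tool: Counter = Counter()
    per_level: Counter = Counter()
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        results = run.get("results", [])
        total += len(results)
        per_tool[tool] += len(results)
        for result in results:
            # SARIF treats a missing "level" as "warning" (ignoring any
            # per-rule defaultConfiguration, which this check does not consult)
            per_level[result.get("level", "warning")] += 1
    return {"total": total, "per_tool": dict(per_tool), "per_level": dict(per_level)}


def source_tree_bytes(files: dict) -> int:
    """Uncompressed size of an in-memory source tree {relative path: bytes}."""
    return sum(len(content) for content in files.values())


def source_dir_bytes(root, skip_dirs=(".git", "node_modules", "venv", "__pycache__")) -> int:
    """Uncompressed size of a source directory on disk.

    Vendored dependencies and VCS metadata are skipped: they would eat the
    10 MB budget without adding anything a triage of your own code needs.
    """
    total = 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            total += (Path(dirpath) / name).stat().st_size
    return total


def preflight(sarif: dict, source_bytes: int) -> list:
    """Return the Analyst Edition limits this upload would exceed (empty if none)."""
    problems = []
    summary = count_sarif_findings(sarif)
    if summary["total"] > MAX_FINDINGS:
        problems.append(f"{summary['total']} findings exceeds the {MAX_FINDINGS} per-report limit")
    if source_bytes > MAX_SOURCE_BYTES:
        problems.append(f"{source_bytes} bytes of source exceeds the {MAX_SOURCE_BYTES} byte limit")
    return problems


# Constructed sample SARIF log (two runs, three results); not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "ExampleSAST"}},
            "results": [
                {"ruleId": "sql-injection", "level": "error",
                 "message": {"text": "Tainted value reaches query"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/db.py"},
                     "region": {"startLine": 42}}}]},
                {"ruleId": "weak-hash", "level": "warning",
                 "message": {"text": "MD5 used for password hashing"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/auth.py"},
                     "region": {"startLine": 7}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "OtherSAST"}},
            # no "level" here: counted as "warning" per the SARIF default
            "results": [{"ruleId": "xss", "message": {"text": "Unescaped output"}}],
        },
    ],
}

# Constructed in-memory source tree: 2,000 bytes total.
SAMPLE_SOURCE = {"app/db.py": b"x" * 1200, "app/auth.py": b"y" * 800}

if __name__ == "__main__":
    print(json.dumps(count_sarif_findings(SAMPLE_SARIF), indent=2))
    print(preflight(SAMPLE_SARIF, source_tree_bytes(SAMPLE_SOURCE)) or "within Analyst Edition limits")
```

For a real project, pass the result of load_sarif("scan.sarif") and source_dir_bytes("path/to/repo") to preflight; a non-empty list tells you which limit to raise with automation@appsecai.io before uploading.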

GitHub integration automatically pulls security scan results, triages them, and pushes validated findings back to your repository as issues or PR comments. It works the same way you would, triaging and labeling vulnerabilities so they can be managed seamlessly within your existing application delivery processes.

Yes. AppSecAI Expert Triage Automation provides dev-ready guidance (and sometimes custom code-specific suggestions) that helps speed remediation. ETA also provides detailed documented reasoning on how the specific vulnerability was classified.

At AppSecAI, safeguarding your data is our highest priority. Our approach to security and privacy is designed to ensure transparency, control, and protection for all our users.

* US-Based Infrastructure: All our AI models and processing are hosted within the United States, ensuring compliance with strict security and regulatory standards.

* No Data Training: We do not use your data to train or refine our AI models. Your information remains separate and is never incorporated into our systems.

* Data Privacy: You retain full ownership and control over your data at all times. We do not access, share, or store it beyond what is necessary for processing.

* Automatic Data Deletion: By default, we automatically delete all uploaded data within two weeks unless you explicitly request extended retention.

If you have any questions about our security practices or require a customized data retention policy, please contact us at security@appsecai.io.

Not all AI models are created equal. We use a range of models that varies over time, depending on their performance on the task and their compliance with our own strict security requirements.

Please contact us if you need to use specific models for compliance or security reasons.

We use proven open-source benchmarks and proprietary validation techniques to ensure high expected accuracy (up to 97%) in triage results.

Yes, AppSecAI ETA is flexible and can be deployed in both cloud-based and on-premises environments to suit your organization's infrastructure and security requirements. It can even use your locally hosted LLMs.

We like simple. That's why we offer the AppSec Analyst Edition for free, and an Enterprise Edition that is priced based on the size of your organization.

A unique feature of our pricing model is that we sell enterprise-wide licenses only. We do not charge by number of applications, lines of code, or number of developers. We want you to use ETA as much as possible. Licensing should not get in the way.

Yes. We contribute to and support open-source initiatives and non-profits. Email us at automation@appsecai.io for eligibility details.

Still have questions?