New autonomous agents prevent vulnerabilities by securing code before itโs submitted
AI is generating code faster than teams can review it. Checkmarx, the leader in agentic application security, addressed that gap by introducing self-healing application security: autonomous agents that detect, fix, and verify vulnerabilities as developers code.
Key Takeaways
- Developer Assist now runs a continuous find-and-fix loop directly in AI coding tools through hooks, catching and fixing vulnerabilities as code is written with up to 70% less manual remediation effort.
- Triage and Remediation agents autonomously prioritize whatโs already in the codebase and generate merge-ready fixes, cutting manual triage and accelerating developer productivity.
Closing the Loop from Code to Backlog
According to Checkmarx’s 2026 Future of Application Security report, 96% of developers now use AI coding tools, but only 18% apply security continuously as they write code, a gap autonomous remediation is designed to close.
In a study Checkmarx commissioned from independent researcher The Weather Report, published in July 2026, frontier models produced working code 83% to 95% of the time, but only 24% to 36% of that code was both secure and functional. Even a post-hoc security review lifted the secure-and-functional rate to only 47% to 56%, underscoring the gap that autonomous remediation is built to close.
“Security teams have spent a decade trying to keep pace with how fast code gets written, and AI just moved that goalpost again,” said Harshil Parikh, VP of Product Management at Checkmarx. “The only way to close that gap is to stop treating detection and remediation as separate steps handled by separate tools and let the system fix what it finds.”
“The goal is prevention โ creating a continuous flow of clean code from the start and autonomous fixes before code reaches production,” said Jonathan Rende, chief product officer at Checkmarx. “With autonomous remediation, fixes are applied while developers are still writing code, before itโs ever checked in, and whatโs in the pipeline gets prioritized and expedited without having to think about it.”
Also Read:ย CIO Influence Interview with Hugo Dozois-Caouette, CTO and Co-founder at MaintainX
Developer Assist now works as a single remediation loop pre-commit. While the IDE, it runs autonomously through hooks and MCP. It detects a vulnerability, retrieves context from Checkmarx One, generates a fix and verifies it before code is committed. Developers using IDEs like Cursor, Windsurf or Kiro or a command-line interface (CLI) with LLMs like Claude Code can get the same autonomous loop without switching tools.
Once code reaches the backlog, Triage and Remediation agents take over. They isolate exploitable risk from severity noise using real-world reachability, what Checkmarx calls attackability, then generate merge-ready pull requests for the vulnerabilities that matter. Developers review and merge each fix; AppSec retains policy control and full traceability over every automated decision.
Validated in Production at PatientPoint
PatientPoint, a long-time Checkmarx customer in the healthcare technology space, has been an early user of Remediation Assist. Facing a growing vulnerability backlog as AI-assisted development accelerated the pace of code changes, the company’s application security team used the agent to translate a large volume of findings to a small number of merge-ready pull requests for developers.
“Triage and Remediation Assist agents identified false positives and gave our developers the chance to review before merging; that’s exactly what we wanted,” said Femi Oyesanya, application security engineer at PatientPoint. “Our priority is to protect patient data, and this lets us do that without slowing developer productivity or driving up token costs.”
Catch more CIO Insights:ย What Does โJob-Readyโ Really Mean in IT and Cybersecurity?
[To share your insights with us, please write toย psen@itechseries.com ]

