CIO Influence

Semgrep Announces the Private Beta of AI-Powered Detection to Uncover Business Logic Vulnerabilities

Semgrep, a leading application security platform, announced the launch of a private beta for AI-powered detection that augments its popular static application security testing (SAST) engine. Participants in the private beta can use Semgrep’s AI-powered detection to uncover the types of business logic vulnerabilities, such as broken authentication and insecure direct object references (IDORs), that can lead to high-profile security breaches.

Business logic flaws differ from the types of vulnerabilities such as SQL injection or cross-site scripting that organizations have historically used SAST tools to resolve. According to recent bug bounty data, broken access control vulnerabilities, including IDORs and authorization issues, now account for roughly half (49%) of all high and critical severity findings. These flaws require understanding developer intent and application context, which traditional SAST approaches were not designed to detect reliably without significant customization.

“Most of our high-severity responsible disclosure findings involve authorization logic flaws. Semgrep’s AI-powered detection now identifies those automatically, giving us the benefit of an internal researcher integrated right into our CI pipeline,” says Minh Nghiem, Senior Security Engineer at Homebase.

Addressing Critical Security Challenges
AI-powered detection addresses three converging challenges facing modern security teams. For security engineers, business logic vulnerabilities like IDORs increasingly dominate bug bounty programs and penetration testing findings, yet most teams lack effective tools to detect them before production. For developers, AI-assisted coding tools accelerate development but introduce new security risks that existing scanners can’t assess accurately, creating friction between velocity and security. Security leaders are looking for demonstrable AI capabilities that deliver measurable security improvements while maintaining governance and compliance requirements.

While large language models (LLMs) have shown promise in many areas, they lack the reliability required for code security. To address this, Semgrep applies a hybrid system that combines the contextual reasoning of LLMs with traditional SAST capabilities (rules, policies, and guardrails) that enforce a level of predictability. By drawing on the complementary strengths of both approaches, the system delivers high-fidelity, actionable findings across vulnerability classes with minimal false positives.

“AI is transforming the way we approach code security, and Semgrep is at the forefront of that shift,” said Isaac Evans, CEO and Co-Founder at Semgrep. “With AI built into Semgrep, every improvement in large language models translates into exponential gains for our customers. Our hybrid approach delivers compounding results that go beyond what LLM-only systems can achieve.”

Early Results From Alpha Program
Semgrep’s alpha program, with design partners scanning private repositories, demonstrated AI-powered detection’s effectiveness across multiple dimensions.

  • Roughly 80% of participating customers discovered at least one critical or severe IDOR.
  • In comparative testing, Semgrep’s AI-powered detection achieved 1.9 times better recall on IDOR detection compared to standalone AI coding assistants like Claude Code.
  • When tested on traditional vulnerability detection, pure LLM approaches showed 95-100% false positive rates for SQL injection detection, demonstrating why hybrid approaches combining deterministic analysis with AI reasoning are necessary for reliable security coverage.

AI-Powered Detection Availability
The AI-powered detection private beta is available now to select Semgrep customers. Interested organizations can sign up for the early access waitlist. Spots are limited.
