The novelty of this workflow relies on the self-learning processes that allow the system to not only identify similar situations and apply the best solution, but also to automatically adapt to new cases based on the interaction between all of the security roles that work together to reinforce each other’s knowledge and actions.
The Power of Mixology: Combining LLMs and SAST
Given a code repository, the Vulnerability AI agent is responsible for finding vulnerabilities in the received source code or in the pull request updates of an application. With each new scan, the agent selects one or more SAST tools that fit the target application, based on the information it obtains from README files and from previous knowledge of similar cases.
The Vulnerability AI agent then initiates a comprehensive scan of the source code, leveraging custom rules for the SAST tool(s) to identify potential security weaknesses. This process is facilitated through collaboration with the Patching AI agent and the Red Teaming AI agent, which assist in generating security unit tests and validating vulnerabilities through exploitation.
Upon completing the vulnerability scan and validation processes, the Vulnerability AI agent refines its knowledge base by assessing the validity of identified vulnerabilities and evaluating the accuracy of SAST tools for specific application types. This refined understanding enables the AI agent to generate highly effective patches that address the disclosed vulnerabilities.
There is considerable manual effort required to discover and address a pre-release code vulnerability. When any SAST alert is reviewed, the codebase is then opened to validate the issue, a fix is made, a pull request is made for the code, and it is then merged. With our approach, the time required for this process in our testing environment is reduced by approximately 90%.
Combining LLMs and SAST tools in a loop process, with the LLM interpreting README files and SAST tool output, enables continuous improvement of the AI agent’s capabilities in detecting and mitigating security threats.
AI-Powered Validation Through Exploitation
Our Red Teaming AI agent is a guardian of our security’s unseen vulnerabilities. With “instincts” honed from past experiences and training on retrieval-augmented generation (RAG) systems, this technology identifies and validates vulnerabilities through exploitation, and then uses its expertise to uncover new weaknesses that might have been hiding in plain sight. The results are used to refine and optimize our multi-AI agent approach with fine-tuning processes.
This agent’s LLM has contextual data from the Vulnerability role that allows it to generate an exploitation code and start the application by reading the configuration files (dockerfiles, makefiles, etc.). It then proceeds with gathering critical reconnaissance information, including the application endpoint, exposed ports, and available web routes. These steps support the final purpose of executing the targeted exploitation on the running code, ensuring maximum impact.
Together, our trio of AI agents collaborates in a glass testing-box role to deliver cybersecurity expertise at machine speed. They identify all potential vulnerabilities through exhaustive scanning and analysis, conducting rigorous testing using best exploit simulation techniques. This approach shows promise in ensuring that no remaining vulnerabilities are left unaddressed, preventing them from being released and subsequently requiring expensive and time-consuming human remediation.
Research Is Key to Stay Ahead of Adversaries – and Technology
It is important to stay one step ahead of malicious actors by simulating real-world attacks on your systems before they can be exploited. The research undertaken by CrowdStrike data scientists is facilitating the identification of vulnerabilities and weaknesses in real time.
By harnessing the collective power of our AI agents, organizations can look forward to a future where cybersecurity visibility, agility, and effectiveness have the potential to reach new levels. This will help to protect their most valuable assets in a rapidly evolving threat landscape and reduce the time and effort required to identify vulnerabilities with automated rigorous tests.
Our presentation of novel, self-learning MAS at the NVIDIA GTC 2025 conference is a part of CrowdStrike’s commitment to research, cybersecurity industry thought leadership, and staying ahead of adversaries to stop breaches. It is this focus on innovation that ensures the AI-native CrowdStrike Falcon® platform remains at the forefront of cybersecurity protection, even as game-changing technology like AI-augmented code generation comes into play.
Additional Resources
