product update | Replit

Replit Launches Security Agent to Audit AI-Generated Code in Under an Hour

TL;DR

Replit has introduced Security Agent, an AI-powered tool that performs comprehensive security reviews of codebases in under an hour. The agent uses a hybrid approach combining LLMs with Semgrep and HoundDog.ai, and according to recent research can identify up to 93.3% of false positives from traditional static analysis tools.

Replit has introduced Security Agent, an AI-powered tool that performs comprehensive security reviews of codebases in under an hour, replacing what previously required weeks of coordination with security engineers.

The agent works by mapping application architecture, building threat models, analyzing routes and APIs, and scanning for vulnerabilities including SQL injection, cross-site scripting, and request forgery. For larger projects, complete audits can take up to 15 minutes.

Hybrid Scanning Approach

Security Agent combines large language models with deterministic tools: Semgrep for static analysis and HoundDog.ai for additional security checks. According to research cited by Replit (Xiong & Zhang, 2026), LLM-based agents can identify up to 93.3% of false positives from traditional static application security testing (SAST) tools. Replit states its observed results align with these findings.

"The most effective security is the kind that works seamlessly," said Daghan Atlas, Head of Product at Semgrep. "Replit's Security Agent is a great example of what's possible when you pair the contextual reasoning of LLMs with the determinism and program analysis capabilities of Semgrep."

How It Works

Users access Security Agent through their project's Security panel. After scanning, the agent generates a report of identified risks that users can review, ignore, or revise. Approved issues can be passed to Replit's existing Agent for automated remediation.

The system automatically organizes vulnerabilities into separate tasks for parallel fixes. Users review proposed patches before applying them to their main branch. Replit recommends running scans before each major application update.

Integration with Existing Workflow

Security Agent builds on Replit's existing automatic vulnerability scanning, which monitors dependencies before projects are published. The new agent provides deeper, on-demand analysis beyond continuous monitoring.

Pricing for Security Agent was not disclosed in the announcement.

What This Means

This launch reflects the broader trend of using LLMs to filter and contextualize output from deterministic security tools rather than relying solely on pattern-matching AI. The 93.3% false positive identification rate, if reproducible, would significantly reduce security review overhead for development teams. The key question is whether the agent introduces new false negatives by filtering out legitimate issues—a metric Replit has not yet published.
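To make that last point concrete, here is an added example (not Replit's code, and not a description of how its agent is implemented) that scores a hypothetical LLM triage layer over labelled SAST findings: it reports the false-positive identification rate the announcement cites next to the rate of real issues the triage wrongly dismissed, and then groups the surviving findings into per-rule fix tasks in the spirit of the parallel-task workflow the article describes. The `Finding` fields, the `sample.*` rule ids and the ten findings are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str         # rule id in Semgrep style (constructed values below)
    path: str
    line: int
    true_positive: bool   # ground truth from a manual review
    kept_by_triage: bool  # True if the LLM layer kept it, False if it dismissed it


def triage_metrics(findings):
    """Score a triage layer against labelled SAST findings.

    Reports the false-positive identification rate (the headline number) next to
    the share of true positives the triage dismissed (the number not yet published).
    """
    fps = [f for f in findings if not f.true_positive]
    tps = [f for f in findings if f.true_positive]
    kept = [f for f in findings if f.kept_by_triage]
    return {
        "fp_identification_rate": sum(not f.kept_by_triage for f in fps) / max(len(fps), 1),
        "introduced_fn_rate": sum(not f.kept_by_triage for f in tps) / max(len(tps), 1),
        "precision_before": len(tps) / max(len(findings), 1),
        "precision_after": sum(f.true_positive for f in kept) / max(len(kept), 1),
        "findings_after": len(kept),
    }


def group_into_tasks(findings):
    """Group kept findings by rule id so each class of issue becomes one fix task."""
    tasks = defaultdict(list)
    for f in findings:
        if f.kept_by_triage:
            tasks[f.check_id].append(f"{f.path}:{f.line}")
    return {rule: sorted(locs) for rule, locs in tasks.items()}


# Constructed sample: 10 findings from a hypothetical scan, 6 false positives
# and 4 true positives, with the triage layer's keep/dismiss decisions.
SAMPLE = [
    Finding("sample.sqli", "app/db.py", 42, True, True),
    Finding("sample.sqli", "app/db.py", 88, True, True),
    Finding("sample.sqli", "app/report.py", 10, False, False),
    Finding("sample.xss", "app/views.py", 17, True, True),
    Finding("sample.xss", "app/views.py", 31, False, False),
    Finding("sample.xss", "app/admin.py", 5, False, True),     # false positive the triage kept
    Finding("sample.csrf", "app/forms.py", 3, True, False),     # real issue wrongly dismissed
    Finding("sample.csrf", "app/forms.py", 9, False, False),
    Finding("sample.csrf", "app/api.py", 21, False, False),
    Finding("sample.csrf", "app/api.py", 27, False, False),
]
```

On this sample the triage identifies 5 of 6 false positives but also drops 1 of 4 real issues, which is why an FP-identification rate on its own says little about whether the filtered report is safe to act on.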
