Checkmarx Unveils Hybrid SAST Scanning Engine in Checkmarx One, Achieving Industry-Leading Accuracy and Cutting False Positives by 60 Percent
Checkmarx has launched a hybrid SAST scanning engine within Checkmarx One, combining deterministic analysis and AI-driven detection to achieve an F1 score of 0.64 and reduce false positives by 60 percent. The upgrade addresses rising risks from AI-generated code, improving accuracy, governance, and enterprise security outcomes.
The company stated that modern software development is facing unprecedented risk levels, as artificial intelligence is reshaping code creation at scale. According to industry observations cited by Checkmarx, nearly 49 percent of production code is now AI-generated and demonstrably more insecure, while exploit windows for vulnerabilities are shrinking dramatically from months to mere minutes. In this environment, traditional scanning methods alone are no longer sufficient to address evolving threats.
To address these challenges, Checkmarx has introduced a hybrid scanning architecture within Checkmarx One that integrates three core layers of protection. The first is a deterministic rules-based scanning foundation, refined over two decades of enterprise application security expertise. The second is a purpose-tuned large language model engine designed to extend detection capabilities to AI-generated code, emerging programming languages, and complex polyglot codebases. The third layer is the Finding Analysis Engine, which evaluates raw security findings to confirm true positives while suppressing false positives before results are delivered to developers.
Checkmarx Chief Executive Officer Sandeep Johri emphasized that no single approach can fully address modern application security challenges, noting that deterministic analysis provides precision while AI-driven techniques expand coverage into previously unsupported code environments. He further highlighted that combining both approaches within a unified architecture is essential to reduce noise and improve actionable security outcomes at scale.
In internal head-to-head testing across seven production codebases, the new hybrid engine achieved an F1 score of 0.64, more than three times the average score of 0.20 recorded across the competing approaches Checkmarx evaluated. The system also reduced false positives by 60 percent, enabling development teams to focus on high-confidence vulnerabilities that are genuinely exploitable rather than being overwhelmed by excessive security alerts.
The new Finding Analysis Engine plays a central role in this improvement by reasoning over every detected issue, filtering out false positives, and confirming real vulnerabilities. The system is designed to transform raw security signals into high-fidelity outputs that can be acted upon immediately by engineering teams. In addition, the platform supports language-agnostic scanning, enabling coverage across all programming languages, including those introduced or heavily used through AI-assisted development, without compromising accuracy in established codebases.
Checkmarx also highlighted the importance of defensible governance within the updated system, providing board-level evidence of exploitability and resolution status based on real attack potential rather than raw vulnerability counts. This approach is intended to support more informed risk decision-making at the executive level.
Chief Product Officer Jonathan Rende stated that while artificial intelligence has significantly improved developer productivity, independent evaluations show that a substantial proportion of AI-generated code remains insecure. He also noted that conventional tools often struggle with excessive compute consumption due to false positives. The new system, he said, is designed to provide confidence, predictability, and cost efficiency by prioritizing meaningful vulnerabilities and eliminating unnecessary noise.
The hybrid scanning engine and Finding Analysis Engine are currently available in early access as part of the Checkmarx One platform. The company’s broader platform reportedly scans trillions of lines of code annually and has helped reduce vulnerability density by more than half across enterprise environments. Checkmarx also announced that further details will be discussed at its upcoming virtual summit, “Agentic AppSec Unleashed ’26,” scheduled for June 16, 2026.
In conclusion, Checkmarx’s latest advancement reflects a significant shift in application security strategy, combining deterministic precision with artificial intelligence-driven adaptability to address the escalating risks introduced by AI-generated software development, while aiming to deliver higher accuracy, reduced noise, and stronger enterprise-grade governance across modern development pipelines.