Vercel Releases Deepsec, an AI-Powered Security Scanner for Development Teams
Vercel has open-sourced deepsec, a security scanning tool that uses AI agents to find vulnerabilities in large codebases. The tool runs on your own infrastructure and integrates directly into the development workflow, moving security checks from a late-stage review into the same process where code gets written and merged.
The timing reflects a real problem: AI-assisted coding produces changes faster than traditional security reviews can keep pace. When developers write code at human speed, security can wait until after merge. When AI writes and refactors code constantly, that model breaks down.
How the scanning works
Deepsec runs through five stages: scan, investigate, revalidate, enrich, and export.
The initial scan uses 110 regex matchers to flag security-sensitive files across your codebase. No AI calls happen here; on a 2,000-file project, this takes about 15 seconds. From there, Claude and Codex agents investigate each flagged file, tracing data flows and checking for mitigations.
A second agent filters out false positives. Git metadata identifies which contributors are best positioned to fix each issue. Findings export in formats that feed directly into ticketing systems for both human developers and coding agents.
For large repositories, deepsec supports parallel execution across Vercel Sandboxes. Scans on Vercel's own codebases routinely scale to 1,000 or more concurrent sandboxes.
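To make the five-stage shape concrete, here is an added example (not deepsec's own code) that runs a miniature version of the pipeline offline: a regex pre-scan over a constructed in-memory repository, a deterministic stand-in for the investigate/revalidate agents that drops hits where an obvious mitigation is present, enrichment from constructed git author lists standing in for `git log --format=%an -- <path>` output, and a JSON export. The matcher names, mitigation patterns, file contents and author names are all assumptions made for illustration; deepsec's real matchers and agent prompts are not reproduced here.

```python
import json
import re
from collections import Counter

# Constructed sample repository: path -> file contents. Illustrative only,
# not taken from any real project.
SAMPLE_FILES = {
    "src/db/users.py": (
        "def find_user(cursor, name):\n"
        "    cursor.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
    ),
    "src/db/orders.py": (
        "def find_order(cursor, order_id):\n"
        "    cursor.execute(\"SELECT * FROM orders WHERE id = %s\", (order_id,))\n"
    ),
    "src/auth/tokens.py": (
        "import jwt\n"
        "def decode(token, key):\n"
        "    return jwt.decode(token, key, algorithms=['HS256'])\n"
    ),
    "README.md": "# Demo app\n",
}

# Stage 1 (scan): regex matchers that flag security-sensitive files. Deepsec
# ships 110 of these; the three below are constructed stand-ins.
MATCHERS = {
    "sql-query": re.compile(r"\.execute\("),
    "jwt-decode": re.compile(r"\bjwt\.decode\("),
    "subprocess-shell": re.compile(r"shell=True"),
}

def scan(files, matchers=MATCHERS):
    """Cheap, AI-free pre-filter: return (file, matcher) hits worth investigating."""
    hits = []
    for path, text in files.items():
        for name, pattern in matchers.items():
            if pattern.search(text):
                hits.append({"file": path, "matcher": name})
    return hits

# Stages 2-3 (investigate, revalidate): in deepsec these are LLM agents tracing
# data flow. This deterministic stand-in only checks for an obvious mitigation
# so the pipeline can be exercised end to end without any model calls.
MITIGATIONS = {
    "sql-query": re.compile(r"\.execute\([^)]*,\s*\("),  # parameters passed as a tuple
    "jwt-decode": re.compile(r"algorithms\s*="),          # accepted algorithms pinned
}

def revalidate(files, hits, mitigations=MITIGATIONS):
    """Drop hits whose file already carries a recognised mitigation."""
    confirmed = []
    for hit in hits:
        mitigation = mitigations.get(hit["matcher"])
        if mitigation and mitigation.search(files[hit["file"]]):
            continue  # mitigated: treat as a false positive
        confirmed.append(dict(hit, status="confirmed"))
    return confirmed

# Stage 4 (enrich): constructed stand-in for the author names that
# `git log --format=%an -- <path>` would return; a real run would invoke git.
SAMPLE_GIT_AUTHORS = {
    "src/db/users.py": ["alice", "bob", "alice"],
    "src/db/orders.py": ["bob"],
    "src/auth/tokens.py": ["carol"],
}

def enrich(findings, authors_by_file=SAMPLE_GIT_AUTHORS):
    """Attach the most frequent recent author as the suggested owner of each finding."""
    out = []
    for finding in findings:
        authors = authors_by_file.get(finding["file"], [])
        owner = Counter(authors).most_common(1)[0][0] if authors else None
        out.append(dict(finding, suggested_owner=owner))
    return out

# Stage 5 (export): JSON that a ticketing system or a coding agent can ingest.
def export_findings(findings):
    return json.dumps({"findings": findings}, indent=2, sort_keys=True)

def run_pipeline(files=SAMPLE_FILES):
    return enrich(revalidate(files, scan(files)))

if __name__ == "__main__":
    print(export_findings(run_pipeline()))
```

On the constructed repository the scan flags three files, revalidation keeps only the string-concatenated SQL query (the parameterised query and the algorithm-pinned JWT decode are dropped), and enrichment assigns it to the author with the most commits on that file. The expensive, judgement-heavy stages in the real tool sit exactly where the stand-in functions are, which is why the regex pre-scan matters: it bounds how many files ever reach an agent.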
Cost and accuracy trade-offs
Deepsec runs models at maximum thinking levels, which means scans can cost thousands or tens of thousands of dollars for large codebases. Vercel says customers view this as worthwhile given how quickly they patch vulnerabilities that would otherwise go unnoticed.
The false-positive rate sits between 10 and 20 percent. The revalidation step is designed to have the agent verify its own findings, reducing noise further.
The tool works best for applications and services. Libraries and frameworks may need custom prompts and scanners; deepsec ships with a plugin system for those cases.
Getting started
To begin, run npx deepsec init at your repository root. This creates a .deepsec directory to configure the system and store investigation records. Scans can run locally or scale out using Vercel Sandboxes.
You don't need a specialized security AI model. Deepsec works with standard Claude and Codex subscriptions. The tool includes a classifier that checks whether a model refused a task after each research step.
The project is open source on GitHub. Vercel describes it as early-stage and is actively seeking feedback and contributions.
For development and DevOps teams looking to tighten the loop between shipping code and securing it, deepsec is worth evaluating.