HeadsUpAI

Cognition Launches Devin for Security to Automatically Patch Enterprise Vulnerability Backlogs


Cognition, an applied AI lab building software agents, launched Devin for Security to automate vulnerability remediation. The system introduces specialized workflows for reducing security debt by delegating patching to an autonomous agent. This follows recent Devin deployments at AstraZeneca and Mercedes-Benz.

Vulnerability resolution rate: 70 percent
Supported security scanners: SonarQube, Fortify, Veracode
Test coverage improvement: 50 percent to 90 percent
Core workflows: Security debt reduction, release securing, incident response
Availability: Devin platform and enterprise plans

The launch addresses a capacity gap where AI-powered offensive tools have collapsed the time to exploit, while defensive remediation remains a manual bottleneck. By verticalizing its agent, Cognition is competing with specialized offerings like Anthropic's Claude Security and OpenAI's Codex Security. This moves AI from detection to autonomous resolution.

You can now use Devin to automatically resolve findings from scanners like SonarQube, Fortify, and Veracode. In a deployment at Itaú, the agent resolved 70 percent of the bank's vulnerability backlog and doubled test coverage to over 90 percent. These workflows are available through the Devin platform for integration into existing pipelines.

Cognition (@cognition) on X:

Security remediation is an engineering capacity problem. AI has collapsed the time to exploit, but defensive tools haven’t kept up. Today we’re introducing Devin for Security: a set of workflows for reducing security debt, securing every release, and accelerating response


Still wondering? A few quick answers below.

Devin for Security is a specialized set of autonomous workflows built by Cognition to help engineering teams manage security debt. It uses an AI agent to identify, analyze, and remediate vulnerabilities in codebases. The system is designed to secure every software release and accelerate incident response by handling repetitive patching tasks that typically overwhelm human developers.

Devin for Security integrates directly into existing software development lifecycles and CI/CD pipelines. It works alongside static analysis security testing tools like SonarQube, Fortify, and Veracode. When these scanners flag a vulnerability, Devin automatically investigates the finding and generates a verified patch for human engineers to review and merge, reducing the manual effort required for remediation.

In a large-scale deployment at Itaú, Brazil's largest bank, Devin for Security automatically resolved 70 percent of the organization's security vulnerability backlog. The bank also used the agent to document over 300,000 repositories and increase its test coverage from under 50 percent to over 90 percent, demonstrating the agent's ability to handle complex legacy codebases.

Devin for Security is available as part of the broader Devin platform from Cognition. While the company offers self-serve plans for individuals and teams, these advanced security workflows and large-scale integrations are primarily targeted at enterprise customers. Organizations can contact Cognition directly to deploy Devin Enterprise, which provides the additional security and control required for institutional use.

Devin for Security can autonomously remediate vulnerabilities flagged by static analysis tools, document large and complex codebases, and write automated tests to improve coverage. It also assists with architectural planning by tracing data flows and identifying integration risks. Additionally, the agent can help with incident triage by analyzing legacy code to identify root causes and propose fixes.
