HeadsUpAI

Vercel Releases deepsec to Automate Deep Security Audits With Coding Agents

Vercel, a frontend cloud platform and creator of the AI SDK, released deepsec as an open-source security harness. The CLI-first tool orchestrates a multi-stage pipeline starting with a fast regex scan for candidates, followed by an AI-driven process step where coding agents perform deep investigations.

This release follows a surge in agentic security tools like Claude Security and Replit's Security Agent. Unlike managed services, deepsec provides an open orchestration layer for your own infrastructure. It manages high reasoning costs by fanning out tasks across parallel sandboxes, making exhaustive audits of massive repositories economically viable.

Initialize with npx deepsec init to create project-specific configurations. The system is model-agnostic, supporting Anthropic and OpenAI via Vercel’s AI Gateway or direct API keys. For large-scale execution, you can deploy workers to Vercel Sandbox microVMs, which isolate agents to prevent credential exfiltration or unauthorized network access.

View the full update on github.com
Vercel Developers
Vercel Developers
@vercel_dev
X

Introducing deepsec, an open source coding security harness. • CLI-first • Sandbox-based scaling • Pluggable coding agents • Designed for large-scale repos • Use AI Gateway or your own subscription After months of successful internal use, we put it to the test on some of

275retweets2.5klikes
View on X

Still wondering? A few quick answers below.

Vercel deepsec is an agent-powered vulnerability scanner designed to find security flaws in large-scale codebases. It uses autonomous coding agents to perform deep reviews of existing code, identifying hard-to-surface issues that traditional scanners might miss. The tool is optimized for on-demand reviews and uses high-reasoning models to investigate potential vulnerabilities across entire repositories.

The tool follows a multi-stage workflow to balance speed and accuracy. It begins with a fast regex scan to identify candidate sites without using AI. A process step then uses coding agents to investigate those sites and confirm findings. Finally, a triage step uses cheaper models to classify the severity of the identified vulnerabilities.

Yes, deepsec is open source and released under the Apache 2.0 license. The source code is available on GitHub for anyone to download and run on their own infrastructure. It is designed to be pluggable, allowing developers to use their own AI provider subscriptions or Vercel AI Gateway to power the agents.

Because the tool uses high-reasoning models at maximum thinking levels, token costs can be significant. For large codebases, a full scan can cost thousands or even tens of thousands of dollars. Vercel states that the cost is often justified by the speed at which teams can identify and patch critical vulnerabilities that would otherwise remain hidden.

The tool uses a sandbox-based architecture to isolate coding agents during execution. By running agents in microVMs, deepsec ensures that API keys cannot be exfiltrated even if an agent encounters malicious code. Network egress from these sandboxes is strictly limited to authorized coding agent hosts, providing a secure environment for automated security audits.

Share this update