<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[I’m willing to believe that Anthropic built a better SAST.]]></title><description><![CDATA[<p>I’m willing to believe that Anthropic built a better SAST. But that’s a total market of about $5B tops according to Google (some estimates seem to be just $0.5B) – it’s going to take a while to pay off their $30B Series G if they keep targeting these relatively tiny markets.</p><p>The same as with targeting developer productivity (another famously quite small market), they are focused on these markets because there are existing automated “bullshit-corrector” tools. In the case of software development, type checkers, linters, testing frameworks etc. In the case of memory corruption bugs, apparently they leant heavily on ASan to weed out the false positives.</p><p>Anyone who’s ever used a SAST on a mature code base knows that reducing false positives is the number 1 priority.</p><p>Also, in a parallel to recent articles about coding agents, finding vulnerabilities is not the bottleneck.</p>]]></description><link>https://board.circlewithadot.net/topic/d8bd79a9-96dd-4358-bf60-34969a49844c/i-m-willing-to-believe-that-anthropic-built-a-better-sast.</link><generator>RSS for Node</generator><lastBuildDate>Fri, 17 Apr 2026 14:54:24 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/d8bd79a9-96dd-4358-bf60-34969a49844c.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 08 Apr 2026 14:17:40 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to I’m willing to believe that Anthropic built a better SAST. on Fri, 10 Apr 2026 14:47:26 GMT]]></title><description><![CDATA[<p><span><a href="/user/hacksilon%40infosec.exchange">@<span>hacksilon</span></a></span> I’m also super interested in how well it generalises to non-memory-safety vulns. How load-bearing is ASan as a quality gate here, and what other classes of vulns have similar oracles?</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116380955229414784</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116380955229414784</guid><dc:creator><![CDATA[neilmadden@infosec.exchange]]></dc:creator><pubDate>Fri, 10 Apr 2026 14:47:26 GMT</pubDate></item><item><title><![CDATA[Reply to I’m willing to believe that Anthropic built a better SAST. on Fri, 10 Apr 2026 05:59:34 GMT]]></title><description><![CDATA[<p><span><a href="/user/neilmadden%40infosec.exchange">@<span>neilmadden</span></a></span> yes. According to them that should be in 60+15 days, iirc. The thing that gives me some hope that this isn’t pure marketing is people like Daniel Stenberg reporting that there was a steep increase in the quality of AI-reported issues (<a href="https://mastodon.social/@bagder/116362046377975050" rel="nofollow noopener"><span>https://</span><span>mastodon.social/@bagder/116362</span><span>046377975050</span></a>), although he also says that no one from Glasswing was in touch, so who knows where those are coming from.</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/hacksilon/statuses/116378879552343611</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/hacksilon/statuses/116378879552343611</guid><dc:creator><![CDATA[hacksilon@infosec.exchange]]></dc:creator><pubDate>Fri, 10 Apr 2026 05:59:34 GMT</pubDate></item><item><title><![CDATA[Reply to I’m willing to believe that Anthropic built a better SAST. on Thu, 09 Apr 2026 21:57:58 GMT]]></title><description><![CDATA[<p><span><a href="/user/hacksilon%40infosec.exchange">@<span>hacksilon</span></a></span> yeah, for the OpenBSD bug they mention a “few dozen” other findings. But if they were good findings I think they would have said <em>something</em> about them. The fact they just say it as an aside with no elaboration suggests to me these other findings are probably a bit “meh”, but we’ll wait and see. Hopefully we’ll see the full list eventually, once disclosure has run its course.</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116376985829724444</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116376985829724444</guid><dc:creator><![CDATA[neilmadden@infosec.exchange]]></dc:creator><pubDate>Thu, 09 Apr 2026 21:57:58 GMT</pubDate></item><item><title><![CDATA[Reply to I’m willing to believe that Anthropic built a better SAST. on Wed, 08 Apr 2026 15:16:58 GMT]]></title><description><![CDATA[<p><span><a href="/user/neilmadden%40infosec.exchange">@<span>neilmadden</span></a></span> to be fair to them: an entire campaign cost $20k, but each campaign found more than one bug, so the price per bug is much lower. In a talk, one of their researchers said that he's sitting on 100+ high confidence findings from their Linux kernel runs alone that he hasn't yet had the time to verify and report to the maintainers. 
Of course, that's still a lot of money per bug, no doubt about it, but not quite the $20k you are quoting.</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/hacksilon/statuses/116369746720582797</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/hacksilon/statuses/116369746720582797</guid><dc:creator><![CDATA[hacksilon@infosec.exchange]]></dc:creator><pubDate>Wed, 08 Apr 2026 15:16:58 GMT</pubDate></item><item><title><![CDATA[Reply to I’m willing to believe that Anthropic built a better SAST. on Wed, 08 Apr 2026 15:09:55 GMT]]></title><description><![CDATA[<p>To be honest though, with quoted figures of $10-20,000 to find each of these vulns, I don’t think they’re going after the defender market...</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116369719031994447</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/neilmadden/statuses/116369719031994447</guid><dc:creator><![CDATA[neilmadden@infosec.exchange]]></dc:creator><pubDate>Wed, 08 Apr 2026 15:09:55 GMT</pubDate></item></channel></rss>