Since the announcement of Claude Mythos, one question has dominated security practitioners’ discussions: If AI can analyze code with growing sophistication, why keep investing in traditional static analysis?

It is an understandable question. The ability of frontier models to detect vulnerabilities in code has advanced quickly. LLMs can identify logic flaws that traditional SAST tools often miss. They can reason across authorization flows, business context, and multistep vulnerabilities in ways static analysis engines were never designed to do.

The promise of AI to improve application security is real. But the better question is not whether AI replaces SAST. It is how security teams can combine both to improve coverage, speed, consistency, and cost efficiency.

The future of application security is not a choice between AI code analysis and SAST, but rather a hybrid harness that leverages both SAST and AI. This approach enables teams to combat security defects with speed and consistency at a sustainable cost.


Some practical considerations regarding AI scanning

AI code security scanning is powerful, but it is not a replacement for the operational backbone of an application security program. The constraints are practical, not philosophical. Available industry analysis suggests that an AI scan costs at least 10X as much as a SAST scan, and recent industry examples have highlighted the token and compute costs that AI-driven development and testing can incur.

And cost matters. Security checks must be performed at multiple points throughout the SDLC: during coding (at commit, pull request, and merge) and in CI pipelines. That volume of testing requires tools that are economical enough to run that often. AI code analysis is improving, but at scale, it remains measurably more expensive than traditional SAST.

A better approach combines both techniques, using SAST in early stages to cost-effectively identify the bulk of the defects, and then using AI code analysis out of band to find issues that were undetected by SAST.

Further, consistency matters. Security programs rely on repeatable findings to measure risk, track remediation, and support security compliance requirements. AI code analysis findings are nondeterministic: consecutive scans of the same code can report different issues, different severities, or different locations, because an LLM samples its output probabilistically rather than applying a fixed rule set. The findings also may lack the precision needed for compliance and audit, a gap that widens materially at scale. This type of analysis is useful for detecting novel defects and chained vulnerabilities, but it is not yet well suited to serve as the sole system of record for auditability and risk analysis.

Here too, the combination of SAST and AI analysis gives teams a reliable and consistent baseline security assessment, plus deeper analysis like that of a human security researcher.

Finally, velocity matters. In fact, as AI coding assistants generate a rapidly growing volume of code, velocity is becoming critical. But while AI writes code faster than humans, it is much slower than a traditional SAST scan at analyzing code for security defects, because a model produces its analysis token by token over a large context: it first builds an understanding of the code and only then determines which defects are present. This is problematic in DevOps workflows where pipeline SLAs can be constrained to minutes. Teams that use AI analysis as a direct replacement for static analysis may encounter significant workflow bottlenecks.

The combination of SAST and AI enables development teams to implement testing processes that optimize velocity where required.

To be clear, none of these challenges diminish the value of AI. Rather, they clarify where AI adds the most value—and where it needs to be applied selectively and pragmatically.

What a modern hybrid model looks like

As we move into an era of AI-powered software development, the strongest application security programs will converge on a hybrid model.

In that model, SAST serves as the foundational layer for application security. It runs continuously, scales efficiently, and produces stable findings that support developer workflows, program governance, and auditability.

AI scanning plays a different role. It should be deployed where semantic reasoning materially improves detection: complex business logic, authorization decisions, high-risk applications, prerelease gates, and edge cases that deterministic tools are less likely to catch. In those contexts, AI can extend the reach of application security scanning.

This hybrid model is not a temporary compromise while AI matures. It is a durable operating model. Deterministic methods provide scale, repeatability, and control. AI adds adaptive reasoning where context matters. Together, they create broader and more resilient coverage than either approach can deliver on its own.
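As an added example (not code from the original article or from Black Duck), the following Python harness shows one concrete shape for the operating model described above and for the consistency and out-of-band points raised earlier: SAST findings are the system of record and the only thing that can block a pull request; the AI scanner is run several times out of band, and its findings are accepted only when they reproduce across runs. Findings are identified by a stable fingerprint (vulnerability class, file, whitespace-free snippet) rather than by line number, so the merged report is repeatable even though the AI output drifts. The finding format, the rule-name mapping, and every sample finding are constructed for illustration and do not come from any real tool.

```python
"""Hybrid SAST + AI triage harness (added example, not Black Duck code).

Assumptions (not from the page): findings are plain dicts; the SAST tool emits
a stable rule id; the AI scanner was invoked three times out of band and
produced one list per run. All sample data below is constructed.
"""
import hashlib
import re
from collections import defaultdict

# Hypothetical mapping from tool-specific rule names to one vulnerability class,
# so a SAST rule id and an LLM's free-text label can be compared.
RULE_CLASS = {
    "SQLI-001": "sqli", "sql-injection": "sqli", "sqli": "sqli",
    "XSS-003": "xss", "xss": "xss",
    "broken-authz": "authz", "idor": "authz",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample input: one deterministic SAST run over a commit ...
SAST_FINDINGS = [
    {"tool": "sast", "rule": "SQLI-001", "file": "app/db.py", "line": 42,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)', "severity": "high"},
    {"tool": "sast", "rule": "XSS-003", "file": "app/views.py", "line": 17,
     "snippet": "return HttpResponse(request.GET['q'])", "severity": "medium"},
]
# ... and three AI runs over the same commit. Labels, severities, line numbers
# and whitespace drift between runs; one finding appears only once (likely noise).
AI_RUNS = [
    [{"tool": "ai", "rule": "sql-injection", "file": "app/db.py", "line": 42,
      "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)', "severity": "high"},
     {"tool": "ai", "rule": "broken-authz", "file": "app/api.py", "line": 88,
      "snippet": "return get_invoice(invoice_id)", "severity": "high"}],
    [{"tool": "ai", "rule": "sqli", "file": "app/db.py", "line": 43,
      "snippet": 'cur.execute( "SELECT * FROM users WHERE id="  + uid )', "severity": "critical"},
     {"tool": "ai", "rule": "broken-authz", "file": "app/api.py", "line": 89,
      "snippet": "return  get_invoice(invoice_id)", "severity": "high"},
     {"tool": "ai", "rule": "race-condition", "file": "app/cache.py", "line": 5,
      "snippet": "if key not in cache: cache[key] = load(key)", "severity": "low"}],
    [{"tool": "ai", "rule": "broken-authz", "file": "app/api.py", "line": 88,
      "snippet": "return get_invoice(invoice_id)", "severity": "high"}],
]


def fingerprint(finding):
    """Stable identity: vulnerability class + file + whitespace-free snippet.
    Line numbers are excluded on purpose; they drift between AI runs and commits."""
    cls = RULE_CLASS.get(finding["rule"], finding["rule"].lower())
    code = re.sub(r"\s+", "", finding["snippet"])
    return hashlib.sha256(f"{cls}|{finding['file']}|{code}".encode()).hexdigest()[:16]


def ai_consensus(runs, min_runs):
    """Keep only AI findings reported in at least `min_runs` independent runs.
    Returns {fingerprint: (representative finding, number of runs that reported it)}."""
    seen = defaultdict(list)
    for run in runs:
        per_run = {fingerprint(f): f for f in run}  # dedupe within a single run
        for fp, f in per_run.items():
            seen[fp].append(f)
    result = {}
    for fp, reps in seen.items():
        if len(reps) >= min_runs:
            rep = dict(reps[0])
            # Severity is nondeterministic too; take the lowest reported so a
            # single run's escalation cannot inflate the merged record.
            rep["severity"] = min((f["severity"] for f in reps), key=lambda s: SEVERITY_RANK[s])
            result[fp] = (rep, len(reps))
    return result


def merge(sast_findings, ai_runs, min_runs=2):
    """SAST is the system of record. A consensus AI finding with the same
    fingerprint corroborates a SAST finding; otherwise it is added as a new
    'ai-consensus' finding for out-of-band triage. Output order is deterministic."""
    merged = {}
    for f in sast_findings:
        fp = fingerprint(f)
        merged[fp] = {**f, "id": fp, "source": "sast", "ai_runs": 0}
    for fp, (f, n) in ai_consensus(ai_runs, min_runs).items():
        if fp in merged:
            merged[fp]["ai_runs"] = n
        else:
            merged[fp] = {**f, "id": fp, "source": "ai-consensus", "ai_runs": n}
    return sorted(merged.values(), key=lambda m: (m["source"], m["file"], m["line"]))


def pr_gate_blocks(findings, min_severity="high"):
    """Inline PR gate: only deterministic SAST findings can block a merge, so the
    same commit always gets the same verdict regardless of what the AI runs said."""
    return any(f["source"] == "sast" and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]
               for f in findings)


def out_of_band_queue(findings):
    """Consensus AI findings that SAST did not see: routed to a triage queue."""
    return [f for f in findings if f["source"] == "ai-consensus"]


if __name__ == "__main__":
    report = merge(SAST_FINDINGS, AI_RUNS, min_runs=2)
    for f in report:
        cls = RULE_CLASS.get(f["rule"], f["rule"])
        print(f"{f['id']} {f['source']:13} {f['severity']:8} {f['file']}:{f['line']} {cls} ai_runs={f['ai_runs']}")
    print("PR gate blocks merge:", pr_gate_blocks(report))
    print("Out-of-band queue:", [f["id"] for f in out_of_band_queue(report)])
```

With the constructed data, the SQL injection finding is corroborated by two of three AI runs, the XSS finding stands on SAST alone, the authorization flaw (which SAST never reported) reaches consensus in all three runs and lands in the out-of-band queue, and the single-run race-condition report is dropped. Raising `min_runs` trades recall for stability; the PR verdict is unaffected either way because only SAST findings can block.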

Key takeaway

The future of application security will not be about choosing between AI and SAST. The right question is whether your security program is built to withstand evolving attack patterns with machine-speed detection, response, and remediation across every line of code you ship.

The answer is combining AI and SAST into a common harness: SAST as the foundation, with AI to complement and extend the reach of deterministic solutions. Security leaders should treat AI as an amplifier—not a substitute—for the controls that make application security scalable and governable.

The most effective teams will be those that build on SAST for continuous, repeatable coverage, and then apply AI where deeper reasoning adds meaningful value. In the AI era, the strongest application security programs will not choose between precision and intelligence. They will operationalize both.


Learn more about Black Duck AI code security solutions