Vercel Releases deepsec — AI Scanner for Finding Hidden Vulnerabilities in Code
Vercel has released deepsec, an AI scanner for finding vulnerabilities in large codebases. It uses Claude Opus and GPT-5.5 for analysis, runs locally without cl
AI-processed from Vercel Blog; edited by Hamidun News
Vercel has released an open-source tool called deepsec, an AI harness for finding vulnerabilities in large codebases. Vercel presents it as the first security scanner that runs on your own infrastructure with your own API keys, so your source code is never uploaded to a third-party scanning service. One caveat worth stating plainly: the harness and the Claude and GPT agents it drives run locally, but the models themselves are called over the Anthropic and OpenAI APIs, so the code you scan is still disclosed to those providers under your own API agreements, just not to an additional scanner vendor.
Why deepsec is Needed
Existing security scanners (SAST tools, for example) often produce so many false positives that their output becomes unusable. The alternative, hiring a security audit firm, is expensive and slow. deepsec attempts to fill the gap: AI agents that work like an experienced security engineer, but cheaply, quickly, and on infrastructure you control.
Architecture and Capabilities
deepsec uses Claude Opus 4.7 at maximum effort and GPT-5.5 with high reasoning effort. It can run on a laptop with no additional cloud services. To scale to large monorepos it also supports parallel execution in Vercel Sandboxes; during development Vercel ran scans across more than 1000 concurrent instances. A full scan of a large repository can take several days on a single machine, so parallelism is what makes such runs practical.
How Scanning Works
The process consists of five stages:
- Scan — Regular expressions identify security-sensitive files and functions
- Investigate — Coding agents perform in-depth analysis of each candidate, trace data flows, and verify mitigations
- Revalidate — A second pass by agents filters out false positives and reclassifies the severity of each finding
- Enrich — An agent uses git metadata to identify the developers who should fix the issue
- Export — Results are converted into actionable instructions for creating tickets in your tracking system
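The first and last of these stages are mechanical enough to show in code. The following is an added example, not deepsec's own code: it reimplements the Scan stage (regex nomination of candidate lines, with noisy paths skipped and hits on authentication/API surfaces investigated first) and the Export stage (folding agent verdicts that survived revalidation into one ticket per owner and file). The rule set, path patterns, sample file tree and verdicts are all constructed assumptions; the `owner` field stands in for what the Enrich stage would derive from git metadata.

```python
from __future__ import annotations
import json
import re
from dataclasses import dataclass, asdict

# Hypothetical trigger rules (not deepsec's real rule set). A hit only nominates a
# line for an agent to investigate; the regex never decides anything is vulnerable.
RULES = {
    "auth-check": re.compile(r"\b(getServerSession|requireAuth|isAdmin|session\.user)\b"),
    "raw-sql": re.compile(r"\$queryRaw|\$executeRaw|\.raw\(|\.query\(\s*`"),
    "shell-exec": re.compile(r"\b(execSync|spawnSync|exec|spawn)\s*\("),  # call sites, not imports
    "secret-literal": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"
    ),
}
# Hits under auth/API surface are investigated first; vendored, generated and test
# paths are skipped entirely because they are the usual source of SAST noise.
SENSITIVE_PATH = re.compile(r"(^|/)(auth|middleware|api|webhooks?|billing)(/|\.)")
IGNORED_PATH = re.compile(
    r"(^|/)(node_modules|dist|__tests__|fixtures)/|\.(test|spec)\.[jt]sx?$|\.lock$"
)
COMMENT_LINE = re.compile(r"^\s*(//|#|\*|/\*)")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Candidate:
    path: str
    line: int
    rule: str
    snippet: str
    context: str   # surrounding lines handed to the investigating agent
    priority: int  # 2 = security-sensitive path, 1 = everything else

def scan_files(files: dict[str, str], context_lines: int = 2) -> list[Candidate]:
    """Stage 1 (Scan): nominate candidate lines across an in-memory file tree."""
    found: list[Candidate] = []
    for path, text in files.items():
        if IGNORED_PATH.search(path):
            continue
        lines = text.splitlines()
        prio = 2 if SENSITIVE_PATH.search(path) else 1
        for idx, line in enumerate(lines):
            if COMMENT_LINE.match(line):
                continue
            for name, rx in RULES.items():
                if rx.search(line):
                    lo, hi = max(0, idx - context_lines), min(len(lines), idx + context_lines + 1)
                    found.append(Candidate(path, idx + 1, name, line.strip(),
                                           "\n".join(lines[lo:hi]), prio))
    # Highest-priority candidates first, so a parallel run investigates them earliest.
    found.sort(key=lambda c: (-c.priority, c.path, c.line))
    return found

def export_tickets(verdicts: list[dict]) -> list[dict]:
    """Stage 5 (Export): keep only findings the revalidation pass confirmed and fold
    them into one ticket per (owner, file); 'owner' is assumed to come from Enrich."""
    tickets: dict[tuple[str, str], dict] = {}
    for v in verdicts:
        if v["status"] != "confirmed":
            continue
        key = (v["owner"], v["path"])
        t = tickets.setdefault(key, {"owner": v["owner"], "path": v["path"],
                                     "severity": "low", "issues": []})
        t["issues"].append(f"L{v['line']} [{v['rule']}]: {v['summary']}")
        if SEVERITY_RANK[v["severity"]] > SEVERITY_RANK[t["severity"]]:
            t["severity"] = v["severity"]  # a ticket carries its worst issue's severity
    return sorted(tickets.values(), key=lambda t: -SEVERITY_RANK[t["severity"]])

# Constructed sample tree and agent verdicts; none of this is real project code.
SAMPLE_TREE = {
    "app/api/links/route.ts": (
        "export async function GET(req: Request) {\n"
        "  const session = await getServerSession();\n"
        "  // TODO: check workspace membership\n"
        "  if (session.user) {\n"
        "    return prisma.$queryRaw`SELECT * FROM links WHERE owner = ${session.user.id}`;\n"
        "  }\n"
        "}\n"
    ),
    "lib/config.ts": "export const secret = 'sk_test_placeholder_0000000000'; // fake value\n",
    "lib/shell.ts": (
        "import { execSync } from 'node:child_process';\n"
        "export const run = (cmd: string) => execSync(cmd);\n"
    ),
    "lib/__tests__/shell.test.ts": "execSync('echo hi');\n",  # skipped: test path
    "yarn.lock": "token: 'abcdefghijklmnopqrstuvwxyz'\n",      # skipped: lockfile
}
SAMPLE_VERDICTS = [
    {"path": "app/api/links/route.ts", "line": 4, "rule": "auth-check", "status": "confirmed",
     "severity": "high", "owner": "alice@example.com", "summary": "session presence is checked but workspace membership is not"},
    {"path": "app/api/links/route.ts", "line": 5, "rule": "raw-sql", "status": "false_positive",
     "severity": "low", "owner": "alice@example.com", "summary": "Prisma tagged template is parameterised"},
    {"path": "lib/shell.ts", "line": 2, "rule": "shell-exec", "status": "confirmed",
     "severity": "critical", "owner": "bob@example.com", "summary": "cmd reaches execSync unescaped"},
]

if __name__ == "__main__":
    print(json.dumps([asdict(c) for c in scan_files(SAMPLE_TREE)], indent=2))
    print(json.dumps(export_tickets(SAMPLE_VERDICTS), indent=2))
```

Two design points carry over to a real pipeline: the shell-exec rule requires an opening parenthesis so import lines are not nominated, and the Export stage drops anything the revalidation pass did not confirm, which is where the false-positive filtering the article describes actually takes effect. On the sample tree the scan yields six candidates (the route handler first, the raw-SQL line nominated twice under two rules) and the verdicts collapse to two tickets, the critical one first.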
Results on Real Projects
Vercel tested deepsec on its own monorepos and on open-source projects from its customers, and the results impressed experienced security engineers and founders alike. On the open-source code of dub.co (a link-shortening platform with attribution for affiliate programs) deepsec found subtle edge cases in authentication conditions: bugs that standard SAST tools did not flag but that could have led to unauthorized access. The results prompted Vercel to build a custom scanner plugin that checks every authentication path in its own monorepos.
"We receive many automated security reports, but most of them are unusable. deepsec is the first tool that found exactly the issues a security engineer would flag, while running on our own infrastructure." — Steven Tey, founder of dub.co
What This Means
Automated security scanning is moving from cloud services toward privacy-first tools. For developers and security teams this means finding vulnerabilities without uploading code to a scanning vendor, using the Claude and OpenAI API keys they already have. Tools like deepsec are beginning to fill the gap between professional security audits (which take weeks and cost hundreds of thousands of dollars) and automated scanners whose output is dominated by false positives (the article puts the rate at 95%). This could become the standard in security pipelines for large enterprises.