Security has long been the last item on the checklist. Code gets written, reviewed, merged—and then, somewhere down the line, a security team takes a look. That model worked when development moved at a human pace. It doesn’t work as well when AI writes and refactors code faster than any team can keep up with.
Vercel is taking a direct shot at that problem with the open-source release of deepsec, an agent-powered security harness that runs on your own infrastructure and surfaces hard-to-find vulnerabilities in large codebases.
How It Works
Deepsec uses Claude and Codex to conduct a tailored investigation of a codebase, starting with static analysis to identify security-sensitive files. From there, coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings.
The process runs in five stages: scan, investigate, revalidate, enrich, and export.
The scan stage runs roughly 110 regex matchers across the codebase with no AI calls involved. On a 2,000-file project, it takes about 15 seconds. From there, agents investigate each flagged file, a second agent filters out false positives, git metadata is used to identify the contributors best positioned to fix each issue, and findings are exported in a format that can feed directly into ticketing systems—for both humans and coding agents.
For teams with large repos, deepsec supports fanout to Vercel Sandboxes for remote parallel execution. Scans on Vercel’s own codebases routinely scale up to 1,000 or more concurrent sandboxes.
Built for the AI Development Era
AI-accelerated coding increases the volume of code changes, reduces developer familiarity with generated patterns, makes refactors constant, and causes security debt to quietly compound. Traditional late-stage security reviews can’t keep up with this pace.
That’s the core argument behind deepsec. Security review needs to move at the same speed as development—which means pulling it into the same agentic workflow developers already use.
What to Know Before You Use It
There are a few things worth noting. Deepsec is configured to use the best models at maximum thinking levels, meaning scans can cost thousands—or even tens of thousands—of dollars for large codebases. That’s not a small line item, but Vercel says customers have found it worth the investment given how quickly they were able to patch vulnerabilities that might otherwise have gone unnoticed.
The false-positive rate is roughly 10 to 20%, and the revalidation step is specifically designed to have the agent further verify its findings, thereby reducing it.
Deepsec also works best for applications and services. Libraries and frameworks may require custom prompts and scanners. The tool ships with a plugin system to handle those cases.
One thing you don’t need: a specialized security-focused AI model. Deepsec is fully functional with standard Claude and Codex subscriptions, and ships with a classifier that checks whether a task was refused after each research step.
Getting Started
To get started, run npx deepsec init at the root of your repository. This creates a .deepsec directory to configure the system and store a catalog of investigations. From there, you can run scans locally or scale out using Vercel Sandboxes.
The project is open source and available on GitHub. Vercel has made it clear that it’s still early—and that feedback and contributions are welcome.
For DevOps teams looking to tighten the loop between shipping and securing, deepsec is worth a closer look.