
Semgrep Launches Multimodal, Combining AI Reasoning With Rule-Based Analysis for Detection, Triage, and Remediation

Built on Semgrep Workflows, a new framework for autonomous code security, Semgrep Multimodal finds 8x more true positives while cutting noise by 50% compared to foundation models alone

Semgrep, a leading code security company, today announced Semgrep Multimodal, a system that combines AI reasoning with rule-based analysis for detection, triage, and remediation. Its detection finds up to 8x more true positives while cutting noise by 50% compared to foundation models alone, and has already discovered dozens of zero-days at customers. Multimodal is built on Semgrep Workflows, a framework for autonomous code security that uses deterministic tools together with AI so security teams can encode their processes once and scale them reliably across teams, repos, and the organization.

Workflows can be run as-is from a pre-built library, customized for a team's specific environment, or built from scratch. Semgrep's managed infrastructure handles the production deployment, so teams can focus on defining their security logic, not maintaining the stack.

The Problem: AI Code Volume Has Outpaced Security

AI-generated code is outpacing the security practices built for human-speed development. Security teams fielding hundreds of pull requests a day know the math is unforgiving: a 95% fix rate still means hundreds of unresolved critical issues compounding across hundreds of repositories. Most are already reaching for LLMs to close the gap and hitting the same walls: demos that fall apart in production, outputs that vary between repositories, token costs that spiral, and hallucinations that erode trust. The jump from proof of concept to running reliably across the organization is where most efforts stall.

Meanwhile, many of the largest and most costly breaches aren't caused by the vulnerabilities traditional SAST scanners catch. Instead they're caused by logic errors that escaped notice entirely.

Semgrep Multimodal: Better Than Either Approach Alone

Traditional rule-based SAST excels at catching known vulnerability patterns: SQL injection, SSRF, and secrets exposure. But it has always struggled with business logic flaws: IDORs, broken authorization, and authentication bypasses that require understanding context and developer intent. LLMs can reason about logic, but used alone they produce unacceptably high false positive rates and inconsistent results at scale.
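To make the distinction above concrete, here is an added illustration (not Semgrep's code and not a Semgrep rule) of why a purely syntactic rule catches one class and not the other. The block embeds four constructed snippets, two SQL-query handlers and two invoice lookups, and runs a small hypothetical AST-based rule that flags a query string built at runtime. The rule separates the vulnerable SQL handler from its parameterized fix, but the two invoice handlers give it nothing to match on: the only difference between them is an ownership check whose necessity depends on knowing that invoices belong to individual users, which is context the syntax alone does not carry.

```python
import ast
from dataclasses import dataclass

# Constructed sample code under analysis (not from any real project).
SAMPLES = {
    "sqli_vulnerable": '''
def find_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
''',
    "sqli_fixed": '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
''',
    # Both invoice handlers are syntactically ordinary lookups; only the
    # second enforces that the caller owns the record.
    "idor_vulnerable": '''
def get_invoice(db, current_user, invoice_id):
    invoice = db.invoices.get(invoice_id)
    return invoice
''',
    "idor_fixed": '''
def get_invoice(db, current_user, invoice_id):
    invoice = db.invoices.get(invoice_id)
    if invoice.owner_id != current_user.id:
        raise PermissionError("not your invoice")
    return invoice
''',
}


@dataclass
class Finding:
    rule: str
    line: int


def is_dynamic_string(node):
    """True when the expression assembles a string at runtime:
    an f-string, a % or + expression, or a .format() call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def sqli_rule(source):
    """Hypothetical pattern rule: flag <anything>.execute(<dynamic string>).
    It keys purely on syntax, which is enough for this class of bug."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and is_dynamic_string(node.args[0])):
            findings.append(Finding("sqli-dynamic-query", node.lineno))
    return findings


def scan_all():
    """Run the rule over every sample and return findings per sample name."""
    return {name: sqli_rule(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        status = ", ".join(f"{f.rule}@L{f.line}" for f in findings) or "no findings"
        print(f"{name:16s} -> {status}")
```

The vulnerable and fixed IDOR samples both come back clean, which is the expected outcome for a syntactic rule rather than a bug in it: deciding that `get_invoice` needs an ownership check requires knowing what an invoice is and who may read it.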

Semgrep Multimodal closes that gap. By pairing the Semgrep Pro engine's precise program analysis with LLM reasoning, it covers both dimensions of vulnerability detection. And as underlying models improve, so does Semgrep Multimodal's performance automatically.

Semgrep Workflows: The Framework Underneath

Semgrep Multimodal is built on Semgrep Workflows, which is now available to builders who want to go further than out-of-the-box AppSec. Workflows enables teams to encode their own security policies into automated pipelines covering detection, triage, remediation, compliance, and other AppSec work. Pre-built workflows cover common cases for the OWASP Top 10 and business logic vulnerabilities. Custom workflows are written in plain Python, can be easily extended with new tools, and are deployed at scale without building or maintaining infrastructure.

Semgrep learns as teams build, incorporating feedback from security engineers and developers to improve accuracy over time. The result: customers are starting to report something the industry has long promised but rarely delivered.

"Semgrep's rule-based engine became the most widely deployed code scanner in the world by giving teams a way to encode their own security knowledge into precise, customizable rules. Semgrep Multimodal and Workflows are the next chapter of that same bet - that the teams closest to the code are best positioned to define what security means for their organization, and that our job is to give them the engine to automate it," said Isaac Evans, CEO and Co-Founder at Semgrep.

Availability

For more information on Semgrep Multimodal, read the company’s blog post.

Semgrep Multimodal is available to try today at semgrep.dev/signup. Custom Workflows are available via private beta. Teams can join the waitlist at semgrep.dev/contact/product-join-workflows-beta/.

Semgrep at RSA

Semgrep made today’s announcement ahead of the RSA Conference 2026 (RSAC 2026). The company’s booth is #1743. To book a meeting with Semgrep, visit https://semgrep.dev/events/rsa/.

About Semgrep

Semgrep is an application security platform for scanning code for security, reliability, and other issues. Semgrep’s mission is to make it expensive to exploit software by bringing world-class security tools to engineers—software and security alike. Semgrep’s conviction is that the security process must enable rapid software development, instead of hindering it. Leading companies like Snowflake, Figma, Lyft, and Dropbox rely on Semgrep to safeguard their code. Semgrep is funded by Felicis Ventures, Lightspeed Venture Partners, Menlo Ventures, Redpoint Ventures, and Sequoia Capital.
