In the last 90 days, every major frontier AI lab has launched a cybersecurity platform. Anthropic announced Project Glasswing and Claude Mythos models to demonstrate autonomous vulnerability discovery in closed-source software. Google has shipped the Gemini CLI security extension. And this week, OpenAI launched Daybreak, a multi-layer platform built on GPT-5.5 and Codex Security, with partners like Cisco, CrowdStrike, Palo Alto Networks, and Cloudflare already integrating its capabilities.
This isn’t one vendor doing something interesting. It is a structural shift in who builds security tools and how quickly they evolve. For security leaders, the question is no longer whether AI will reshape application security. What matters is whether your program keeps pace with what already exists.
The same AI capabilities that speed up security analysis for defenders also speed it up for adversaries. That’s not a theoretical concern. It’s already creating real operational pressure.
HackerOne suspended its bug bounty program earlier this year after a spike in AI-assisted vulnerability reports that open source maintainers could not process fast enough. The term the industry has settled on is “triage fatigue”: too many results, too few people evaluating them, and too little time to fix the problems. AI didn’t create the vulnerability backlog, but it has made the backlog impossible to ignore.
At the same time, AI-assisted development tools are producing more code faster than any team could write by hand. More applications, more code, faster cycles. As a result, more attack surface enters production every day, and more capable attackers find it faster.
Most press coverage sees these platforms as the beginning of the end for traditional security testing. Economics tells a different story.
Anthropic’s own published Glasswing results show that an end-to-end scan of a single large codebase costs about $20,000 per review. For targeted bug discoveries in specific components, the cost was approximately $50 per discovery. These numbers show what AI scanning excels at: targeted, high-value analysis of complex code. They do not support replacing traditional application security testing across enterprise portfolios where hundreds of applications ship code every day.
Even Daybreak’s own partners say the quiet part out loud. Anthony Grieco, Cisco’s chief security and trust officer, told CyberScoop that the real value “is not in the model alone, but in the enterprise framework built around the model.” That’s the point. AI is a powerful component; it is not, by itself, an AppSec program.
The trusted architecture, and the emerging consensus among analysts, enterprise security architects, and now AI lab partners, is hybrid. Deterministic, rules-based scanning provides broad, fast, and reproducible coverage of your entire portfolio. AI is layered on top where it adds real leverage: triaging backlogs for false positives, generating remediation guidance, adapting quickly to new languages, and detecting vulnerability classes that require contextual inference rather than pattern matching.
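To make that hybrid split concrete, here is an added illustration that is not part of the original post and not code from Fortify, OpenText, or any lab or vendor named above. Stage one is a deterministic rule scanner run over a constructed sample repository; it emits findings with a stable fingerprint so re-scans are reproducible and dedupe against the existing backlog. Stage two is the triage layer that looks at surrounding context to rank and explain each finding. Where a production program would call a model at that step, a small contextual heuristic stands in (an assumption made for illustration); the rule names, the sanitiser and input-source lists, and every sample file are invented.

```python
"""Two-stage hybrid AppSec pipeline: deterministic rules first, contextual triage second."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample repository (path -> source). Not code from any real project.
SAMPLE_REPO = {
    "app/db.py": (
        "import sqlite3\n"
        "def lookup(conn, request):\n"
        "    user = request.args['u']\n"
        "    return conn.execute(\"SELECT * FROM users WHERE name='\" + user + \"'\")\n"
    ),
    "app/report.py": (
        "def render(conn, name):\n"
        "    query = \"SELECT * FROM reports WHERE owner='\" + escape(name) + \"'\"\n"
        "    return conn.execute(query)\n"
    ),
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "API_KEY = 'sk-test-placeholder-not-a-real-key'\n"
    ),
    "tests/test_db.py": (
        "def test_lookup(conn):\n"
        "    assert conn.execute(\"SELECT * FROM users WHERE name='\" + \"bob\" + \"'\")\n"
    ),
}

# Stage 1: deterministic pattern rules. Cheap, reproducible, run on every commit.
# Rule names are invented for this example.
RULES = {
    "SQL_CONCAT": re.compile(r"(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*['\"]\s*\+"),
    "HARDCODED_SECRET": re.compile(r"(?i)\b(api_key|password|secret)\s*=\s*['\"][^'\"]+['\"]"),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str

    @property
    def fingerprint(self) -> str:
        # Hash of rule + path + whitespace-normalised snippet. Line numbers are
        # excluded on purpose so the same finding keeps its identity when code
        # above it shifts; this is what lets re-scans dedupe against a backlog.
        normalised = " ".join(self.snippet.split())
        raw = f"{self.rule_id}|{self.path}|{normalised}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def scan(repo: dict[str, str]) -> list[Finding]:
    """Stage 1: run every rule over every line. No judgement, only matches."""
    findings = []
    for path, source in repo.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            for rule_id, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(rule_id, path, lineno, line.strip()))
    return findings


@dataclass(frozen=True)
class Triage:
    finding: Finding
    verdict: str   # "likely_true", "likely_false", or "needs_review"
    priority: int  # higher is reviewed first
    reason: str


def enclosing_function(source: str, lineno: int) -> str:
    """Return the text of the top-level function containing lineno (module scope if none)."""
    lines = source.splitlines()
    start = 0
    for i in range(lineno - 1, -1, -1):
        if lines[i].startswith("def "):
            start = i
            break
    end = len(lines)
    for i in range(start + 1, len(lines)):
        if lines[i].startswith("def "):
            end = i
            break
    return "\n".join(lines[start:end])


# Assumed names standing in for a real data-flow model's notion of sources and sanitisers.
SANITISERS = ("escape(", "quote(", "parametrize")
SOURCES = ("request.", "input(", "sys.argv")


def triage(finding: Finding, repo: dict[str, str]) -> Triage:
    """Stage 2: contextual verdict. A heuristic stands in for the model here (assumption)."""
    context = enclosing_function(repo[finding.path], finding.line)
    if finding.path.startswith("tests/"):
        return Triage(finding, "likely_false", 1, "test code, not shipped to production")
    if finding.rule_id == "SQL_CONCAT":
        if any(s in finding.snippet for s in SANITISERS):
            return Triage(finding, "needs_review", 3, "concatenation passes through a sanitiser; confirm it is SQL-safe")
        if any(s in context for s in SOURCES):
            return Triage(finding, "likely_true", 9, "user-controlled input reaches the query in the same function")
        return Triage(finding, "needs_review", 5, "concatenated SQL with no visible source or sanitiser")
    if finding.rule_id == "HARDCODED_SECRET":
        if "placeholder" in finding.snippet.lower():
            return Triage(finding, "likely_false", 2, "value is labelled as a placeholder")
        return Triage(finding, "likely_true", 8, "literal credential committed to source")
    return Triage(finding, "needs_review", 4, "no contextual rule for this finding")


def run_pipeline(repo: dict[str, str]) -> list[Triage]:
    """Deterministic scan first, then triage; results come back highest priority first."""
    results = [triage(f, repo) for f in scan(repo)]
    return sorted(results, key=lambda t: (-t.priority, t.finding.path))


if __name__ == "__main__":
    for t in run_pipeline(SAMPLE_REPO):
        f = t.finding
        print(f"[{t.priority}] {t.verdict:<12} {f.fingerprint} {f.path}:{f.line} {f.rule_id}: {t.reason}")
```

The two stages deliberately share nothing but the `Finding` record: stage one can be rerun on every commit and diffed by fingerprint, while stage two (the part that would be model-backed) only has to look at what stage one already surfaced, which is where the cost numbers quoted above make it affordable.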
But whether AI replaces traditional scanning is only one aspect of a larger change. AI is also changing what applications look like, the vulnerabilities they contain, and the way developers build them. Security leaders evaluating their programs today need to consider all of these aspects, not just the headline-grabbing tool-versus-tool debate.
3 Questions Every Security Leader Should Ask Now
- Does the AppSec program cover AI-specific risks? The applications teams are building today include large language models, AI agents, and Model Context Protocol (MCP) servers. These introduce new classes of vulnerabilities that traditional SAST was not designed to detect (prompt injection, excessive agency, data poisoning, supply chain risk for AI models). If a vendor cannot demonstrate coverage of the OWASP Top 10 for LLM Applications, that is a gap.
- Is security working where developers actually work? AI-assisted development has changed where code is written. Developers work in the IDE, AI agents work within the repository, and code generation happens continuously. Security tools that only run at the end of the pipeline miss that window. Security must be present in the IDE, in CI/CD, and in the AI coding agents themselves. Bolting it on at the end does not work.
- How long has the vendor been investing, and what is in production? This year, every AppSec vendor will claim an AI strategy. The differentiator is not what is planned but what has shipped. Ask what is in production today. Ask when development began. Ask how triage and remediation actually work at enterprise scale. Roadmaps are easy. Shipping is hard.
OpenText Fortify began building generative AI into SAST, DAST, and SCA in 2023. Before Glasswing. Before Daybreak. Before AI-powered security hit the headlines. A significant portion of our portfolio now uses AI in production.
OpenText Fortify Remediation Aviator is available on-premises, in your private cloud, and on Fortify On Demand. It uses frontier models to audit SAST findings, separate true findings from false ones, explain each finding in plain language, and provide remediation guidance with ready-to-apply code fixes. In its first eight weeks of internal use at OpenText, Aviator audited over 300,000 findings across 1,500 applications and reduced average time to triage by 70%. In a market defined by triage fatigue, that is the difference between a growing backlog and a shrinking one.
Fortify’s SAST engine covers all 10 categories in the OWASP Top 10 for LLM Applications of 2025, from prompt injection to data poisoning, across major AI frameworks and libraries. Fortify MCP Server and Fortify Agent Skills allow AI coding agents to operate in a real AppSec context, ensuring security regardless of the tools developers use. The next generation of VS Code extensions purpose-built for AI-powered development workflows ships with the 26.2 release.
Fortify also continues to enhance traditional SAST, DAST, and SCA for organizations that cannot use AI tools because of compliance, air-gap requirements, internal policies, or other reasons. AI capabilities are optional add-ons; the core product is not gated on them. That flexibility matters. Not every organization is ready to adopt AI at the same pace, and vendors who force the choice are not serving the whole market.
Conclusion
AI has not made application security obsolete. It has widened the gap between strong and weak programs and made that gap more visible. Organizations that stay ahead of the curve will treat AppSec not as a checkbox to be reviewed once a year, but as a program that evolves with the threat landscape.
Go deeper: For a complete technical breakdown of Fortify’s AI investments and hybrid architecture, see AI Didn’t Disrupt Application Security. We’re publishing the next evolution in the Fortify community.
Let’s see it in action: Learn how the next-generation Fortify VS Code extension keeps security constant with AI-assisted development: Keep application security constant with AI-assisted development
