SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Checkmarx revamps AI-era app security with new agents

Tue, 17th Mar 2026

Checkmarx has launched a redesigned version of its Checkmarx One application security platform, adding autonomous agents and new analysis tools for software teams using AI systems to generate and modify code.

The release targets what Checkmarx calls "agentic development", in which AI systems produce large volumes of code and make changes faster than traditional review cycles can keep up. The platform applies AI-driven security across source code, open-source dependencies, AI components and runtime environments.

Checkmarx One is used for application security testing and policy controls across software development workflows. The update introduces a new architecture built around agentic security agents and what Checkmarx calls "AI-native intelligence" across software and AI supply chains.

New security agents

A key addition is Triage Assist, an autonomous AI agent that prioritises vulnerabilities in source control. It ranks issues by exploitability and contextual risk rather than static severity scores, aiming to reduce time spent on low-priority findings.

Another component, Remediation Assist, generates fixes for validated vulnerabilities before code merges. The fixes are intended to be ready for code review, reducing manual work for development teams.

These tools sit alongside established security testing approaches such as static analysis, dependency scanning and dynamic testing. Checkmarx framed the shift as a move from periodic reviews to continuous oversight that can keep pace with AI-assisted development.

AI supply chain

Checkmarx also introduced AI Supply Chain Security, a governance and visibility layer for AI components embedded in applications. It can discover AI assets such as models, agents, datasets, prompts and AI bill of materials elements.

The platform also assesses model-loading and execution risks and enforces policy within existing development workflows, according to Checkmarx. The move reflects broader industry concern that AI features add dependencies and assets that fall outside conventional software component inventories.

Broader code coverage

For code scanning, Checkmarx added AI SAST, a hybrid engine that combines large-language-model analysis with query-based techniques. The tool expands detection to emerging and unsupported programming languages, as well as AI-generated code that may not match existing rules-based patterns.

For dynamic testing, it introduced DAST for AI, a next-generation engine focused on runtime analysis across CI/CD pipelines and production environments. Checkmarx said it supports various testing strategies for organisations that ship software more frequently, with AI assistance.

Market context

The launch comes as security teams reassess how to manage risk as code generation shifts from developers writing and reviewing changes to AI-assisted systems producing large volumes of updates quickly. The pressure also extends to governance: many organisations now need to track not only libraries and containers, but also models, prompts and datasets that influence application behaviour.

Checkmarx said the redesigned platform addresses these changes by covering code, dependencies, AI assets and runtime within a single governance approach.

"The AI era has fundamentally disrupted the balance between software creation and assurance," said Sandeep Johri, CEO of Checkmarx. "Code is now produced at machine speed, but successful security in this environment requires more than speed alone. It requires independent oversight, full visibility across the AI software supply chain, and unified governance that spans code, dependencies, AI assets, and runtime. Agentic application security brings those capabilities together, helping enterprises close the risk gap without slowing innovation."

The update is designed for organisations that integrate security checks into development pipelines and rely on source control systems for change management. The new triage and remediation agents focus on earlier stages of the workflow, where security teams often struggle to keep up with alert volumes and recurring findings.

A second focus is oversight of AI artefacts that ship alongside application code. Some organisations already treat models and prompts as versioned assets, but governance practices vary widely across industries and teams. Checkmarx said it provides a centralised view of these assets and policy enforcement that fits into existing workflows.

"AI has compressed the software development lifecycle from months to minutes," said Jonathan Rende, chief product officer at Checkmarx. "When applications move that fast, risk compounds just as quickly. Our redesigned agentic platform allows development organisations to innovate at machine speed while securing AI-generated applications to protect the business."

The new functions are available in Checkmarx One Enterprise Edition and as add-ons for the Essentials and Professional editions. Checkmarx plans to demonstrate the updated platform at the RSA Conference 2026.