
Aikido Code Audit

Why This Matters

The Aikido Code Audit introduces a new layer of security analysis that bridges the gap between static analysis and penetration testing by reasoning through static codebases to identify complex, multi-step vulnerabilities before deployment. As attacker capabilities evolve with advanced models, this tool empowers developers to proactively detect and fix security flaws, enhancing overall software security. Its approach is especially crucial for identifying logic-based flaws that traditional static analysis tools often miss, helping the industry stay ahead of increasingly sophisticated threats.

Key Takeaways

TL;DR: Aikido Code Audit fills the gap between SAST and pentesting by reasoning through your static codebases to surface multi-step, intent-dependent vulnerabilities before they ship.

Last week Anthropic released Claude Fable 5, a public version of their Mythos-class model, which was able to discover and chain zero-day exploits. Fable 5 ships with guardrails that block cybersecurity queries and fall back to a more limited model, so the public version doesn't run those attacks for you.

At least that was the idea.

But it appears one or more organizations have successfully jailbroken Fable 5, causing Anthropic to withdraw the model under pressure from the US government. The thing is, you can't put the genie back in the bottle. Whether through jailbreaks or open source, attackers will gain access to increasingly capable models.

The direction is set. The skill and time it took to find and chain flaws across an application is collapsing into something an agent does without hours or days of human effort. This is particularly true for logic-based flaws not covered by existing static code analysis engines. These classes of flaws don't follow predictable patterns, so static analysis has nothing to match against.

But defenders can stay ahead using the same agentic models by analyzing and catching security flaws in their codebases before they make it to production. And that's why we built Aikido Code Audit.

What Code Audit actually does

Code Audit is not a replacement for your SAST engine, which is great at finding rules-based security vulnerabilities as you develop. It's also not a replacement for pentests. It sits between the two, working on your static code, with pentest-grade reasoning.
