Skip to content
Tech News
← Back to articles

Deepsec

read original more articles
Why This Matters

Deepsec is an advanced, agent-powered vulnerability scanner that enables organizations to perform thorough, on-demand security reviews of large codebases within their own infrastructure. Its ability to surface long-standing, hard-to-find issues helps companies quickly identify and patch vulnerabilities, ultimately enhancing software security and reducing risk.

Key Takeaways

deepsec

deepsec an agent-powered vulnerability scanner that you can run in your own infrastructure, optimized to perform on-demand review of all code in existing large-scale repos.

deepsec is designed to surface hard-to-find issues that have been lurking in applications for a long time. It is configured to use the best models at maximum thinking levels (tunable via --thinking-level , see docs/models.md), meaning scans can cost thousands or even tens-of-thousands of dollars for large codebases. Our customers have found the cost worth it for how quickly they were able to patch vulnerabilities that would have otherwise gone unfixed.

For large codebases, work fans out across worker machines in parallel. If a run is interrupted or errors out partway through, just re-run the same command — deepsec picks up where it left off, skipping files it already analyzed and only investigating the rest.

Get started

Navigate to the root of the repository that you want to scan, then:

npx deepsec init # creates .deepsec/ with this repo as the first project cd .deepsec pnpm install # installs deepsec from npm # Proceed as instructed by `init` output

Now have your coding agent bootstrap your installation. Open the agent of choice and prompt:

Read .deepsec/node_modules/deepsec/SKILL.md to understand the tool. Then read .deepsec/data/<id>/SETUP.md and follow it: skim this repo's README, any AGENTS.md/CLAUDE.md, and a handful of representative code files, then replace each section of .deepsec/data/<id>/INFO.md . Keep it SHORT — target 50–100 lines total. Pick 3–5 examples per section, not exhaustive enumeration. Name primitives (auth helpers, middleware) but no line numbers. Skip generic CWE categories — built-in matchers cover those. Cover only what's project-specific. INFO.md is injected into every scan batch; verbose context dilutes signal.

Then scan from inside .deepsec/ :

... continue reading