Software Engineering Course [22AIE311]

SecureCodeAI

Neuro-Symbolic Framework for Autonomous Vulnerability Detection

Team: Ctrl+Alt+Create

Ansh Raj Rath — CB.SC.U4AIE23006
Aditya Krishna Samant — CB.SC.U4AIE23012
Keerthivasan S V — CB.SC.U4AIE23037
Krish S — CB.SC.U4AIE23040
Tamarana Rohith Balaji — CB.SC.U4AIE23069

Software Engineering Review • January 2026

Production-ready API • Docker & RunPod deployment • VS Code Extension

The Research Gap

1. The SAST Flood (Low Precision)

Traditional tools (Bandit, SonarQube) prioritize recall over precision. They lack semantic understanding, flooding developers with >40% false positives and causing "alert fatigue."

2. The LLM Hallucination

Purely generative models offer strong semantic understanding but no logical guarantees. They often invent bugs that don't exist or suggest "fixes" that introduce new vulnerabilities.

3. The Missing "Filter"

No existing system effectively acts as a filter between intuition and fact. The industry lacks a tool that uses AI to find bugs and Math to prove them.

4. Manual Triage Bottleneck

Fixing a bug in production costs ~100x more than in development. Current workflows rely on expensive human experts to verify every automated alert.

Research Objective

Core Problem Statement

Develop a neuro-symbolic framework combining LLM reasoning with formal verification:

  • Reduced False Positives: Semantic understanding to filter noise
  • Scalable Symbolic Execution: LLM-guided slicing to mitigate path explosion
  • Automated Remediation: Self-correcting patch generation with verification

Key Innovation

Neuro-Slicing: First system to combine LLM-guided program slicing with SMT-based symbolic execution, reducing verification time by 50-80% while maintaining mathematical proof guarantees.

Literature Review

| Study & Year | Core Idea | Strength | Limitation |
| --- | --- | --- | --- |
| Zhang et al. (2024) | Systematic literature review of LLM use in Automated Program Repair (2020–2024). | Taxonomizes prompting, retrieval-augmented, and fine-tuning APR strategies. | Identifies need for symbolic verification to prevent hallucinated security patches. |
| LLM & Code Security SLR (2024) | Systematic review of LLMs for vulnerability detection and remediation. | Benchmarks detection/repair quality across PySecDB, CyberSecEval, SWE-bench. | Finds persistent false positives and unverifiable patches without semantic verification. |
| Neuro-Symbolic AI Survey (2024) | Maps hybrid reasoning stacks combining neural intuition and symbolic proof. | Highlights verification loops, contract synthesis, and explainability gains. | Notes execution bottlenecks without targeted slicing or solver guidance. |
| De-Fitero-Dominguez et al. (2024) | Empirical study on LLM-guided vulnerability repair workflows. | Shows improved precision using iterative prompts and risk scoring. | Still struggles to guarantee correctness without external verification. |
SecureCodeAI System Architecture

Full Stack Overview: Client Layer → Gateway → Agent Swarm → AI Inference

Performance Benchmarks

SecureCodeAI Performance Benchmarks

Achieves 1.2 req/s throughput with p50 latency of 1.8s and 97% success rate—exceeding production targets.

Deployment Footprint

SecureCodeAI Resource Requirements

Scales from 8GB dev environments to serverless GPU clusters (RunPod/Docker) with zero refactoring.

Methodology

01

Scanner Agent

The Detective

AST Parsing
Bandit SAST Scan
LLM Hypothesis
→ Vulnerability Candidates
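The Scanner's AST pass can be sketched in a few lines. This is a simplified stand-in (the real agent layers Bandit findings and an LLM hypothesis step on top); `find_candidates` and the sink list are illustrative names, not the project's actual API:

```python
import ast

# Hypothetical simplification of the Scanner Agent's AST pass:
# flag calls to known-dangerous sinks as vulnerability candidates.
DANGEROUS_CALLS = {"eval", "exec", "system"}

def find_candidates(source: str) -> list[tuple[int, str]]:
    """Return (line, call-name) pairs for suspicious call sites."""
    candidates = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in DANGEROUS_CALLS:
                candidates.append((node.lineno, name))
    return candidates

snippet = "import os\nos.system('ls ' + user_input)\nresult = eval(expr)\n"
print(find_candidates(snippet))  # → [(2, 'system'), (3, 'eval')]
```

Each candidate then flows to the Speculator for contract synthesis rather than being reported directly, which is where the false-positive filtering begins.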
02

Speculator Agent

The Lawyer

Contract Synthesis
icontract Decorators
Spec Validation
→ Formal Contracts
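The kind of contract the Speculator emits can be illustrated with a precondition decorator. The project uses the icontract library's `@require`/`@ensure` decorators; the minimal `require` below is a stdlib stand-in written only to make the sketch self-contained:

```python
import functools

# Minimal stand-in for icontract's @require decorator (illustration only;
# the real project uses the icontract library itself).
def require(predicate, description=""):
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if not predicate(*args, **kwargs):
                raise ValueError(f"precondition violated: {description}")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

# A contract the Speculator might synthesize for a naive query builder:
# user-supplied input must not contain SQL metacharacters.
@require(lambda username: "'" not in username and ";" not in username,
         "username must not contain SQL metacharacters")
def build_query(username: str) -> str:
    return f"SELECT * FROM users WHERE name = '{username}'"

print(build_query("alice"))  # passes the contract
# build_query("a'; DROP TABLE users;--")  # would raise ValueError
```

The contract makes the safety property explicit and machine-checkable, which is exactly what the SymBot stage needs as input.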
03

SymBot Agent

The Judge

CrossHair Engine
Symbolic Execution
Z3 SMT Solver
→ Counterexample / Proof
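Conceptually, SymBot searches for an input that violates a contract and returns it as a concrete witness. Real symbolic execution (CrossHair over Z3) reasons about path constraints rather than enumerating inputs; the brute-force search below is only a conceptual stand-in, with hypothetical function names:

```python
from itertools import product

# Buggy "sanitizer" under test: strips quotes but forgets semicolons.
def sanitized(s: str) -> str:
    return s.replace("'", "")

# Postcondition the Speculator attached to the sanitizer.
def contract_holds(s: str) -> bool:
    out = sanitized(s)
    return "'" not in out and ";" not in out

# Stand-in for CrossHair/Z3: find a concrete input violating the contract.
# (The real engine solves path constraints symbolically instead of enumerating.)
def find_counterexample(alphabet, max_len=2):
    for n in range(1, max_len + 1):
        for chars in product(alphabet, repeat=n):
            candidate = "".join(chars)
            if not contract_holds(candidate):
                return candidate  # concrete witness of the bug
    return None

print(find_counterexample("a';"))  # → ";"
```

If no counterexample exists within the solver's theory, the result is a proof; otherwise the witness input is handed to the Patcher as a failing test case.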
04

Patcher Agent

The Surgeon

Patch Generation
Self-Correction Loop
Re-verification
→ Verified Patch (max 3 iterations)
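The self-correction loop above can be sketched as follows. `propose_patch` and `verify` are hypothetical stubs standing in for the LLM call and the CrossHair/Z3 re-verification step; only the loop structure (retry until verified, cap at 3 iterations) reflects the pipeline described here:

```python
# Hedged sketch of the Patcher Agent's self-correction loop.
def propose_patch(code: str, attempt: int) -> str:
    # Stand-in for the LLM: simulated outputs, third attempt succeeds.
    fixes = ["--broken--", "--broken--", "--fixed--"]
    return fixes[attempt]

def verify(patch: str) -> bool:
    # Stand-in for symbolic re-verification of the patched code.
    return patch == "--fixed--"

def self_correct(code: str, max_iterations: int = 3):
    for attempt in range(max_iterations):
        patch = propose_patch(code, attempt)
        if verify(patch):
            return patch  # verified patch
    return None  # escalate to human review after max_iterations failures

print(self_correct("vulnerable_code()"))  # → --fixed--
```

Capping the loop bounds both cost and latency: a patch that cannot be verified within three attempts is escalated rather than shipped unproven.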

Technology Stack

LLM Inference Layer

Cloud: Gemini 2.5 Flash
Local: DeepSeek-Coder-V2

Symbolic Execution

Engine: CrossHair
SMT Solver: Z3 Theorem Prover

Static Analysis

SAST: Bandit
Parser: Python AST

Orchestration

Flow: LangGraph State Machine
API: FastAPI + Uvicorn

Supported Vulnerability Classes

SQL Injection • Command Injection • Path Traversal • XSS • Hardcoded Credentials • Insecure Deserialization • SSRF
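As a concrete instance of the first class, here is an illustrative (not project-specific) SQL injection and its parameterized fix, using only the standard library:

```python
import sqlite3

# Illustrative example: SQL injection via string concatenation vs. the
# parameterized fix. Uses an in-memory SQLite database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT)")
conn.execute("INSERT INTO users VALUES ('alice')")

user_input = "x' OR '1'='1"

# Vulnerable: attacker-controlled input is spliced into the SQL text.
vulnerable = conn.execute(
    f"SELECT name FROM users WHERE name = '{user_input}'").fetchall()

# Fixed: placeholder binding keeps the input as data, never as SQL.
fixed = conn.execute(
    "SELECT name FROM users WHERE name = ?", (user_input,)).fetchall()

print(vulnerable)  # → [('alice',)] -- the OR '1'='1' clause matched every row
print(fixed)       # → [] -- no user is literally named "x' OR '1'='1"
```

The verified-patch goal for this class is precisely the second form: a query where user input can never change the SQL's structure.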

Primary Innovation: Neuro-Slicing

The Path Explosion Problem

$$ \text{Paths} = 2^n, \quad n = \text{number of branches} $$

A typical 1000-line file with 50 conditional branches generates $2^{50}$ (≈$10^{15}$) paths, making exhaustive execution infeasible.
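The exponential blow-up is easy to see numerically:

```python
# Path count grows as 2**n with the number of independent branches.
for n in (10, 20, 50):
    print(f"{n} branches -> {2**n:,} paths")
# 10 branches -> 1,024 paths
# 20 branches -> 1,048,576 paths
# 50 branches -> 1,125,899,906,842,624 paths
```

Even at millions of paths per second, the 50-branch case would take decades to enumerate, which is why slicing the program down to the relevant branches matters more than raw solver speed.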

Neuro-Slicing Algorithm

1 AST Parse → Vulnerable Function
2 Taint Analysis → User Variables
3 Backward Slicing → Dependencies
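The backward-slicing step can be sketched with a deliberately simplified slicer over top-level assignments. This is a hypothetical illustration: the real Neuro-Slicing pipeline adds taint analysis and LLM guidance, and handles full control flow, not just straight-line assignments:

```python
import ast

# Simplified backward slicer: starting from a target variable, keep only
# the assignments its value (transitively) depends on.
def backward_slice(source: str, target: str) -> list[int]:
    """Line numbers of top-level assignments the target depends on."""
    tree = ast.parse(source)
    relevant = {target}
    kept = []
    for stmt in reversed(tree.body):  # scan statements bottom-up
        if not isinstance(stmt, ast.Assign):
            continue
        defined = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        if defined & relevant:
            kept.append(stmt.lineno)
            used = {n.id for n in ast.walk(stmt.value) if isinstance(n, ast.Name)}
            relevant = (relevant - defined) | used
    return sorted(kept)

code = "a = input()\nb = a + '!'\nc = 42\nquery = b\n"
print(backward_slice(code, "query"))  # → [1, 2, 4]
```

Line 3 (`c = 42`) is dropped because `query` never depends on it; on real files this pruning is what shrinks 500-line functions to the ~50 lines the solver actually needs.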

Performance Impact

| Metric | Without Slicing | With Slicing | Improvement |
| --- | --- | --- | --- |
| Code Size | 500 lines | 50 lines | 90% less |
| Exec Time | 45 s | 1.8 s | 96% faster |

VS Code Extension

SecureCodeAI VS Code Extension

Real-time vulnerability detection in the IDE—inline diagnostics, one-click patches, and workspace scanning.

Live Demo

Business Impact & Market

Market Opportunity

$22.54B

Global Application Security market by 2028. DevSecOps shift drives demand for automated, high-precision vulnerability detection.

ROI Advantage

100x

Production bug fixes cost 100× more than development-phase fixes. SecureCodeAI catches vulnerabilities in the IDE before deployment.

Competitive Edge

Near-Zero FP

Traditional SAST tools flood teams with >40% false positives. Our neuro-symbolic approach provides mathematical proof—no alert fatigue.

Target Segments

  • DevSecOps teams automating triage workflows
  • SMBs lacking dedicated security staff
  • CI/CD pipelines requiring verified exploit blocking