
Introducing Maze Code: Code Security You Can Finally Trust

Maze Code UI showing AI agents tracing a vulnerability's exploit path from the internet to remote code execution.

AI is supposed to be reinventing application security. So far, we’ve seen more hype than impact.

Today we’re launching Maze Code, code security you can finally trust.

Maze Code uses AI agents to investigate every vulnerability in your dependencies (AI-SCA) and the code your team writes (AI-SAST). Our agents reason over your code, cloud, compensating controls, and business context to prove which findings are exploitable in your environment. If one is exploitable, our agents trace its root cause and find a fix. Then they ship that verified fix directly to the developer or coding agent responsible.

We built Maze Code to solve the problems application security is facing now. Two things are happening at once:

  • Frontier models like Mythos give attackers the power to find and exploit flaws at unprecedented speed.
  • Coding agents mean your teams ship more code, faster, with less review.

Risk goes up on the outside, and the attack surface grows on the inside.

The old approach to code security just doesn’t work anymore. That’s why we built Maze Code. Together with Maze Cloud, we’ve built the first security platform using agents across your code and cloud environments at once. They investigate every vulnerability, figure out what matters, and automate remediation.

More than “AI-powered”

Every security product says it uses AI now. But AI is as unpredictable as it is powerful, and running agents at scale is expensive. That’s why so many AI security tools look great in a demo and fall apart in production. You can’t just bolt agents onto a legacy product, and building them yourself is harder than it looks. We rethought what a security platform should be in an AI world, and built one designed to train agents on specific security tasks. That’s what’s allowed us to deliver extremely high accuracy and great cost efficiency at scale.

We’ve spent two years building the infrastructure for our agents to gather information, with a focus on making reliable agents in Maze Cloud. Our agents are trained on millions of real investigations and evaluated against verified truth every day. 

Maze Code builds on the same foundation, and that is why you can trust its agents.

Deeper, more accurate investigations

Most tools stop at reachability. Maze’s investigations go deeper. Maze treats reachability as the first qualifying signal, then weighs how the code is configured and what controls surround it to prove what’s exploitable in your environment. Is the vulnerable function included in your build? Is it used in your runtime?

Our agents reason over evidence like your best security engineer. We model your environment so our agents always have the right context, and they run on custom-built infrastructure that continuously validates their work. Errors get caught before they compound, delivering results that can be trusted.

Expert agents, affordable at scale

We’re constantly training our agents through layers of automated and human review, first for accuracy, then for efficiency. They learn to run the kind of deep, multi-step investigation that would take a security engineer hours, reasoning through every step and working as a team.

If you’ve ever used a frontier AI model, you’ve probably hit a usage limit or run up a surprisingly high bill. A lot of our work goes into teaching our agents when to reach for an expensive AI model and when to rely on cost-efficient techniques, so every investigation stays accurate and affordable while running at scale.

Unified code and cloud context

When you use Maze Code and Cloud together, we gather the full picture of your environment. Every finding draws on the same model of your business and environment, so a finding in one informs the rest, and if a vulnerability is exploitable, we create one unified ticket with targeted fix options for your environment. For example, if a vulnerable function sits in your code, Maze uses cloud context to see how it actually runs and evaluates the real risk it carries, not just its severity in theory.

The moment you connect Maze, we start ingesting your code, your cloud, your scanner findings, and any runbooks you want to share, and we keep that model live in the background. By the time a new vulnerability lands, we have the context to reason about it instead of assembling it from raw data each time.

Maze uses AI agents with full context, which is why it delivers some of the most meaningful findings and fixes I’ve seen.

James Berthoty, Founder & Analyst at Latio

How it works

Maze investigates vulnerabilities in your dependencies and your code using the same engine. Bring your own scanners and it ingests their findings, or use it as the scanner itself.

Dependencies

Maze’s AI-SCA investigates vulnerabilities in your dependencies using AI-built call graphs that map every possible connection. From there our agents go where rules-based scanners can’t. They trace reachability even through the dynamic calls a parser gives up on, piecing together a path others miss. And reachability is just one of our tools. Maze weighs it against build and runtime context to prove what’s genuinely exploitable, which is how it separates real risk from noise. 

The same CVE often shows up across multiple scanners and assets, so Maze deduplicates it across code, image, and cloud into a single investigation instead of a separate ticket from each source.

Your own code

Maze’s AI-SAST is a combination of two products. The first validates the findings from your existing SAST so only true positives reach your team. The second runs its own deep analysis to surface the business logic vulnerabilities other tools miss.

Maze’s AI-SAST combines static rules with AI analysis that reads the code’s structure and data flow. Because it understands what your code does rather than just matching known patterns, it surfaces novel vulnerabilities and business logic flaws that pattern-based scanners can’t. Our agents trace how untrusted input reaches a vulnerable call site to catch issues like SQL injection, XSS, path traversal, hardcoded credentials, and bug classes static rules miss.

This SAST finding is exactly the kind of finding that we were hoping to get from a pentest. So very much kudos to you. This is awesome.

Nathan Cooke, Engineering Manager, Product Security at Alloy

A new investigation workflow

Before sending an alert, our agents build an investigation plan for each finding. They apply human-like reasoning to every vulnerability. To establish what has to be true for the vulnerability to be exploitable in your environment, they pull signals from three domains.

In your codebase (your own code and its dependencies), our agents build a call graph and reason over each vulnerability to determine if it’s dangerous in practice, not just on paper. This includes tracing whether any path connects an entry point to the vulnerable function, examining the configuration, and finding out if an attacker can control the input reaching the vulnerable function.

In your build (how your code gets packaged to ship), they work out whether the vulnerable package even survives the build or gets stripped before the final artifact ships. Our agents trace the full transitive chain to see how it got there. They inspect the base image it came from.

In your cloud (when you run Maze Cloud), our agents determine if the asset is exposed, examine the OS and runtime underneath it, and identify where it sits and how critical it is.
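The three-domain investigation above, the call-graph reachability that the AI-SCA section describes, the untrusted-input-to-sink tracing from the AI-SAST section, and the deduplication of one CVE across scanner sources can all be sketched in a single toy triage routine. The code below is an added illustration written for this page, not Maze’s own code or a description of its internals; the call graph, entry points, package names, base image, and the placeholder CVE id are all constructed, and the three-way verdict ("exploitable", "not_exploitable", "needs_review") is an assumed design that mirrors the rule that a finding is only closed with definitive evidence.

```python
from collections import deque
from dataclasses import dataclass

# Constructed call graph, caller -> callees. The parse_query -> unsafe_deserialize
# edge stands in for a dynamically dispatched call a rules-based parser would miss.
CALL_GRAPH = {
    "http_handler": ["parse_query", "render"],
    "parse_query": ["unsafe_deserialize"],
    "render": ["escape"],
    "cron_job": ["rotate_logs"],
    "rotate_logs": ["unsafe_deserialize"],
    "unsafe_deserialize": [],
    "escape": [],
}
# Entry points, mapped to whether the input they receive is attacker-controlled.
ENTRY_POINTS = {"http_handler": True, "cron_job": False}

def find_path(graph, start, target):
    """Breadth-first search; returns the shortest call chain start..target, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for callee in graph.get(node, []):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None

@dataclass
class BuildInfo:
    package: str
    in_final_artifact: bool   # survives the build, or stripped before the artifact ships?
    transitive_chain: list    # how the package got into the dependency tree
    base_image: str

def investigate(vuln_fn, graph, entries, build, internet_exposed=None):
    """Combine code, build and cloud signals into (status, evidence). "not_exploitable"
    needs a signal that rules exploitation out; unknown exposure yields "needs_review"."""
    ev = []
    chain = " <- ".join(build.transitive_chain)
    if not build.in_final_artifact:
        ev.append(f"{build.package} ({chain}) is stripped before the artifact ships")
        return "not_exploitable", ev
    ev.append(f"{build.package} ({chain}) ships in the artifact built on {build.base_image}")
    tainted = False
    for entry, attacker_controlled in entries.items():
        path = find_path(graph, entry, vuln_fn)
        if path is None:
            ev.append(f"no call path from {entry} to {vuln_fn}")
        elif not attacker_controlled:
            ev.append(f"{' -> '.join(path)} is reachable, but its input is not attacker-controlled")
        else:
            ev.append(f"attacker-controlled input flows {' -> '.join(path)}")
            tainted = True
    if not tainted:
        return "not_exploitable", ev
    if internet_exposed is None:
        ev.append("no cloud context: exposure of the asset is unknown")
        return "needs_review", ev
    if not internet_exposed:
        ev.append("asset is not internet-exposed; exploitation needs an internal foothold")
        return "needs_review", ev
    ev.append("asset is internet-exposed")
    return "exploitable", ev

def dedupe_findings(findings):
    """Fold one CVE reported by several scanners and assets into a single investigation."""
    merged = {}
    for f in findings:
        inv = merged.setdefault((f["cve"], f["package"], f["version"]),
                                {"sources": set(), "assets": set()})
        inv["sources"].add(f["source"])
        inv["assets"].add(f["asset"])
    return merged

# Constructed sample input: one CVE (placeholder id) reported by three scanners.
FINDINGS = [
    {"cve": "CVE-0000-00000", "package": "example-lib", "version": "1.2.0",
     "source": src, "asset": asset}
    for src, asset in [("sca", "repo:api"), ("image", "image:api:42"), ("cloud", "vm:api-1")]
]
BUILD = BuildInfo("example-lib", True, ["example-lib", "web-framework", "api"], "base-image:1.0")

if __name__ == "__main__":
    for key, inv in dedupe_findings(FINDINGS).items():
        print(key, "reported by", sorted(inv["sources"]))
    status, evidence = investigate("unsafe_deserialize", CALL_GRAPH, ENTRY_POINTS, BUILD, True)
    print(status, *evidence, sep="\n - ")
```

Run as a script it folds the three findings into one investigation and returns "exploitable" for `unsafe_deserialize`, because the package ships, an attacker-controlled path exists from `http_handler`, and the asset is exposed; the evidence list records every signal, including the `cron_job` path that was reachable but not attacker-controlled. Change `in_final_artifact` to `False` and the verdict flips to "not_exploitable" with the stripping recorded as proof; drop the cloud argument and it becomes "needs_review" rather than a guess.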

If a vulnerability is exploitable, Maze doesn’t stop at flagging it. It runs remediation analysis tailored to exactly what the investigation found. The fix can appear as a pull request in your CI/CD pipeline that blocks a merge on a confirmed critical or high. It can surface in real time inside your coding agent, such as Claude, Cursor, or Windsurf, or arrive as a ticket to the developer who owns the vulnerable function. In many cases, several vulnerabilities share a root cause, so Maze closes them all with a single fix instead of multiple tickets.

If our agents determine a vulnerability is not exploitable, we close it before the alert ever reaches your team. Whether exploitable or not, every verdict comes with the technical evidence behind it to support the decision.

Our agents are trained to never guess at the answer, and to only label a vulnerability as not exploitable if they can provide definitive proof.

Every finding, one platform

Every tool in this category says it tells you what matters, the most overused promise in security. The previous generation can’t deliver it, because static rules match what they’ve seen before rather than investigating what’s at risk.

Maze reasons through every finding the way a security engineer would, across code and cloud, on one engine. We have already found CVEs in open-source projects and surfaced vulnerabilities like MFA bypass and cross-tenant data access in customers’ environments.

See Maze Code for yourself

Maze Code stands on its own, and gets sharper the moment you add Maze Cloud. We started with getting cloud vulnerabilities under control. Now the same agents secure your code. 

Book a demo here.