Devin Review just got a significant upgrade: every pull request you open now automatically receives a full security review. Not a linter pass, not a dependency CVE check -- a deep, reasoning-level analysis of how your code actually behaves at runtime. Cognition is betting that as AI agents write more code faster, the security review layer needs to keep pace, and static pattern-matching tools simply cannot.

The timing is deliberate. AI coding assistants have accelerated output, but security review still leans on deterministic scanners that miss important classes of flaws, and industry reports tracking vulnerabilities in AI-authored code suggest that faster generation often produces less safe software. Devin is now trying to be both the agent that writes the code and the one that catches what it missed.

What pattern-matching scanners miss by design

Traditional SAST tools (Static Application Security Testing -- tools that analyze source code without running it) work by matching code against known vulnerability signatures and, in the better ones, tracing tainted data from a source to a sink. They are fast and reliable for obvious injection patterns; catching known CVEs in dependencies is the job of their sibling, SCA (Software Composition Analysis). What neither does is reason about what a value means in context: a scanner can see that a password field is being written, but not that the session performing the write should never have been allowed to exist. Bugs that live in authorization semantics and business logic rather than in the shape of the code are invisible to them by construction.

Devin reads your codebase and reasons across the full repository, understanding your auth model, business logic, and service interactions to catch what pattern-matching misses by design. The canonical example Cognition gives: a password-change endpoint that looks perfectly valid in isolation, but allows a full account takeover because a missing token quietly creates a guest session that reaches the handler. A signature-based scanner cannot catch that, because nothing in the handler itself is wrong; the flaw only appears when the request path is traced through the auth layer.
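To make the example concrete, here is an added reconstruction of that bug pattern in plain Python. It is not Cognition's or Devin's code, and the names, roles and data are constructed: a middleware that falls back to a guest session when no token is present, a handler whose authorization check reads correctly for the roles it was written against, and a hardened handler that denies by default.

```python
"""Added example (not Cognition's or Devin's code): a reconstruction of the
password-change bug described above. Each function looks reasonable on its
own; the account takeover only appears when the request path is traced from
the auth layer into the handler. All names, roles and data are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user_id: Optional[str]  # None for anonymous visitors
    role: str               # "user", "staff", or the auth layer's "guest"


def hash_pw(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_pw(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_pw(password, salt)[16:], digest)


def fresh_db() -> dict:
    """Constructed in-memory state: one ordinary user and her bearer token."""
    return {
        "users": {"alice": {"pw": hash_pw("correct horse"), "role": "user"}},
        "tokens": {"tok-alice": "alice"},
    }


# --- auth layer (hypothetical middleware) -----------------------------------
def authenticate(db: dict, headers: dict) -> Session:
    token = headers.get("Authorization")
    if token is None:
        # Convenience fallback so anonymous visitors can reach public pages.
        # Consequence: a *missing* token never raises and never yields None,
        # which the handler below implicitly relies on.
        return Session(user_id=None, role="guest")
    user_id = db["tokens"].get(token)
    if user_id is None:
        raise PermissionError("invalid token")
    return Session(user_id, db["users"][user_id]["role"])


# --- vulnerable handler -----------------------------------------------------
def change_password_vulnerable(db: dict, headers: dict, body: dict) -> str:
    session = authenticate(db, headers)
    target = body["username"]
    # Reads correctly if the only roles are "user" and "staff": ordinary users
    # may change only their own password, staff may change anyone's. The
    # "guest" role created by authenticate() is neither, so it sails through.
    if session.role == "user" and session.user_id != target:
        raise PermissionError("cannot change another account's password")
    db["users"][target]["pw"] = hash_pw(body["new_password"])
    return "password changed"


# --- hardened handler -------------------------------------------------------
def change_password_hardened(db: dict, headers: dict, body: dict) -> str:
    session = authenticate(db, headers)
    # 1. Deny by default: require an authenticated principal, not "a session".
    if session.user_id is None:
        raise PermissionError("authentication required")
    target = body["username"]
    # 2. Allowlist who may proceed instead of denylisting one role.
    if not (session.user_id == target or session.role == "staff"):
        raise PermissionError("cannot change another account's password")
    # 3. Self-service changes re-prove the current password, so a stolen
    #    session alone is not enough to lock the owner out.
    if session.role != "staff" and not verify_pw(
        body.get("current_password", ""), db["users"][target]["pw"]
    ):
        raise PermissionError("current password incorrect")
    db["users"][target]["pw"] = hash_pw(body["new_password"])
    return "password changed"


def takeover_succeeds(handler) -> bool:
    """Send a token-less request targeting alice and report whether the
    attacker's chosen password now verifies for her account."""
    db = fresh_db()
    try:
        handler(db, {}, {"username": "alice", "new_password": "pwned"})
    except PermissionError:
        return False
    return verify_pw("pwned", db["users"]["alice"]["pw"])


if __name__ == "__main__":
    print("vulnerable handler, no token:", takeover_succeeds(change_password_vulnerable))
    print("hardened handler, no token:  ", takeover_succeeds(change_password_hardened))
```

The point of the reconstruction is that neither `authenticate()` nor `change_password_vulnerable()` contains a pattern a signature scanner would flag; the takeover exists only in the combination of the guest fallback and a role check written against a role set that no longer matches what the auth layer can produce. Both fixes in the hardened version are about principal identity, not data flow, which is why they have to come from reasoning about the auth model rather than from matching code shapes.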

Alpha Signal
