Security tooling has a dirty secret: most scanners are built for a world where humans write code at human speed. Devin Security Swarm arrives at a moment where AI agents generate code faster than security teams were ever designed to review, with monthly security findings climbing from roughly 1,000 to more than 10,000 in six months, driven in part by the 42% of code that is now AI-generated or AI-assisted. The old tools are not keeping up, and Cognition is betting that the answer is to fight agents with agents.

Cognition, the AI lab behind the software engineering agent Devin, has announced Devin Security Swarm, designed to help security teams find exploitable vulnerabilities, validate them at runtime, and fix them at a lower cost than the next most accurate alternative. The product is available to enterprise customers starting today.

The problem with scanning large codebases

Most security tools face a fundamental tension: coverage versus depth. Pattern-matching scanners like Semgrep or CodeQL are fast and deterministic, but they operate on syntax. AI-based security tools are not incremental improvements to existing tools -- they represent something fundamentally different: AI that reasons about code rather than matching patterns against it. The gap left by syntax-level matching is especially painful for business logic flaws, chained authentication bypasses, and cross-service exploit paths that only reveal themselves when you understand how the whole application actually works.

The deeper problem is that pointing a single AI agent at a large codebase is expensive and unreliable. A single search-driven agent pointed at a 50,000-file repo spends most of its budget finding the work rather than doing it -- grepping, opening the wrong files, backtracking, and re-deciding what to inspect next. Context becomes a shared bottleneck, and there is no explicit coverage boundary: the agent stops when it decides it is done, not when a finite work queue has been exhausted.

Agentic MapReduce: the architecture behind the swarm

Cognition borrowed a two-decade-old idea from distributed systems -- MapReduce -- and adapted it for agents. The result is a four-stage pipeline that separates the expensive reasoning work from the cheap deterministic work, running them in the right order.
