Security bugs are sneaky. They rarely announce themselves as architectural disasters -- they hide in a missing auth check, a user-controlled string that crosses a trust boundary, or a token that quietly ends up in a log file. The most dangerous security bugs often look like ordinary code review details: a missing authorization check, a user-controlled string crossing a trust boundary, or a token logged where it should never appear. Factory's AI coding agent, Droid, just got a dedicated layer to catch exactly these issues before they ship.
Security baked into every PR, automatically
On every non-draft PR, Droid now runs a STRIDE-based security review alongside the standard code review. Findings come back with severity, a CWE reference (a standardized identifier for vulnerability classes), an explanation, and a suggested fix, posted as inline comments directly on the diff.
STRIDE is a threat modeling framework developed at Microsoft that categorizes threats into six buckets: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It gives the scanner a structured lens for thinking about what an attacker could actually do with a piece of code, rather than just pattern-matching on known bad patterns.
Droid runs a security-focused review using STRIDE methodology along with OWASP Top 10 and OWASP LLM Top 10 checks. The OWASP LLM Top 10 coverage is particularly notable -- it means the scanner is aware of AI-specific attack surfaces like prompt injection and insecure output handling, which most traditional static analysis tools completely miss.
Don't miss what's next in AI
Join 300,000+ engineers and researchers who get the signal, not the noise.
- Full access to in-depth AI research breakdowns
- Be the first to know what's trending before it hits mainstream
- Daily curated papers, repos, and industry moves