Offensive cybersecurity firm Theori Inc. today announced the commercial availability of Xint Code, a new large language model-native static application security testing or SAST tool capable of analyzing millions of lines of source code, configuration files and binaries in less than 12 hours.

The new offering takes a unique approach to deep scanning and contextual analysis of massive codebases to help application security teams quickly identify, reproduce, validate and understand the real-world critical vulnerabilities in applications.

Xint Code uses LLMs combined with a orchestration engine to scan and analyze each line of code from a context and business logic perspective to dramatically reduce false positives and help defenders quickly prioritize the vulnerabilities that matter.

Attackers are increasingly using artificial intelligence to surface critical vulnerabilities, resulting in security teams strugglingly to stay one step ahead. Also, traditional SAST solutions may be able to find known software vulnerabilities but also produce a high rate of false positives and trivial findings. Human penetration testing, though able to find more subtle business context vulnerabilities, can’t do so at large scale. Additionally, emerging AI coding assistants have context and attention window limits that prevent them from scanning entire codebases and prioritizing their results.

Xint Code claims to solve these issues by offering human-level insight at machine-level speed and scale.

“Critical vulnerabilities often stay hidden because traditional scanners miss business logic flaws and manual reviews can’t scale across hundreds of millions of lines of code,” said Chief Technology Officer Andrew Wesie. “But LLMs are changing this. What would take pentesters weeks or months to find — if they know what to look for — Xint Code surfaces in hours. And it doesn’t just flag potential issues; it tells you exactly how an attacker would trigger the exploit and what the impact is.”

Key capabilities of Xint Code include human-level insight into business logic vulnerabilities, with support to orchestrate multiple AI models to analyze code with contextual understanding. To define signals over noise, a multistage analysis pipeline verifies the severity and exploitability of every vulnerability before reporting, dramatically reducing false positives that drain security teams.

Every Xint Code discovery includes step-by-step reproduction instructions and real-world impact assessment, so teams can prioritize the vulnerabilities that actually matter and the offering offers zero-friction deployment with no formatting, packaging or harness configuration required.

While only being released commercially today, Xint Code is already being used by popular project maintainers, governments and companies, including MongoDB Inc., Fortune 10 companies, manufacturing giants and global retailers, to analyze massive legacy codebases.

Alongside the launch, Theori also released a new research paper that shows how Xint Code was used to identify a severe vulnerability. The problem had enabled data exfiltration and arbitrary code injection that had been undetected for over two decades in the popular PostgreSQL open-source project, which powers transactional and analytical workloads across software-as-a-service, finance, telecom and government deployments.

The report explains why traditional SAST tools, human pentesters and even next-gen AI tools missed this vulnerability and explains how both attackers and defenders can now scan millions of lines of code in just a few hours to find critical vulnerabilities in massive, legacy code bases.

Theori is a venture capital-backed startup that has raised $15.4 million over two rounds. Investors in the company include Naver Corp., Hana Bank and Dunamu & Partners Inc.

Image: Theori