The recent announcement around Claude Code Security has sparked significant excitement and has shaken the cybersecurity world. We’ve already seen waves of reactions predicting the end of SAST (I personally loved the term “SASTpocalypse”) and, more broadly, the decline of traditional SaaS models.
Here is our view at Glev on how this shifts the market, and how it doesn’t.
Pattern-Based SAST vs. Reasoning-Based Detection
Claude Code has demonstrated impressive detection capabilities powered by reasoning. Frontier AI models scanned open-source repositories and uncovered hundreds of previously unknown high-severity vulnerabilities, including subtle issues that had survived years of expert review and fuzzing.
But saying pattern-based SAST is dead does not seem accurate. In fact it's a question of efficiency:
Reasoning-based detection can apply deep contextual analysis to identify complex vulnerabilities, but at a significant computational cost in time and tokens. For simple and well-known vulnerability classes, pattern-based scanners remain significantly more efficient.
As Eric Dupré would say (he loves metaphors), using a large reasoning model to detect a basic injection flaw can feel like running a full MRI scan to diagnose a simple paper cut. Powerful, but disproportionate to the task.
There are already examples where a reasoning model spent 17 minutes and 155,000 tokens identifying an issue that a pattern-based scanner flagged in under 30 seconds (for free).
And there is another structural reality: deterministic engines do introduce rigidity, but probabilistic models introduce variability. Each will miss things the other can catch.
In the end, the most effective strategy today is not choosing between them: it’s orchestrating both intelligently.
That’s the architectural choice we’ve made at Glev.
Remediation: The Problem Isn’t Solved. It’s Shifted.
Integrated remediation directly in the developer workflow is a major step forward. Suggesting patches before code is committed shortens feedback loops and reduces friction.
But remediation introduces a fundamental challenge: decision-making.
Every patch still needs validation. And if an AI suggests 100 patches, the real question becomes: which ones matter most? Should I fix them all? Where do I start?
This isn’t a new problem. It already exists with traditional pattern-based scanners, and it still exists in AI-driven workflows.
To make the right decision, you need context.
Context about the application architecture. Context about runtime exposure. Context about business criticality. Context about security policies and compliance requirements.
Without that context, decision-making is impossible, and sending hundreds of patches just adds fuel to the fire.
At Glev, we focus on capturing and structuring the right context so organizations can move from raw detection to informed decision-making. Prioritization is not just severity scoring; it’s understanding impact in a specific environment.
That is how you close the decision gap.
Real AppSec: Building Security, Not Just Reacting
The question circulating this weekend was whether AppSec is becoming obsolete.
In complex organizations, Application Security goes far beyond reacting to findings. It is about building security systems that include standardization, harmonization, control and governance.
Standardization means defining the right security standards and assurance levels based on business context, SLAs, and regulatory obligations.
Harmonization of practices means ensuring remediation approaches are consistent, reusable, and shared across teams, especially in environments with rotating teams or external contributors.
Control and governance means establishing visibility, measurement, and enforcement mechanisms that ensure security objectives are continuously met while delivery pressure remains high.
AppSec is not just about detecting vulnerabilities. It is about constructing security as a systemic capability.
The Rise of AppSec Intelligence
At Glev, we believe AppSec cannot be reduced to one detection methodology or another.
The future of software development will reshape both threats and detection methods. Emerging technologies — especially AI-driven systems — no longer behave in fully deterministic ways. It will soon be impossible to predict with certainty that a specific input will generate a specific flaw. Applications are becoming more dynamic, more composable, and more autonomous.
In this environment, detection alone is insufficient.
Our conviction is that organizations need to build their own AppSec Intelligence layer:
- Combining deep application context
- Structuring and evolving security policies
- Bridging engineering reality and security requirements
This intelligence layer is what allows organizations to:
- Close the decision gap
- Scale remediation in a world where code volume keeps accelerating
- Anticipate vulnerabilities in increasingly dynamic systems
AI will transform the tools.
But strategy, context, and structured security intelligence remain the differentiators.
And that’s where the next generation of AppSec platforms must operate.



