IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
Checkmarx launches autonomous agents to fix code flaws

Checkmarx launches autonomous agents to fix code flaws

Wed, 15th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Checkmarx has launched self-healing autonomous agents in its Assist product family, designed to detect, fix and verify software vulnerabilities as developers write code.

The update centres on Developer Assist, which now runs what Checkmarx describes as a continuous find-and-fix loop inside AI coding tools before code is committed. Using hooks and MCP, the product retrieves context from Checkmarx One, generates a fix and then verifies it.

The latest version is aimed at teams using AI coding tools as software generation speeds up. Checkmarx's 2026 Future of Application Security report found that 96% of developers now use AI coding tools, while 18% apply security continuously as they write code.

Research cited by Checkmarx pointed to a gap between code generation and secure output. In a study commissioned from independent researcher The Weather Report, frontier models produced working code 83% to 95% of the time, but only 24% to 36% of that code was both secure and functional.

A later security review raised the secure-and-functional rate to 47% to 56%, but Checkmarx argued that still left software teams with a large remediation burden. Its response is to move remediation earlier in the development process rather than rely on checks after code has already been written.

Developer Assist is intended to work inside coding environments including Cursor, Windsurf and Kiro, as well as command-line workflows using large language model tools such as Claude Code. The system is designed to spot a vulnerability, propose a repair and confirm the result without requiring developers to leave their existing tools.

Checkmarx said the latest update can reduce manual remediation effort by up to 70% for dependency and package-upgrade work, cutting a typical six-hour package upgrade to 1.8 hours.

Backlog focus

Once code has entered the backlog, Triage Assist and Remediation Assist take over. The agents are designed to sort vulnerabilities using real-world reachability, which Checkmarx calls attackability, and then create pull requests for developers to review and merge.

Developers remain responsible for approving each fix, while application security teams retain policy control and a record of automated decisions. The approach reflects growing demand for tools that reduce developer workload without removing human oversight from security changes.

"Security teams have spent a decade trying to keep pace with how fast code gets written, and AI just moved that goalpost again," said Harshil Parikh, Vice President of Product Management at Checkmarx. "The only way to close that gap is to stop treating detection and remediation as separate steps handled by separate tools and let the system fix what it finds."

Jonathan Rende, Chief Product Officer at Checkmarx, said the launch is intended to stop security issues from reaching production systems. "The goal is prevention - creating a continuous flow of clean code from the start and autonomous fixes before code reaches production," he said. "With autonomous remediation, fixes are applied while developers are still writing code, before it's ever checked in, and what's in the pipeline gets prioritized and expedited without having to think about it."

Customer use

PatientPoint, a healthcare technology company and existing Checkmarx customer, has been an early user of Remediation Assist, according to Checkmarx. Its application security team used the tool to reduce a large vulnerability backlog into a smaller set of merge-ready pull requests for developers.

The use case highlights a broader issue for software teams as AI-assisted development increases the volume of code changes and the number of issues requiring review. Security teams are under pressure to keep pace without delaying releases or increasing costs.

"Triage and Remediation Assist agents identified false positives and gave our developers the chance to review before merging; that's exactly what we wanted," said Femi Oyesanya, Application Security Engineer at PatientPoint. "Our priority is to protect patient data, and this lets us do that without slowing developer productivity or driving up token costs."

Checkmarx said Developer Assist's autonomous mode, along with Triage Assist and Remediation Assist, is generally available through Checkmarx One.