Legit Security, the leader in agentic application security, launched new remediation agents that independently prioritize issues, generate fixes, open pull requests, and confirm results using context learned from each organization’s distinct codebase.

As AI allows attackers to exploit vulnerabilities faster than ever, rapid remediation becomes critical. As part of Legit’s agentic AppSec platform, these agents offer parallel remediation across code bases – critical when a common authentication bypass vulnerability is introduced through reused code and propagated across multiple services – along with using business context to prioritize the real threats, and create the right fix, regardless of which AppSec testing tools are deployed.

AI-first development has fundamentally changed the math on application security, necessitating an entirely new approach to AppSec. Consider:

• AI coding agents account for most of the committed code
• AI generated code contains 2.74 times more vulnerabilities than human-written code
• The median time to remediate a vulnerability is 252 days, nearly six times longer than attackers need to move from disclosure to exploitation
• Attackers equipped with new frontier models exploit new vulnerabilities within minutes of deployments

The bottom line: the faster teams ship with AI, the faster risk compounds – and the faster attackers execute exploitation campaigns. These trends collide to create enormous risk that must be solved with automated, intelligent, agentic tools

“Security teams aren’t losing the war because they lack talent. They’re losing because the model has changed completely, but AppSec testing tools have stayed the same,” said Roni Fuchs, co-founder and CEO at Legit. “Legit’s new remediation agents were built for this reality by offering AI-speed remediation centered on the context of your business and codebase, so you can trust them.”

Key Features: Legit Remediation Agents
Unlike general-use AI coding tools like Cursor, Claude Code and GitHub Copilot, Legit’s agents have the security knowledge and business context to generate production fixes, rather than patches. In addition, Legit’s remediation agents:

• Unified risk posture: Legit's stores the full risk posture of your codebases and apps, created from continuous scanning across the SDLC and the ingestion of risk signal from 3^rd party tools. LLMs and coding agents do not have native access to this data.
• Know what really matters: Legacy AppSec tools find volumes of issues without clear prioritization. Legit’s agents are informed by each customer’s distinct environment so only issues that really matter – prioritized by factors such as reachability, exploitability and production status – reach the remediation queue.
• Close complete attack surface gaps: Vulnerabilities rarely live in a single repo; a critical CVE can exist across dozens of services simultaneously. Legit’s agents open pull requests across every affected repo in parallel, to close every gap in the attack surface.
• Validate before opening a PR: Legit’s agents run tests, confirm the remediation held, and then create the PR with a plain-language explanation of what was fixed and why.
• Create auditable records of agent activity: Legit records every action its remediation agents take – from the original finding to the PR, the validated fix, and what engineering did with it – providing a complete, auditable record of activity.

“Security teams tell us they’ve tried pointing AI coding tools at their vulnerability backlogs, but the results are thousands of patches that lack context and aren’t validated, some even try to fix false positives, which wastes a lot of time,” said Yoav Stahl, vice president of product at Legit. “Legit’s agents know your codebase, your risk profile, and your organizational policies, so when we deliver a fix, we know it works for you.”