Replit launches “Security Agent” to scan and fix vulnerabilities in AI-built apps

Replit has introduced a new “Security Agent,” adding automated vulnerability detection and remediation directly into its AI coding environment.

Replit, for the uninitiated, is a browser-based coding platform that lets users build and deploy applications using natural language, with AI agents handling much of the underlying work.

The latest move builds on existing protections already baked into Replit Agent, which includes scanning applications for issues such as insecure dependencies and exposed secrets during development.

The new agent extends that by actively identifying security flaws and helping developers address them before deployment.

Zoom

Security moves upstream

Replit’s Security Agent reflects a broader change in how software security is handled. Instead of relying on separate tools or post-development audits, security checks are increasingly being folded into the development workflow itself.

And this is a trend permeating across the AI coding realm. Anthropic recently added security capabilities to its coding environment, with Claude Code analysing repositories and suggesting fixes inline with development. Shortly after, OpenAI followed with a research preview of security features for Codex, signalling a similar direction.

The common thread is that security is no longer treated as a downstream process. Instead, models are being used to reason about code behaviour and surface vulnerabilities as part of the act of building software.

Zoom

That matters because traditional tools often rely on known patterns, while model-driven systems are being positioned as able to interpret how code behaves in context.

Replit’s approach lands within a broader evolution of its own platform. Recent updates have focused on coordinating multiple agents to work on different parts of an application in parallel, introducing more structure through queue-based task management, and separating planning from execution through features such as “Plan Mode.”

Collectively, these changes push more of the development lifecycle into the hands of agents — with Security Agent now covering the security layer within that same system.

Replit Security Agent: the need-to-knows

Replit’s Security Agent runs a full audit of an application’s codebase, working from a configurable threat model rather than a fixed ruleset. It uses a hybrid approach, combining established static analysis tools such as Semgrep and HoundDog.ai with an agent layer that reviews and interprets findings.

The setup reflects a broader shift in how static analysis is used. Rather than running as standalone tools, these systems are being treated as inputs to AI agents, which can filter out false positives and prioritise issues more effectively. Replit points to recent research suggesting that agent-based systems can significantly reduce noise in traditional security scans.

From a project’s Security panel, developers can select “Run Scan with Agent” to initiate a full review.

Zoom

The agent then maps the application’s architecture, analyses routes and APIs, and checks for vulnerabilities such as SQL injection, cross-site scripting, and request forgery, while also assessing whether those issues are exploitable in practice.

For larger projects, the process can take up to 15 minutes. Once complete, the agent produces a report of identified risks, which can be reviewed, ignored, or refined.

Zoom

Approved issues are then passed to Replit Agent for remediation, with vulnerabilities broken into separate tasks so fixes can be handled in parallel.

Proposed patches are surfaced for review before being applied to the main branch. Once changes are made, projects need to be republished to reflect the updates in production. Replit recommends running the Security Agent after major changes to ensure new vulnerabilities are identified and addressed.

A response to growing risks around autonomous coding

The timing of the launch reflects a growing reality: as AI agents take on more of the development process, the consequences of mistakes increase.

That concern has become more visible in recent months. With its latest model, Claude Mythos, Anthropic says it has demonstrated the ability to identify and exploit vulnerabilities at an unprecedented level, drawing attention from governments and security researchers – though not all are in agreement about how “dangerous” the new Mythos model really is.

The broader implication, ultimately, isn’t just that AI can help defend systems, but that it can also accelerate the discovery of weaknesses.

Replit’s approach fits into that dynamic. By embedding a security-focused agent directly into the development loop, it attempts to catch issues at the point where they are introduced, rather than after code is written or deployed.