Static analysis won't develop a one click exploit that works end to end for you.

I'm at a FAANG and even our static analysis tools are not great at identifying how many issues are actually reachable.

Ideally you use both. An AI model that has static analysis as part of the harness, so it can evaluate each potential finding.

▲

nozzlegear an hour ago | parent [-]

> Ideally you use both. An AI model that has static analysis as part of the harness, so it can evaluate each potential finding.

Ideally the static analysis tools are improved so that we don't need to piss away yet more tokens like we're competing on Mark's leaderboard just to find vulnerabilities.

	▲	solenoid0937 an hour ago \| parent [-]
		When you reach that ideal world, let me know. My company has thrown a decade+ and multiple teams at the idea you've described. We still aren't there yet. Your proposal of relying purely on static analysis is over-idealistic and just not feasible for large, diverse codebases in the real world. That's where AI comes in.