When security researchers first ran Anthropic's and OpenAI's new code analysis tools against repositories they'd already swept with Semgrep or Veracode, the results were uncomfortable. Both companies have released AI-powered scanning utilities free of charge — tools that, unlike conventional SAST scanners, don't match code against libraries of known patterns but instead reason about what the code actually does.
That distinction matters most for the vulnerability classes that rule-based systems struggle with. Authentication bypasses that emerge from how two separate modules interact, business logic flaws buried in conditional branching, insecure object references that only become dangerous in a specific call sequence — these aren't exotic edge cases. They're the bugs that show up in breach post-mortems, the ones that SAST tools have been quietly missing for years while generating confident-looking reports.
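As an added illustration (constructed for this page, not code from the article or from any tool named in it), the snippet below shows the kind of insecure object reference that surfaces only through a particular call sequence: each handler looks correct on its own, and the flaw lives in how a later handler composes with the data layer. The hardened form moves the ownership check into the loader so no caller can bypass it.

```python
"""Constructed example of an access-control flaw that exists only in how two
pieces of code interact. A single-function pattern match sees nothing wrong."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str
    body: str


# Constructed sample store; owners and bodies are placeholders.
RECORDS = {1: Record("alice", "alice-private"), 2: Record("bob", "bob-private")}


def authorize(user: str, rec: Record) -> None:
    """Central ownership check; raises if the caller does not own the record."""
    if rec.owner != user:
        raise PermissionError(f"{user} may not read a record owned by {rec.owner}")


def _load(record_id: int) -> Record:
    """Data layer: fetches a record and assumes the caller already authorized."""
    return RECORDS[record_id]


def get_record(user: str, record_id: int) -> str:
    """Original handler: the check is present, so this path is fine."""
    rec = _load(record_id)
    authorize(user, rec)
    return rec.body


def bulk_export_vulnerable(user: str, record_ids: list[int]) -> list[str]:
    """Handler added later: reuses _load() but never calls authorize(), so any
    id in the list is readable. No line here matches a 'missing check' rule;
    the defect is the sequence _load() -> body with no authorize() in between."""
    return [_load(rid).body for rid in record_ids]


def load_for(user: str, record_id: int) -> Record:
    """Hardened data layer: ownership is enforced where the record is fetched,
    so every present and future caller inherits the check."""
    rec = RECORDS[record_id]
    authorize(user, rec)
    return rec


def bulk_export_fixed(user: str, record_ids: list[int]) -> list[str]:
    """Same bulk path built on the hardened loader."""
    return [load_for(user, rid).body for rid in record_ids]
```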
Security practitioners have known about these gaps for a long time. What's changed is that a free tool is now surfacing them visibly, in production codebases, without requiring a research team or a consulting engagement.
The decision to price these tools at zero is as deliberate as anything else here. Anthropic and OpenAI aren't security companies, but they have every reason to embed Claude and GPT-4o into developer workflows before those workflows ossify around someone else's stack. A scanning tool that AppSec teams actually find useful — and that makes their licensed SAST scanner look incomplete by comparison — is a more effective capability demonstration than any published benchmark.
The incumbents aren't finished. Semgrep, Checkmarx, Veracode, and Snyk built their positions on speed and determinism: fast pattern matching that slots cleanly into CI/CD pipelines, consistent results that satisfy compliance requirements, and audit trails that hold up under scrutiny. LLM-based scanning is slower, can produce different results on identical code across runs, and gets expensive when you're scanning millions of lines daily. Those aren't trivial problems.
What's emerging in practice is a two-layer approach. Existing SAST tools continue handling high-velocity scanning for known vulnerability signatures in automated pipelines. AI-powered analysis runs as a deeper, slower pass — pre-release sweeps, periodic audits, the kind of review where you want semantic reasoning rather than pattern matching. Several teams have already settled into this split informally, though purpose-built tooling around that workflow is still thin.
The longer-term question isn't whether traditional SAST survives — it will — but whether vendors can integrate enough LLM reasoning to stay relevant for the category of bugs that increasingly defines serious security work. The free tools from Anthropic and OpenAI have made that problem concrete in a way that whitepapers and conference talks never quite managed.