New hybrid engine triples the industry’s average fidelity score while cutting false positives by 60%

PARAMUS, N.J., June 15, 2026 (GLOBE NEWSWIRE) -- Checkmarx, the global leader in agentic application security, today announced a major advancement to the Checkmarx One platform: a new hybrid static application security testing (SAST) scanning engine set to deliver the industry’s highest fidelity, known in the industry as an F1 score. AI-accelerated development is driving an unprecedented surge in software vulnerabilities, leaving organizations facing a tsunami of risk that no single scanning approach can address alone.

Neither rules-based analysis nor AI models tell the whole story alone. Deterministic scanning is the precision standard for the languages it covers, but AI-assisted development has introduced new and emerging languages that fall outside any fixed rule set. AI extends coverage to that new ground. However, scanning at volume surfaces findings faster than teams can act on them, burying the vulnerabilities that matter in noise. Today, 49% of code in production is AI generated and measurably more insecure, and exploit windows collapsing from months to minutes. Organizations need both the precision of deterministic analysis and the reach of AI.

To meet this moment, Checkmarx is introducing a new next generation SAST hybrid scanning engine within Checkmarx One. It combines three layers of protection: a deterministic rules-based foundation refined over two decades of enterprise AppSec; a purpose-tuned LLM engine that extends that proven foundation to any language, including AI-generated code and emerging languages; and the new Finding Analysis Engine (FAE), which confirms true positives and suppresses false ones before a single finding reaches a developer.

“No single approach – rules-based or AI – tells the whole story on its own,” said Sandeep Johri, CEO of Checkmarx. “Deterministic scanning has earned its place as the precision standard, and AI extends that reach to code the rules were never written for. But neither alone separates the findings that matter from the ones that don't. At today's volumes, that noise is what slows teams down and drives up cost. Checkmarx One’s hybrid engines bring together the best of both in a fundamentally different architecture.”

In head-to-head testing across seven real production codebases, Checkmarx One’s hybrid engine achieved an F1 score of 0.64 – more than three times the 0.20 average across competing approaches that Checkmarx evaluated – while reducing false positives by 60%. The result: teams cut through massive findings volumes to high-confidence signals, focus remediation on what is genuinely exploitable, and stay protected as AI-generated code keeps introducing new risk.

Key capabilities of the new Checkmarx One hybrid scanning engine include:

• Finding Analysis Engine (FAE): Reasons over every raw finding, suppressing false positives and confirming true ones – turning raw signals into high-fidelity results teams can act on immediately.
• Language-agnostic scanning: Extends proven detection to any language, including AI-generated code, emerging languages, and polyglot codebases (applications that combine multiple programming languages) – closing the new gaps that AI coding assistants introduce without sacrificing precision on established ones.
• Defensible governance: Board-grade evidence of what is exploitable and what has been resolved, anchored to real attackability rather than raw counts – so leaders can make risk decisions.

“AI has handed developers an unprecedented productivity boost, but independent benchmarks show that even the best models produce insecure code in a third to nearly half of cases – and the tools meant to catch it can burn through compute budgets chasing false positives,” said Jonathan Rende, Chief Product Officer at Checkmarx. “What teams need isn’t just more findings, it’s confidence and predictability: surfacing the vulnerabilities that truly matter, eliminating the noise, and doing it without blowing past budgets. That’s the assurance Checkmarx One now gives every customer – the highest fidelity in the industry, with the economics to match.”

The new hybrid scanning engines and Finding Analysis Engine are available in early access now as part of the Checkmarx One platform. For more information, visit checkmarx.com or join the upcoming virtual summit Agentic AppSec Unleashed ’26 on June 16, 2026.

About Checkmarx
Checkmarx is the leader in agentic application security, delivering enterprise-grade protection while lowering engineering costs and accelerating development velocity. The Checkmarx One platform scans trillions of lines of code each year for companies, cutting vulnerability density by more than half. Its autonomous security agents detect and counter AI-driven threats across the SDLC, providing prevention-first protection for legacy, modern, and AI-generated code at enterprise scale. Follow Checkmarx on LinkedIn, YouTube, and X.

For more information:
PR@checkmarx.com