ZeroPath releases 'Zero' appsec AI
- ZeroPath said on May 12 it launched Zero, a persistent AI agent meant to run an entire application-security program from inside Slack. (businesswire.com)
- The sharpest detail is the workflow claim: Zero can triage reports, patch vulnerabilities across repositories, and open pull requests automatically. (zeropath.com)
- That matters because appsec tools usually find issues; they do not own the messy follow-through to resolution. (zeropath.com)

Application security tools are good at one narrow job — finding possible bugs. The ugly part comes after that. Someone still has to decide whether the finding is real, figure out which repo owns it, open tickets, chase developers, and make sure the fix actually lands. ZeroPath is trying to turn that whole backlog into something an AI agent can run, and on May 12 it launched that agent, called Zero. (businesswire.com) (zeropath.com)

### What did ZeroPath actually launch?

Zero is a persistent AI agent for appsec teams, not just another scanner or chatbot. (zeropath.com) ZeroPath says it lives inside Slack, can build workflows from plain-English instructions, and learns an organization’s security environment over time so it can manage more of the day-to-day security program instead of just answering one-off prompts.

### What problem is it trying to solve?

Basically, appsec has a handoff problem. SAST, SCA, secrets scanning, bug bounty intake, and ticketing all create work in different places, but very little of that work gets stitched together cleanly. (businesswire.com) Security teams end up doing coordinator labor — validating findings, routing them, explaining them, and checking whether the fix really addresses the issue. ZeroPath’s pitch is that the expensive bottleneck is not detection alone. It is the operational glue after detection.

### Why is “persistent agent” the interesting part?

Because most security AI still behaves like a helper you ask questions. Zero is pitched more like a teammate with memory. (businesswire.com) That means it can keep state across tasks, remember how a company has configured its environment, and carry work from report intake to remediation. Turns out that memory is the difference between “here’s advice” and “here’s a patch and the PR is already open.”

### What can it do in practice?

The clearest example comes from ZeroPath’s own demo flow. (zeropath.com) A bug bounty report arrives by email. Zero identifies the affected codebase, validates whether the issue is real, patches vulnerabilities spanning two repositories, and opens two pull requests with the right issue IDs attached so they close on merge. In another example, it reviews software-composition findings, picks the highest-priority ones, and prepares fixes automatically.

### Is this just SAST plus DAST plus ticketing?

Not exactly. The company’s older pitch centered on AI-native SAST and broader code-security scanning — SAST, SCA, secrets, and IaC. (businesswire.com) Zero shifts the story up a layer. Instead of selling only better detection, ZeroPath is now selling orchestration — a system that decides what matters, coordinates the workflow, and pushes fixes forward inside the tools teams already use.

### Why does that matter for developers?

Because the real cost of appsec is interruption. Developers hate giant queues of vague findings, and security teams hate babysitting those queues. If an agent can reduce false positives, rank what is actually exploitable, and hand developers a patch instead of a warning, security starts to look less like a tax on CI/CD and more like another automated engineering system. (zeropath.com) That is the promise, anyway.

### What’s the catch?

The catch is trust. An agent that can patch code and open PRs is useful only if teams believe its judgment on exploitability, code ownership, and safe remediation. Security teams will also care about audit trails, approval gates, and how much autonomy they really want to hand over. (zeropath.com) ZeroPath is aiming straight at that question — not whether AI can spot bugs, but whether AI can be trusted to run the workflow around them.

### So what changed with this launch?

ZeroPath moved from “AI security scanner” toward “AI security operator.” That is a bigger ambition and a more crowded one, because plenty of vendors want to automate detection. (zeropath.com) Fewer are claiming they can own the whole appsec program. If Zero works the way ZeroPath says it does, the center of gravity in appsec could shift from dashboards full of findings to agents that triage, fix, and close the loop.

### Bottom line

This launch matters less for the word “AI” and more for the word “program.” ZeroPath is betting that the next appsec fight is not about who finds the most issues. (businesswire.com) It is about who can make vulnerability handling feel almost invisible.