On June 5, at the 2026 Tencent Cloud AI Industrial Application Conference, Tencent Cloud launched its code security product CodeBuddy Security. The product pairs the AI deep audit engine developed in-house by Tencent Cloud's Yun Ding Lab with the static analysis tool Xcheck, targeting two pain points: the surge in vulnerabilities in the AI era and the limitations of traditional code auditing.


AI capabilities have soared, but using AI to find vulnerabilities still faces several challenges

This year AI has made a string of breakthroughs in vulnerability discovery. One major model vendor reported finding a 27-year-old vulnerability, and its AI cybersecurity project turned up more than 10,000 high-risk vulnerabilities in its first month, with a true positive rate above 90% after manual review. Large models are good at finding the deep logic flaws that traditional static analysis (SAST) cannot see, but pointing a large model directly at an enterprise codebase does not give good results. In comparative tests by Tencent Cloud's Yun Ding Lab, feeding an entire codebase into the model dilutes its attention with large amounts of irrelevant code, which raises cost and causes more findings to be missed; scanning the same repository ten times produces markedly different results from run to run, which rules it out for release pipelines that need stable output. More importantly, "AI finds a vulnerability in 3 minutes, but verifying it takes 3 days": the workload of security staff is not actually reduced.

Tencent's self-developed AI deep audit engine, combined with Xcheck, closes the loop from vulnerability discovery to verification

CodeBuddy Security's answer to these problems is "dual-engine collaboration plus engineering constraints." The AI deep audit engine, built on CodeBuddy, concentrates on what SAST struggles to track: cross-module memory safety defects, protocol state machine issues, and business logic vulnerabilities. Xcheck, which supports private deployment and keeps source code offline, quickly identifies known vulnerability patterns with deterministic results. The two engines scan independently, and their results are then merged and deduplicated.

In terms of scanning strategy, the system first identifies high-risk modules from the code repository and its commit history. The AI engine then processes one module and its related hotspots at a time, covering the codebase over several rounds so that attention is not diluted. In the verification phase, an independent secondary validation re-checks whether the flagged code actually exists and whether the trigger path is feasible, filtering out the "self-confirmation" hallucinations a single analysis can produce. Finally, the target environment is built in an isolated sandbox, and the AI engine writes a PoC and actually executes it. Security staff therefore receive confirmed vulnerabilities with working PoCs rather than potential findings that still need investigation. Vulnerability paths confirmed by the AI are automatically stored as Xcheck detection rules, so the next time the same path appears the static engine catches it directly, without spending model compute again.
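To make the engineering constraints above concrete, here is a small added illustration of the flow (hotspot scoping, independent re-verification, dual-engine merge and rule caching). It is not Tencent's code and not CodeBuddy Security's API: the model-driven engine is replaced by two constructed finding lists standing in for two independent AI runs, the repository, source file, SAST output and rule format are all hypothetical, and the `verify` check is a deliberately crude stand-in for the real secondary validation.

```python
# Added illustration of the "dual engine + engineering constraints" flow.
# NOT Tencent's code: the AI engine is represented by constructed finding
# lists, and the repository, sources and rule format are hypothetical.
import re
from collections import Counter
from dataclasses import dataclass

# Constructed `git log --name-only` style output for a hypothetical repository.
GIT_LOG = """\
commit a1
net/parser.c
commit a2
net/parser.c
net/state.c
commit a3
util/log.c
commit a4
net/parser.c
net/state.c
"""

# Constructed source of the hotspot module; line 3 copies an attacker-sized
# length into a fixed buffer with no bound check.
SOURCES = {
    "net/parser.c": """\
int parse(const char *pkt, size_t n) {
    char buf[64];
    memcpy(buf, pkt, n);
    return buf[0];
}
""",
}


def rank_hotspots(git_log: str, top: int = 2) -> list[str]:
    """Rank files by commit churn; the AI pass is scoped to the top modules
    instead of being fed the whole repository at once."""
    churn = Counter(
        line.strip() for line in git_log.splitlines()
        if line.strip() and not line.startswith("commit ")
    )
    return [path for path, _ in churn.most_common(top)]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    sink: str    # dangerous call the engine points at
    cwe: str
    engine: str


def verify(f: Finding, sources: dict[str, str]) -> bool:
    """Independent re-check against the real source: the claimed sink must be
    on the claimed line and no bound check on `n` may precede it. This is
    what rejects a hallucinated location or call (crude stand-in check)."""
    src = sources.get(f.file)
    if src is None:
        return False
    lines = src.splitlines()
    if not 1 <= f.line <= len(lines) or f.sink not in lines[f.line - 1]:
        return False
    preceding = "\n".join(lines[: f.line - 1])
    return re.search(r"if\s*\(.*\bn\b.*[<>]", preceding) is None


def confirm(run_a: list[Finding], run_b: list[Finding],
            sources: dict[str, str]) -> list[Finding]:
    """Keep an AI finding only if an independent second run reports the same
    (file, line, sink) AND verify() reproduces it from the source."""
    reported_by_b = {(g.file, g.line, g.sink) for g in run_b}
    return [f for f in run_a
            if (f.file, f.line, f.sink) in reported_by_b and verify(f, sources)]


def merge(ai: list[Finding], sast: list[Finding]) -> list[Finding]:
    """Merge both engines' output, deduplicating on (file, line, cwe)."""
    unique: dict[tuple, Finding] = {}
    for f in sast + ai:
        unique.setdefault((f.file, f.line, f.cwe), f)
    return list(unique.values())


def to_rule(f: Finding) -> dict:
    """Persist a confirmed path as a deterministic pattern rule (hypothetical
    format) so the static engine catches it next time without a model call."""
    return {"id": f"cached-{f.cwe}-{f.sink}", "file": f.file,
            "pattern": f"{f.sink}(...)", "cwe": f.cwe}


def run_pipeline() -> tuple[list[str], list[Finding], list[dict]]:
    hotspots = rank_hotspots(GIT_LOG)
    target = hotspots[0]
    # Constructed output of two independent AI runs on the hotspot module.
    # Both runs agree on a "strcpy at line 2" that does not exist (the
    # self-confirmation case); run A alone reports an unstable extra finding.
    run_a = [Finding(target, 3, "memcpy", "CWE-120", "ai"),
             Finding(target, 2, "strcpy", "CWE-120", "ai"),
             Finding("net/state.c", 1, "free", "CWE-415", "ai")]
    run_b = [Finding(target, 3, "memcpy", "CWE-120", "ai"),
             Finding(target, 2, "strcpy", "CWE-120", "ai")]
    # Constructed SAST (Xcheck-style) result for the same module.
    sast = [Finding(target, 3, "memcpy", "CWE-120", "sast")]
    confirmed = confirm(run_a, run_b, SOURCES)
    merged = merge(confirmed, sast)
    return hotspots, merged, [to_rule(f) for f in confirmed]


if __name__ == "__main__":
    for item in run_pipeline():
        print(item)
```

The agreement check alone would let the non-existent `strcpy` finding through, since both runs report it; only the re-derivation against the source removes it, which is why the secondary validation has to be independent of the first analysis rather than a re-reading of its output.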


CodeBuddy Security has so far been validated on many mainstream open-source infrastructure projects, deep learning frameworks, and low-level system modules. It has reported multiple valid vulnerabilities to companies and communities including NVIDIA, Google, Meta, Apache, Mozilla, and OISF, helped with the fixes, and received official confirmation and acknowledgement. The solution has also been progressively integrated into Tencent's internal release pipeline, where it heads off security risks before code goes live.

CodeBuddy Security is now available for enterprise trial, offering a more efficient approach to enterprise code security auditing.