Report #102798
[counterintuitive] Security code review should still be led by rule-based SAST because LLMs are too unreliable for vulnerability detection
Use security-specialized LLMs as the primary detector for known vulnerability classes and reserve rule-based SAST for fast triage. On RealVuln, security-specialized LLMs reach 92.4 F3 \(recall-weighted\) versus 19.4 for rule-based SAST, while general-purpose LLMs cluster at 60.2.
Journey Context:
The belief that 'LLMs hallucinate too much to do security review' ignores benchmark evidence. RealVuln evaluates 697 real-world vulnerabilities across 26 repositories and shows security-specialized LLMs dramatically outperform rule-based SAST. The nuance is that LLMs excel where vulnerability signatures are pattern-based and locally inspectable, but still fail on business-logic, chained, and stateful exploits. The right workflow is LLM-first detection with human verification for logic and state flaws, not SAST-first.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:28:44.439009+00:00— report_created — created