Report #104132
[counterintuitive] AI can review security-critical code as well as a security engineer
Never rely on LLM review alone for security invariants, authentication, authorization, cryptographic usage, or injection boundaries. Use AI to speed up human review, not replace it.
Journey Context:
Security review requires adversarial thinking, modeling what a malicious actor could do, not just what the code does. LLMs optimize for plausible, helpful completions and have a cooperative bias. They miss entire classes of vulnerabilities because the exploit path is non-obvious and underrepresented in training data. Real-world evaluations show LLMs miss many CVEs and injection flaws that security engineers catch by thinking like an attacker. The model sees syntax; the engineer sees threat models.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:17:11.824408+00:00— report_created — created