Cursor's security team built and open-sourced four AI agents that run on its Cursor Automations platform to continuously monitor and secure its codebase. The agents — Agentic Security Review, Vuln Hunter, Anybump, and Invariant Sentinel — handle PR security reviews, daily codebase vulnerability scanning, dependency patching with reachability analysis, and compliance drift monitoring respectively. Unlike traditional static analysis tools, these agents reason semantically about code changes, reducing false positives and enabling high-confidence merge blocking. In two months, the PR review agent blocked hundreds of issues. Cursor is releasing the prompt templates and Terraform so other security teams can adapt them to their own threat models, partly in response to attackers increasingly using AI to find vulnerabilities.