How we agentically found, validated, and patched ~100 security issues in a 1-week experiment.

Ramp Engineering's blog offers insights, tutorials, and resources for software engineers and technology enthusiasts. Readers can learn about software development methodologies, engineering culture, and industry trends. With articles, interviews, and technical analysis, Ramp Engineering provides  guidance and expertise for navigating the complexities of the tech industry.

Ramp Engineering

Ramp's security engineering team built a multi-agent pipeline that autonomously found, validated, and patched nearly 100 security vulnerabilities in their backend codebase in under a week, with no human involvement until PR review. The system used specialized detector agents for specific vulnerability classes (e.g., IDOR), adversarial manager agents to filter false positives (rejecting 40% of initial findings), a validator agent that wrote integration tests to confirm real issues, and a fixer agent that applied patches using test-driven development. The approach uncovered novel high-severity issues missed by penetration testing, bug bounties, and 10+ commercial scanning tools. The entire setup required only a four-hour hackathon and one week of work by a single engineer.

We fixed ~100 security issues in 6 days with 0 humans

How many of the PR’s needed code changes before merging?

I could do it myself if you would give me a year :)

This is one of the most impressive agent engineering posts I’ve seen. Specialized detector agents per vulnerability class + a validation loop is exactly the right architecture — avoids the false positive problem that kills trust in automated fixes.
The 0-human-until-PR-review workflow is the north star for agentic security tooling. For teams trying to figure out which agents to trust for sensitive workflows like this, we built Caliber — an open-source agent discovery and benchmarking tool: <a href="https://github.com/rely-ai-org/caliber" target="_blank" rel="noopener nofollow">https://github.com/rely-ai-org/caliber</a>. Useful for evaluating before you hand over prod-level tasks.