Search papers, labs, and topics across Lattice.
VULNSCOUT-C, a 693M parameter transformer, was developed and fine-tuned for C code vulnerability detection using a new 33,565-sample dataset (VULNSCOUT) generated via a multi-agent pipeline with formal verification. The model achieves state-of-the-art performance on a standardized C vulnerability detection benchmark, surpassing larger LLMs and commercial static analysis tools. This demonstrates the potential of task-specialized compact architectures for efficient and accurate vulnerability detection in real-world development workflows.
A task-specific, lightweight transformer can outperform state-of-the-art reasoning LLMs and commercial tools in C code vulnerability detection, at a fraction of the inference cost.
Vulnerability detection in C programs is a critical challenge in software security. Although large language models (LLMs) achieve strong detection performance, their multi-billion-parameter scale makes them impractical for integration into development workflows requiring low latency and continuous analysis. We introduce VULNSCOUT-C, a compact transformer architecture with 693M total parameters (353M active during inference), derived from the Qwen model family and optimized for C code vulnerability detection. Alongside the model, we present VULNSCOUT, a new 33,565-sample curated dataset generated through a controlled multi-agent pipeline with formal verification, designed to fill coverage gaps in existing benchmarks across underrepresented CWE categories. Evaluated on a standardized C vulnerability detection benchmark, VULNSCOUT-C outperforms all evaluated baselines, including state-of-the-art reasoning LLMs and commercial static analysis tools, while offering a fraction of their inference cost. These results demonstrate that task-specialized compact architectures can match or even outperform the detection capability of models orders of magnitude larger, making continuous, low-latency vulnerability analysis practical within real-world development workflows.
