Search papers, labs, and topics across Lattice.
This study conducted 300 repeated vulnerability-finding scans using large language models (LLMs) on JavaScript code to evaluate the consistency of their security reviews. The findings revealed that while reference-matched results were stable, unmatched findings varied significantly across runs, with only 22 out of 161 unique unmatched findings appearing consistently across all repetitions. The research highlights the complementary strengths of LLMs and deterministic static application security testing (SAST), suggesting that their combined use can enhance vulnerability detection rather than replacing one with the other.
LLMs exhibit significant variability in vulnerability detection, with only 14% of unmatched findings being repeatable across identical scans.
We ran 300 repeated vulnerability-finding scans to measure how repeatable agentic large language model (LLM) security review is on the same JavaScript code, prompt, and benchmark harness. The headline result is that LLM security findings were unevenly repeatable: reference-matched findings were stable, but extra model reports varied heavily from run to run. Across 250 model runs, 80 of 161 unique unmatched findings appeared in only one of five identical repetitions, while only 22 appeared in all five. By contrast, when Claude matched a Snyk Code reference finding, the behavior was much more stable: 134 of 158 unique reference-matched findings appeared in all five repetitions. The benchmark also shows complementarity. Models consistently found familiar, high-signal exploit shapes, and in one case surfaced a likely Snyk Code product gap. Snyk Code static application security testing (SAST) was deterministic and better at systematically enumerating repeated data-flow sinks. The results support combining agentic LLM review with deterministic SAST rather than treating either technique as a replacement for the other.
