The frontier labs have recently entered AI code security and shaken the AppSec market. Anthropic launched Claude Code Security in February, and OpenAI responded days later with Codex Security. Google DeepMind has not shipped a commercial product yet but will most likely announce at Cloud Next in April. Now Cursor is entering too.

AI coding assistants drove Cursor's internal PR volume up 5x in nine months. They responded with four autonomous security agents on Cursor's Automations platform and open-sourced the reference implementation. The agents review 3,000+ internal PRs and catch 200+ vulnerabilities per week.

Highlights:

  • Four agents, four jobs. Agentic Security Review scans every PR using a prompt-tuned threat model and can block CI. Vuln Hunter partitions the codebase and scans each segment for vulnerabilities. Anybump patches dependencies with reachability analysis, test execution, and canary gates. Invariant Sentinel re-checks the repo daily against declared security and compliance properties to catch drift.
  • A Lambda-based MCP (Model Context Protocol) server coordinates all four agents. Gemini Flash 2.5 deduplicates semantically similar findings across agents. Results go to Slack with dismiss and snooze controls.
  • Progressive enforcement: Slack alerts first, then inline PR comments, then CI gates that block merges.
  • Cursor open-sourced the coordination layer: the MCP server, Slack notification service, and Terraform configs. The four scanning agents themselves are proprietary Cursor Automations templates, not part of the open-source release.

My take:

  1. Cursor is where 1M+ daily active users write code, so built-in code security was expected. The timing matters: Cursor's installed base is massive, but developer sentiment is shifting toward Claude Code.
  2. The economics are harder for Cursor than for frontier labs. Everyone passes inference costs to customers through usage pools, but the token economics differ. Frontier labs run their own inference infrastructure and optimize at a level Cursor cannot. Four security agents on every PR burn through tokens fast. Cursor either absorbs some cost, compressing its margins, or passes it through to customers already frustrated with rising bills. Users were already unhappy when Cursor switched to usage-based credits last year.
  3. Cursor is shipping DIY; Codex Security and Claude Code Security ship integrated experiences. Cursor security requires Lambda, DynamoDB, and Gemini deduplication, costing users additional ~$22/month.
  4. Cursor and Windsurf should expect additional pressure as OpenAI sharpens its focus on Codex and enterprise customers. Their user bases are easier acquisition targets than Claude Code's loyal following.
  5. The AppSec wars are not over, but the endgame scenarios are becoming clear. Code security is moving from a standalone cybersecurity vertical to a default feature of coding environments. Frontier labs have the upper hand. Claude has developer love, OpenAI is doubling down on Codex adoption, and Google will likely play its cards at Cloud Next.
  6. The next major shakeup will come after a serious incident involving AI-written, AI-reviewed, and still-exploitable code. Do not write off the SAST incumbents yet.

Sources:

  1. Securing our codebase with autonomous agents (Cursor blog, Travis McPeak, March 16, 2026)
  2. cursor-security-automation reference implementation (GitHub)
  3. OpenAI releases Codex Security days after Anthropic announced Claude Code Security