AI Code Review Should Operate Like an Engineer

Dan Mateer
Director of Product, Code Security

The pace of software creation has changed.

AI code review assistants are now embedded in development workflows as a best practice, and engineers are shipping code at unprecedented velocity. Code creation has expanded beyond developers. Product and design teams are producing full applications, with prototypes rapidly becoming production assets.

Meanwhile, developers are responsible for more than ever: building faster, adopting new AI tools, maintaining domain expertise, and trying to keep security in scope. But training and defenses aren’t evolving fast enough. The result: teams are running at AI speed with manual-era defenses.

Security now demands AI code review that understands intent and context, like an engineer does.

AI Broke the Old Security Playbook

Traditional AppSec can’t keep up. Research following the surge in AI code assistant adoption suggests, predictably, that cutting-edge frontier models are prone to error just as the most proficient human developers are.

Meanwhile, traditional scanning tools, built for a slower, human-driven development era, are flooding teams with false positives and context-unaware noise.

While the standards for velocity are changing rapidly, the barriers to effective shift-left security, including organizational alignment, conflicting priorities, and inconsistent adoption, remain constant.

The next evolution of code security must be proactive, accurate, and developer-friendly, while also capable of keeping pace with AI-enabled development.

Meet HackerOne Code: AI Code Review Built for Today’s Speed

HackerOne Code is an AI code review solution that thinks like an attacker, works like a developer, and learns like a teammate.

Whether you use GitHub, GitLab, Bitbucket, or Azure DevOps, HackerOne Code plugs into your pull or merge requests and reviews every change in real time for potential risks, surfacing potential problems and why they matter within minutes and with actionable next-steps for developers.

How It Works: Multi-Agent AI with Human Expert Oversight

HackerOne Code doesn’t just scan for vulnerabilities; it analyzes execution path logic, validates exploitability, and recommends hardened fixes with the judgment of a security engineer.

At its core is a multi-agent AI system that collaborates to find and prioritize real risk:

  • Detection Agents identify potential vulnerabilities and anti-patterns known to lead to vulnerabilities.
  • Validation Agents verify which findings are real, relevant, and require attention.
  • Prioritization Agents evaluate impact and urgency to focus effort where it matters most.
  • Remediation Agents deliver precise, context-aware fix recommendations that developers can act on.

If the AI consensus isn’t strong enough, the issue is escalated to human experts to verify through our scaled human-in-the-loop validation workflow.
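As an added illustration of the escalation rule above (hypothetical code written for this post, not HackerOne’s implementation), the sketch below shows one way a consensus gate can be expressed: detection agents contribute confidence scores, validation agents vote, and each finding is reported, dismissed, or escalated to the human queue depending on how strong the agreement is. The thresholds, agent names, and sample findings are assumptions.

```python
"""Consensus-gated triage sketch: detection agents emit findings with a
confidence, validation agents vote on each, and findings without strong
agreement are routed to a human reviewer queue.
Hypothetical code for this article; not HackerOne's implementation."""
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Finding:
    rule: str                 # e.g. "sql-injection"
    location: str             # file:line
    detector_scores: dict = field(default_factory=dict)  # agent -> confidence 0..1
    validator_votes: dict = field(default_factory=dict)  # agent -> True (real) / False (noise)

# Illustrative thresholds (assumptions, not product settings).
MIN_VALIDATOR_AGREEMENT = 0.75   # share of validators that must agree
MIN_MEAN_CONFIDENCE = 0.6        # detectors must be confident before auto-reporting

def triage(finding: Finding) -> str:
    """Return 'report', 'dismiss' or 'escalate' for a single finding."""
    votes = list(finding.validator_votes.values())
    scores = list(finding.detector_scores.values())
    if not votes or not scores:
        return "escalate"            # nothing to build consensus from
    yes_share = sum(votes) / len(votes)
    agreement = max(yes_share, 1 - yes_share)
    if agreement < MIN_VALIDATOR_AGREEMENT:
        return "escalate"            # validators split: hand to a human
    if yes_share >= MIN_VALIDATOR_AGREEMENT:
        # Validators agree it is real; require detectors to be confident too.
        return "report" if mean(scores) >= MIN_MEAN_CONFIDENCE else "escalate"
    return "dismiss"                 # validators agree it is noise

def triage_all(findings):
    """Bucket findings for the PR comment, the human queue and the bin."""
    buckets = {"report": [], "dismiss": [], "escalate": []}
    for f in findings:
        buckets[triage(f)].append(f"{f.rule}@{f.location}")
    return buckets

# Constructed sample findings from a hypothetical pull request.
SAMPLE = [
    Finding("sql-injection", "db.py:42", {"d1": 0.9, "d2": 0.85}, {"v1": True, "v2": True, "v3": True, "v4": True}),
    Finding("hardcoded-secret", "cfg.py:7", {"d1": 0.7, "d2": 0.3}, {"v1": True, "v2": False, "v3": True, "v4": False}),
    Finding("weak-hash", "auth.py:19", {"d1": 0.8}, {"v1": False, "v2": False, "v3": False, "v4": False}),
    Finding("path-traversal", "files.py:88", {"d1": 0.55, "d2": 0.4}, {"v1": True, "v2": True, "v3": True, "v4": True}),
]

if __name__ == "__main__":
    for bucket, items in triage_all(SAMPLE).items():
        print(bucket, items)
```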

Code reviews and suggests fixes to submitted code, verified by a security engineer

Strong human oversight, a core tenet of responsible AI, is maintained through an extensive network of security engineers. This hybrid architecture delivers high signal, low noise, ensuring developers focus only on what matters most.

Beyond Code: Continuous Offensive Testing

Organizations are no longer interested in getting “every alert.” They want proof that the vulnerabilities they see actually matter. Proof that fixes hold and that their defenses work when and where it counts.

That’s where smarter AI code review and agentic pentesting play together, extending human-AI collaboration across the entire threat exposure lifecycle. Where HackerOne Code proactively secures what’s being built, HackerOne Agentic Pentest continuously validates what’s running by using autonomous agents that emulate real attackers in production environments.

Together, they create a continuous feedback loop of discovery, validation, and remediation that keeps pace with how modern software is built and shipped.

This is the heart of human-AI collaboration:

  • AI for speed and scale
  • Humans for creativity and certainty

It’s how security leaders close the biggest gaps: knowing not just what’s vulnerable, but what’s truly exploitable.

Explore Code Security for the AI Era