OpenAnt


Open source LLM-based vulnerability discovery product from Knostic that helps defenders find verified security flaws while minimizing false positives and false negatives

590 GitHub Stars
6 Pipeline Stages
6 Languages
99.98% Noise Reduction*

Overview

OpenAnt is an open source LLM-based vulnerability discovery product from Knostic that helps defenders proactively find verified security flaws while minimizing both false positives and false negatives—"Stage 1 detects. Stage 2 attacks. What survives is real." It breaks code into "units" (functions plus call-graph context), filters them through free static reachability analysis, then runs LLM-powered exposure classification, vulnerability discovery, adversarial exploitability verification, and sandboxed dynamic testing. Its "Adversarial Reflexion" approach uses tightly constrained attacker personas that cannot assume server access or local shell, eliminating the class of false positives where agreeable LLMs confirm theoretical attacks. In Knostic's published OpenSSL run, 15,232 units were reduced to 3 confirmed exploitable findings (99.98% reduction) at a total cost of $442.65.

The Verdict

Who Should Use OpenAnt?

Best For

  • Open source maintainers staying ahead of AI-discovered vulnerabilities
  • Defenders wanting verified, exploitable findings rather than raw SAST noise
  • Go and Python codebases (the two stable language targets)
  • Teams with an Anthropic API budget for deep, agentic analysis

Not Ideal For

  • Cost-sensitive scanning of very large codebases (published runs cost $25–$1,081 per project)
  • Production-critical pipelines—the project is still in research phase with beta features
  • C/C++, PHP, Ruby, and JS/TS projects needing mature support (all beta)

What's Great

  • Constrained attacker personas counteract LLM agreeableness—findings must show specific inputs, endpoints, and data flows step by step
  • Free static stages (parsing, reachability) cut ~97% of units before any LLM cost is incurred
  • Sandboxed, Docker-isolated dynamic exploit testing confirms findings beyond static reasoning
  • Transparent published cost data across OpenSSL, WordPress, LangChain, Rails, and Grafana
  • Apache 2.0 licensed with a free managed scanning program for open source projects
  • Knostic is in coordinated vulnerability disclosure for the tool's real findings

Watch Out For

  • Requires an Anthropic API key with Claude Opus access; token costs can nearly double initial estimates
  • Complex units can hit a 20-iteration cap at ~$10.92 per unit in the classification stage
  • Dynamic test design quality is inconsistent, especially for C codebases
  • Single logical units can exceed LLM context windows in dense C projects
  • Only Go and Python are stable; four other languages are beta


Six-Stage Pipeline

  • Stage 1: Code parsing—functions and call graph extraction (no LLM cost)
  • Stage 2: Reachability analysis from entry points (no LLM cost)
  • Stage 3: Agentic exposure classification (Claude Sonnet)
  • Stage 4: Vulnerability discovery (Claude Opus)
  • Stage 5: Adversarial exploitability verification (Opus, agentic tool use)
  • Stage 6: Dynamic verification in Docker-isolated sandboxes

Language Support

  • Go (stable)
  • Python (stable)
  • JavaScript/TypeScript (beta)
  • C/C++ (beta)
  • PHP (beta)
  • Ruby (beta)

CLI Workflow

  • Go CLI binary with Python 3.11+ analysis runtime
  • openant init — point at a remote or local repo
  • openant scan --verify — full pipeline in one command
  • Step-by-step: parse, enhance, analyze, verify, build-output, report
  • Multi-project workspaces with active-project switching

Published Benchmark Runs

  • OpenSSL (C): 15,232 units → 3 confirmed, $442.65
  • WordPress (PHP): 12,177 units → 20 confirmed, $239.45
  • LangChain (Python): 6,701 units → 1 confirmed, $51.48
  • Rails (Ruby): 89 units → 2 confirmed, $25.18
  • Grafana (TS & Go): 18,500 units → 86 confirmed, $1,080.86

How It Compares

Feature | OpenAnt | RAPTOR | Semgrep
--- | --- | --- | ---
Finding Validation | Adversarial constrained personas + dynamic sandbox | LLM multi-stage pipeline | Rule-based only
False Positive Strategy | Remote-exploitability constraint kills local-only findings | SMT + LLM validation | Manual triage
Cost Transparency | Published per-stage costs | Per-run budget cap | Free engine
Dynamic Verification | Docker-isolated exploit testing | Exploit PoC generation | No
Stable Languages | Go, Python | Multi-language via Semgrep/CodeQL | 30+
License | Apache 2.0 | MIT (CodeQL restricted) | LGPL engine

*99.98% noise reduction figure is from Knostic's published OpenSSL run: 15,232 parsed units reduced to 3 confirmed exploitable findings.
