Russia Introduces Multi-Agent System for Code Vulnerability Protection

New Competitive Advantages

The platform is built on a Russian database management system that uses in-memory computing technology to process transactions up to five times faster within automated banking systems. The solution, targeting the InfoSec and DevSecOps markets, is designed to enhance code security in financial and enterprise software.

This innovation showcases maturity in applying AI and security analytics: it speeds up automatic analysis, reduces false positives, and minimizes the need for manual code audits.

Software developers gain more reliable products with fewer vulnerabilities, while the broader industry benefits from stronger domestic tools — a key advantage amid sanctions and import substitution policies.

Next Steps: Refining the Agents and Expanding Capabilities

In the short term (1–2 years), development will focus on pilot testing, especially in high-security sectors such as fintech. Planned improvements include integration with CI/CD pipelines and DevOps tools, enabling automatic use during builds. A major focus is enhancing zero-day vulnerability detection and improving accuracy in filtering false positives.

“We are evolving our FXL Platform within the AI-Native banking paradigm. The integration of SberTech’s SAST-AI agent into the FXL Platform has significantly increased confidence in our code base and created new AI synergy that we are ready to share with the banking community.”

Arkady Lobas

CEO of FlexSoft

In the medium term (3–5 years), the platform is expected to scale for enterprise-level adoption, potentially as a licensed or SaaS-based product. Integration with dynamic analysis tools (DAST, IAST) and attack simulation frameworks is also under consideration. Developers plan to add dependency analysis, support for third-party and open-source libraries, and compliance with international standards such as CWE, OWASP, and ISO. Under favorable conditions, export and adaptation for international clients could follow.

From Code Analysis to AI Security Recommendations

Multi-agent approaches are increasingly explored in both research and applied contexts. For instance, the EvalSVA project uses multiple autonomous agents to assess software vulnerabilities from different perspectives, helping developers prioritize mitigation efforts. Another project, AutoSafeCoder, applies a trio of agents — for code generation, static analysis, and fuzz testing — to automate secure coding and verification.

Russian initiatives in SAST and DevSecOps already employ multi-agent AI systems for code analysis and integration within corporate infrastructures. Well-known SAST tools include Cppcheck, which targets C/C++ code with a focus on minimizing false positives, and Coverity, a commercial analyzer supporting multiple languages.

In September 2025, Yandex B2B Tech released guidelines for secure AI agent and multi-agent system development, emphasizing threat modeling, access control, agent identity management, and transparent event logging.

Advancing Security Automation

The introduction of a multi-agent SAST solution represents a major step forward in automating code security with artificial intelligence. Over the next two years, pilot projects will test integration with CI/CD environments across critical sectors. Within several years, commercial deployment through licensing or SaaS models is anticipated, allowing Russian DevSecOps technologies to compete globally. Multi-agent systems combining static, dynamic, and empirical analysis — along with automated patch generation — are poised to become the new standard in secure software development.