On March 12th, Qianxin officially launched its first code security intelligent agent, Qcode Agents. As the first product delivered by its newly established AI company, it focuses on the intelligent transformation of code security detection.
Unlike traditional tools, Qcode Agents emphasizes multi-agent collaboration. By virtue of expert-level reasoning, multi-capability integration, and multi-scenario coverage, it embeds security checks deeply into the R&D process, significantly improves delivery efficiency, and promotes the official entry of domestic code security checks into the closed loop of the "all-scenario intelligent agent".
Qianxin stated that it has innovatively planned and developed an AI security product matrix, which will be gradually introduced to the market in the future to provide higher-level intelligent security solutions for industry customers.
What is Qcode Agents? Using an expert-level brain to crack AI hallucinations and logical blind spots
Since the beginning of the year, Anthropic's launch of Claude Code Security and OpenAI's release of Open Code Security have successively sparked strong reactions in the industry, fully demonstrating the enormous potential of large models in code semantic understanding, security detection assistance, and other areas.
However, in the era of AI, the core contradiction of application security has shifted from rule-matching speed to the depth of logical understanding. Relying solely on automated validation driven by large models, or on scanning for the new elements of AI applications, is still insufficient. The industry urgently needs a "brain" that can think like a senior expert and that possesses deep practical experience and logical reasoning ability.
Qcode Agents was created precisely to give AI this expert-level brain. The product not only comprehensively covers the new elements of the AI supply chain, but also encodes more than ten years of frontline practical experience, allowing intelligent agents to truly "understand" the business logic behind the code and to solve AI "hallucinations" and logical blind spots at the root.
Ten years of practical experience, achieving a leap from "universal model" to "domain expert"
The reason many AI security tools on the current market are "inaccurate" is rooted in a lack of genuine attack-and-defense logic to support them. The "core intelligence" of Qcode Agents is trained on Qianxin's own vulnerability mining experience and high-value testing rules, which have been tested in practice for over a decade. This ability has been fully internalized into the platform's MCP tool calling, professional skill execution, detection script orchestration, and standardized workflow, forming the cornerstone of Qcode Agents' accurate judgment.
Standardization of processes: Solidify key processes such as scanning initialization, vulnerability localization, and path generation into standard actions of the intelligent agent to ensure that the detection process is systematic and traceable.
Knowledge Resource Utilization: Structurally reconstruct tens of thousands of high-quality detection rules, establish a dynamically callable resource library, and give intelligent agents clear detection paths and rigorous logical judgment.
This marks that Qcode Agents no longer relies on "blind guessing", but instead accurately traces issues to their source like a senior security expert, fundamentally solving the pain points of traditional AI detection, which is "directionless and logically weak".
Fully automated security closed loop: covering the entire development lifecycle
Qcode Agents has created a fully automated security closed loop of Perception, Analysis, Verification, Repair, and Response, which is seamlessly embedded in every stage of a developer's work, from coding, committing, and merge requests to continuous integration/deployment.
Perception: Real-time monitoring of code changes and immediate initiation of analysis.
Analysis: Call the expert-level detection engine to accurately locate risks.
Verification: By dynamically simulating and reproducing the vulnerability trigger path, false positives can be eliminated.
Fix: Provide code-level repair suggestions to guide developers in quickly closing the loop.
Response: After the vulnerability is confirmed, the repair process is automatically triggered, and the repaired code version is generated synchronously and its effectiveness is automatically verified to ensure that the risk is completely eliminated.
This closed loop has completely changed the situation where security lags behind development, making security truly an endogenous capability of DevOps.
Breaking through the blind spots of business logic vulnerabilities: Empowering accurate detection with massive cases
Business logic vulnerabilities, such as unauthorized access, race conditions, and process bypassing, have always been a "blind spot" for traditional tools and a high-risk area for hacker attacks.
Drawing on a massive number of accumulated real attack and defense cases, Qcode Agents decomposes complex scenarios such as horizontal/vertical unauthorized access, inconsistent concurrent data, and business flow bypassing into quantifiable Skill instructions.
Deep modeling: The intelligent agent can understand the business intent, data flow, and permission control behind the code.
Evidence generation: Not only can it identify risks, but it can also generate reproducible vulnerability trigger paths.
Practical verification has shown that Qcode Agents' performance in detecting business logic vulnerabilities has increased exponentially, truly filling the gap in this critical area of the industry.
Reshaping the Security Boundary of the AI Application Supply Chain: Full-Element Protection from Model to MCP
Currently, the supply chain of AI applications has far exceeded the scope of traditional open source components: new elements such as model files, MCP (Model Context Protocol), and Skills have become the focus of attack surface expansion. Traditional SCA tools often suffer from serious false positives and false negatives when faced with these new objects because they lack detection, validation, or domain knowledge, which ultimately results in risk misjudgment.
Qcode Agents has built a detection capability that covers all elements of the AI supply chain, bringing model dependencies, MCP tools, and Skill call chains into the scope of analysis. Combining the deep domain knowledge base and accurate correlation modeling that Qianxin has accumulated in the software supply chain field over the past 10 years, Qcode Agents can automatically generate software bills of materials for AI applications, clearly trace the use of open source models, accurately identify the various "invisible dependencies" in AI applications, and leave supply chain security risks in AI applications nowhere to hide.
Strength verification: Reproduce known cases and discover potential vulnerabilities in mainstream projects
The detection capability of Qcode Agents has been perfectly verified in multiple tests and has achieved better-than-expected performance:
Reproduce industry benchmarks: Fully reproduced the three typical security vulnerabilities disclosed when Claude Code Security was released, accurately restoring the trigger conditions, exploitation paths, and potential impact scenarios of the vulnerabilities, and proving the advanced nature of its detection logic.
Deep Inspection of Open Source Projects: We selected well-known, widely used open source projects such as apache-ofbiz, apache-log4j, libpng, and gpac, and conducted targeted deep detection. Not only did we successfully reproduce the corresponding CVE vulnerabilities, but we also comprehensively investigated business logic defects and high-risk vulnerabilities such as stack overflow. For example, when detecting Apache OFBiz, Qcode Agents discovered a bypass vulnerability caused by an incomplete login verification mechanism, a semantic flaw that cannot be identified by traditional static analysis. Qcode Agents, with its internalized practical experience, accurately understood the verification semantics of login scenarios and successfully captured this hidden flaw.
Major discoveries during the internal testing phase: Qcode Agents has identified over 10 potential security vulnerabilities in mainstream open source systems and frameworks such as OpenSSL, TensorFlow, OpenCV, Memcached, and RuoYi, and has completed preliminary validation and risk level assessment.
Ten years to sharpen a sword: actual combat is the only criterion for testing effectiveness
The outstanding performance of Qcode Agents is not a castle in the air, but is built on the solid foundation of Qianxin's more than ten years of deep cultivation in code security.
Deep accumulation: Qianxin is one of the earliest vendors in China to productize enterprise-level SAST (Static Application Security Testing). The flagship product "Code Defender" supports dozens of languages, covers thousands of vulnerability types, serves over 1000 large government and enterprise clients, and has accumulated tens of thousands of high-quality rules that have been verified through practical experience.
Benchmark verification: The "AI+Code Defender" released in early 2025 has been deployed at top financial clients such as Bank of Beijing and PICC Technology. Data shows that it has shortened the code audit cycle by over 83%, reduced labor costs to 1/6 of traditional models, and achieved a high-risk vulnerability interception rate of over 95%.
Conclusion
From "Code Defender" to "AI+Code Defender", and now to the "Qcode Agents" intelligent agent, every step has been a continuous improvement and iteration closely tied to practical needs. The release of Qcode Agents by Qianxin is not a simple product upgrade, but rather an integration of technical accumulation, offensive and defensive experience, and customer practice. It not only enables AI to "understand code", but also to "understand business", "empower experience", and "handle in a closed loop", building a secure, efficient, and reliable code security system for enterprises.