Revelio: Cost-Efficient Agentic Memory Safety Vulnerability Detection For Repository-Scale Codebases
Revelio is a new AI-powered framework that detects memory safety vulnerabilities in large codebases using large language models combined with executable proof-of-concept generation and deterministic sanitizer verification. The system discovered 19 previously unknown vulnerabilities in production projects while maintaining cost-efficiency, addressing the hallucination problem endemic to LLM-based security analysis.
Memory safety vulnerabilities represent a persistent security challenge that traditional testing methods struggle to eliminate at scale. Revelio addresses this by combining LLM-based hypothesis generation with deterministic validation, creating a feedback loop that prevents the false positives plaguing existing LLM security tools. The framework's innovation lies in requiring executable proof-of-vulnerability confirmation rather than relying on model predictions alone, fundamentally shifting from probabilistic to verifiable detection.
The broader context reflects growing recognition that LLMs excel at exploring large solution spaces but require grounding mechanisms to produce reliable security outcomes. Organizations have invested heavily in fuzzing campaigns lasting years without catching all vulnerabilities, creating demand for complementary detection approaches. Revelio's ability to operate on repository-scale codebases addresses a critical limitation of previous LLM security tools, which struggled with context windows and cost constraints.
For the security and development communities, this work demonstrates that cost-effective vulnerability detection at production scale is achievable through intelligent system design rather than simply scaling compute. The $300 total cost across multiple projects and discovery of 19 novel vulnerabilities suggests favorable economics compared to manual auditing. The framework's superiority over frontier coding agents at comparable token costs indicates efficiency gains that could reshape how organizations approach continuous security monitoring.
Future developments will likely focus on expanding Revelio to other vulnerability classes beyond memory safety and integrating the system into CI/CD pipelines. The methodology could accelerate vulnerability disclosure timelines and reduce the gap between LLM capability and practical security deployment.
- Revelio discovered 19 previously unknown vulnerabilities in mature, heavily-fuzzed codebases using a cost-effective agentic framework
- The system eliminates LLM hallucination by requiring executable proof-of-vulnerability confirmation through deterministic sanitizer validation
- Total cost of $300 across multiple production-quality projects demonstrates viable economics for repository-scale vulnerability detection
- Framework outperformed frontier coding agents on benchmarks while using comparable token budgets, indicating superior efficiency
- Approach combines lightweight static analysis with inexpensive LLMs to generate and rank vulnerability hypotheses before confirmation
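As an added illustration of the confirmation step described in the third paragraph and in the bullets above (this is not Revelio's code, which the summary does not show): a Python check that accepts an LLM-generated hypothesis only when the sanitizer report from running its proof-of-concept agrees with the claim. The `Hypothesis` fields, the class-name mapping and the sample reports are assumptions constructed for the example.

```python
"""Deterministic confirmation of an LLM vulnerability hypothesis against a
sanitizer report. Added illustration, not Revelio's code; the report shape is
AddressSanitizer's, the Hypothesis fields and samples are assumptions."""
import re
from dataclasses import dataclass

# ASan error strings mapped to the bug classes a hypothesis may claim (assumed names).
ASAN_CLASSES = {
    "heap-buffer-overflow": "heap-overflow",
    "stack-buffer-overflow": "stack-overflow",
    "heap-use-after-free": "use-after-free",
    "double-free": "double-free",
}

@dataclass
class Hypothesis:
    bug_class: str  # class the LLM claims, e.g. "heap-overflow"
    function: str   # function the LLM claims is at fault

def parse_asan_report(stderr: str):
    """Return (bug_class, faulting_function), or None if ASan reported nothing."""
    m = re.search(r"ERROR: AddressSanitizer: ([a-z-]+)", stderr)
    if not m:
        return None
    bug = ASAN_CLASSES.get(m.group(1), m.group(1))
    # Frame #0 of the first stack trace names the function that faulted.
    frame = re.search(r"#0 0x[0-9a-f]+ in (\w+)", stderr)
    return bug, (frame.group(1) if frame else "?")

def verify(h: Hypothesis, stderr: str) -> str:
    """Confirm only when the deterministic sanitizer run agrees with the claim."""
    found = parse_asan_report(stderr)
    if found is None:
        return "rejected: no sanitizer error, PoC did not prove the claim"
    bug, func = found
    if bug == h.bug_class and func == h.function:
        return f"confirmed: {bug} in {func}"
    return f"mismatch: sanitizer saw {bug} in {func}, claimed {h.bug_class} in {h.function}"

# Constructed sample outputs of a PoC run (not real crash reports).
REPORT_HIT = """==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000015
READ of size 1 at 0x602000000015 thread T0
    #0 0x55d1c0 in parse_header /src/parser.c:42
    #1 0x55d2a0 in main /src/main.c:10"""
REPORT_CLEAN = "parsed 3 records\n"

if __name__ == "__main__":
    print(verify(Hypothesis("heap-overflow", "parse_header"), REPORT_HIT))
    print(verify(Hypothesis("heap-overflow", "parse_header"), REPORT_CLEAN))
```

A clean run rejects the hypothesis outright, and a crash of a different class or in a different function is reported as a mismatch rather than a confirmation, so only sanitizer-backed findings survive the loop.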