Introducing the Devin Security Vulnerability Remediation Program
Attackers are using AI to discover, chain, and exploit vulnerabilities faster than traditional remediation programs can respond. At the same time, security teams already have more findings than engineering teams can safely fix.
The Devin Security Vulnerability Remediation Program helps organizations clear their vulnerability backlog and set up continuous remediation. Cognition's forward-deployed engineering team embeds with yours and deploys Devin, the AI software engineer, to find, validate, and fix vulnerabilities.
How the program works
The program is built around two pillars: clearing today's vulnerability backlog, then establishing ongoing discovery and remediation.
In the first phase, Devin resolves known vulnerabilities at scale—ingesting scanner reports, shipping fixes as PRs, and validating each one. In the second, we set up Devin Security Swarm to continuously discover the logic flaws, insecure patterns, and chainable issues traditional scanners miss.
These are pillars, not rigid phases—they can run in parallel or phased based on your priorities. Most engagements land around six weeks.
A typical program looks like this: in weeks one and two, we inventory high-risk applications, align on scope and priorities, configure Devin, and map remediation workflows. In weeks three and four, we execute remediation at scale on the highest-priority repositories and monitor PR velocity, merge rates, and backlog reduction. In weeks five and six, we use initial results to forecast Devin capacity and finalize a broad rollout plan across the org.
What you can expect
- Moving from reactive to proactive security. You can shift from triaging endless alerts to continuously finding, validating, and fixing the issues that matter most.
- Closing the gaps scanners miss. Devin helps uncover, validate, and remediate threats like business logic flaws and context-dependent exploit paths before they become breaches.
- Returning engineering capacity. You can delegate remediation work that would otherwise pull engineers away from the product roadmap, and empower your security teams to drive fixes themselves.
Devin fits into the systems your teams already use. It ingests reports from your existing scanners—Snyk, SonarQube, Checkmarx, Semgrep, Wiz, Veracode, and others—validates, and then creates PRs.
Enterprise customers deploying Devin Cloud at meaningful scale who meet the program's technical and engagement requirements can participate. Existing customers who meet the criteria can also enroll. Your account team can confirm eligibility and tailor the program to your priorities.
Get in touch