Black Hat USA 2025 | Let LLM Learn: When Your Static Analyzer Actually 'Gets It'

The Black Hat presentation explored how large language models (LLMs) can be fused with traditional static analysis tools to create a new generation of vulnerability scanners. The speaker outlined three integration patterns—AI‑enhanced, where a static scanner filters LLM output; AI‑explorer, where the LLM leads discovery and the scanner validates results; and AI‑native, where the LLM functions as the scanner itself—highlighting the trade‑offs in false‑positive rates, coverage, and hallucination risk.

Key insights included the high cost of one‑by‑one AI reporting, the importance of prompt engineering, and a closed‑loop optimization framework that treats the LLM as a query‑language (QL) optimizer. By feeding generated QL rules back into a test suite, the system iteratively refines detection logic, while strict context isolation prevents compilation loops. The team also introduced a code‑block segmentation strategy that mirrors how human auditors abstract code, dramatically improving recall while keeping false positives low.

Notable examples cited were over 500 pull‑requests spent eliminating false positives in existing rule sets, a three‑fold increase in recall after relaxing rules, and an 80% catch‑rate when summarizing similar code paths. The open‑source release of the agent and its implementation allows the community to reproduce the workflow and accelerate zero‑day discovery.

The implications are clear: integrating LLMs with static analysis can slash review time, raise detection accuracy, and shift the industry toward AI‑augmented security pipelines. Organizations that adopt these closed‑loop, segmentation‑driven approaches will likely gain a competitive edge in vulnerability research and remediation.