Arm Newsroom Blog

Agentic AI-powered Arm Metis advances security vulnerability discovery in software 

The open-sourced agentic AI security framework delivers contextual AI-powered security analysis at scale, detecting software vulnerabilities earlier and saving time and cost
By Mark Hambleton, SVP, Software, Arm

In the era of AI, modern software systems are built across increasingly complex codebases, frameworks, runtimes and libraries. As these systems scale, so does the challenge of identifying security vulnerabilities before products reach customers.

To help address this challenge, Arm’s product security team has developed and open-sourced Metis, an agentic AI security framework designed to identify complex security issues across large-scale codebases. Within Arm, Metis is already running across more than 130 software projects, with plans for Arm-wide software adoption by late 2026.

Metis is an important step forward in how the industry can approach software security verification, helping engineering teams identify issues earlier, reduce development overhead and improve the overall security and performance of products.

Detecting complex vulnerabilities earlier and at greater scale

Traditional static analysis tools are often limited in their ability to identify vulnerabilities that span multiple components, systems or layers of software. By combining advanced analysis techniques with AI-enabled workflows, Metis identifies more sophisticated security vulnerabilities that are difficult to detect using existing approaches, as well as identifying them earlier in the process. This helps save time and reduce costs on engineering resources and validation cycles, while improving product quality.


Metis is improving detection quality and developer productivity. On internal Arm benchmarks that were held out of any AI training data, it delivers:

  • Up to 10x higher true positive rates; and 
  • Approximately 50% fewer false positives compared to leading static analysis tools.

False positives consume valuable engineering time and can reduce trust in automated tooling. By reducing false positives, Metis helps engineering teams focus on the issues that matter most, accelerating remediation and reducing wasted effort during validation and review.

How Metis works for contextual security analysis

Metis is built on a retrieval-augmented generation (RAG) architecture that combines large language models (LLMs) with project-specific knowledge to deliver contextual security analysis. Unlike traditional static analysis tools that rely primarily on fixed rules and pattern matching, Metis understands code in context and creates a custom knowledge base using source code, build files and documentation, giving a deeper understanding of how systems are designed and intended to operate. This allows Metis to analyze entire repositories, individual files, pull requests or recent code changes, so it can identify more complex vulnerabilities across functions, components and workflows. 

In addition, Metis can validate findings from both its own analysis and external static application security testing (SAST) tools. By navigating source code, constructing detailed graphs, gathering supporting evidence and reasoning over potential security issues, Metis can distinguish likely vulnerabilities from false positives. 
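The two paragraphs above describe the retrieval side of the approach: build repository-specific context for a finding by walking the code graph, then gather the evidence (callers, guard conditions) that the model reasons over to separate a real bug from a false positive. The following is an added example of that retrieval step, written for this page; it is not Metis code and does not call a model. It parses a constructed two-file C "repository" and a constructed SAST finding (both embedded below; the names `REPO`, `FINDING`, `copy_payload`, `handle_frame` and `rx_loop` are invented for illustration), builds a function call graph, retrieves the transitive callers of the flagged function, and checks each direct caller for an `if` guard on the argument that feeds the tainted parameter. The closing heuristic verdict stands in for the LLM reasoning stage and is deliberately crude.

```python
"""Added example: the retrieval step of a RAG-style SAST finding triage.

Not Metis code. It builds a call graph over a constructed C repository and
collects the caller/guard evidence a model would reason over for one finding.
"""
import re
from dataclasses import dataclass, field

# Constructed sample repository (invented for this example, not real Arm code).
REPO = {
    "net/parse.c": """
#define PKT_BUF_SIZE 1500
struct pkt { unsigned char buf[PKT_BUF_SIZE]; };

static int copy_payload(struct pkt *p, const unsigned char *src, size_t len)
{
    memcpy(p->buf, src, len);   /* SAST: copy into fixed-size buffer */
    return 0;
}

int handle_frame(struct pkt *p, const unsigned char *frame, size_t frame_len)
{
    if (frame_len > PKT_BUF_SIZE)
        return -1;
    return copy_payload(p, frame, frame_len);
}
""",
    "net/rx.c": """
void rx_loop(struct pkt *p)
{
    unsigned char raw[2048];
    size_t n = read_wire(raw, sizeof raw);
    handle_frame(p, raw, n);
}
""",
}

# Constructed SAST output for the memcpy above (not from any real tool).
FINDING = {"rule": "unbounded-memcpy", "file": "net/parse.c",
           "function": "copy_payload", "sink": "memcpy", "tainted_param": "len"}

# Matches "type name(params) {" for simple C definitions; good enough for the sample.
FUNC_RE = re.compile(r"^\s*(?:static\s+)?[\w\s\*]+?\b(\w+)\s*\(([^)]*)\)\s*\{", re.M)


@dataclass
class Func:
    name: str
    file: str
    params: list
    body: str
    callees: set = field(default_factory=set)


def parse_repo(repo):
    """Extract function definitions and wire up the call graph."""
    funcs = {}
    for path, src in repo.items():
        for m in FUNC_RE.finditer(src):
            depth, i = 0, m.end() - 1           # index of the opening brace
            for j in range(i, len(src)):        # brace-match to find the body end
                depth += {"{": 1, "}": -1}.get(src[j], 0)
                if depth == 0:
                    break
            params = [p.split()[-1].lstrip("*") for p in m.group(2).split(",") if p.strip()]
            funcs[m.group(1)] = Func(m.group(1), path, params, src[i:j + 1])
    for f in funcs.values():   # edge f -> g for every call to a known function g
        f.callees = {c for c in re.findall(r"\b(\w+)\s*\(", f.body) if c in funcs and c != f.name}
    return funcs


def callers_of(funcs, name):
    return [f for f in funcs.values() if name in f.callees]


def transitive_callers(funcs, name, seen=None):
    """Callers of `name`, then their callers, depth-first, without revisiting."""
    seen = set() if seen is None else seen
    chain = []
    for c in callers_of(funcs, name):
        if c.name not in seen:
            seen.add(c.name)
            chain.append(c.name)
            chain.extend(transitive_callers(funcs, c.name, seen))
    return chain


def guard_evidence(funcs, callee, param):
    """For each direct caller: which expression feeds `param`, and is there an
    `if (... <that expression> ...)` in the caller before the call?"""
    idx = funcs[callee].params.index(param)
    evidence = []
    for caller in callers_of(funcs, callee):
        call = re.search(rf"\b{callee}\s*\(([^)]*)\)", caller.body)
        arg = call.group(1).split(",")[idx].strip()
        guard = re.search(rf"if\s*\([^)]*\b{re.escape(arg)}\b[^)]*\)", caller.body[:call.start()])
        evidence.append((caller.name, arg, guard.group(0).strip() if guard else None))
    return evidence


def build_triage_context(funcs, finding):
    """Assemble the repository-specific context for one finding."""
    fn = funcs[finding["function"]]
    chain = transitive_callers(funcs, fn.name)
    evidence = guard_evidence(funcs, fn.name, finding["tainted_param"])
    guarded = bool(evidence) and all(g is not None for _, _, g in evidence)
    context = [f"// {funcs[n].file}\n{funcs[n].body}" for n in [fn.name] + chain]
    return {
        "finding": finding,
        "call_chain": [fn.name] + chain,
        "guards": evidence,
        # Stand-in for the model's reasoning; it does not check that the bound matches the buffer.
        "verdict": "likely false positive: size guarded in every caller" if guarded else "needs review",
        "prompt_context": "\n\n".join(context),
    }


if __name__ == "__main__":
    ctx = build_triage_context(parse_repo(REPO), FINDING)
    print(" <- ".join(ctx["call_chain"]))
    for caller, arg, guard in ctx["guards"]:
        print(f"{caller}: passes {arg}; guard before call: {guard}")
    print(ctx["verdict"])
```

The value for a reviewer is in `prompt_context` and `guards`: a pattern matcher sees only `memcpy(p->buf, src, len)`, while the retrieved chain shows that `handle_frame` rejects frames larger than `PKT_BUF_SIZE` before calling `copy_payload`. A real triage step would still have to confirm that the guard's bound matches the destination buffer size and that every path into the function is covered; the heuristic verdict here checks neither, which is exactly the reasoning the paragraph leaves to the model.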

Figure: Arm’s internal benchmark showing Metis with the GPT-5.5-Cyber model through OpenAI Daybreak

In Arm’s internal deployments, Metis uses OpenAI’s GPT-5.5-Cyber through OpenAI Daybreak as part of its defensive security workflow, pairing advanced AI reasoning with deep, repository-specific context across source code.

Metis also explains why a particular issue matters, giving developers and engineers clear, actionable summaries that help accelerate remediation and improve secure development practices. Metis supports a wide range of programming languages, including C, C++, Python and Rust, with the full list of supported languages published with the open-source project.

Open collaboration for a more secure ecosystem

Security challenges are industry-wide challenges. This is why Arm chose to open source Metis and make it available to the broader ecosystem. The project is already seeing adoption beyond Arm, including interest from partners exploring how AI-enabled vulnerability discovery can improve their own development workflows.

While Metis is initially focusing on software vulnerability discovery, Arm is already expanding the technology into new domains. The project recently added support for Verilog and Arm is working with ecosystem partners to explore how Metis can help support more automated approaches to hardware vulnerability verification.

As AI systems, silicon and software stacks become increasingly interconnected, security analysis needs to evolve beyond isolated software scanning toward broader system-level verification. 

Building the future of AI-enabled vulnerability discovery

AI is reshaping how security teams identify and address vulnerabilities. With Metis, Arm is helping pioneer a new generation of AI-enabled security tooling designed for the scale and complexity of modern software, helping developers and engineers address vulnerabilities faster while reducing validation cost and engineering effort.

By improving vulnerability discovery, reducing developer overhead and expanding verification across software, Metis helps strengthen the foundation for the next generation of secure computing.

Learn more about Metis and explore the open-source project on GitHub, or contact the Arm product security team at metis@arm.com.

Any re-use permitted for informational and non-commercial or personal use only.

Editorial Contact

Melissa Woodbridge