Autonomous Source Code Vulnerability Discovery — From Clone to Confirmed Finding to Tested Patch

What if you could point an AI at a source code repository and get back confirmed, exploitable vulnerabilities — with patches that have been verified to actually fix the bugs? Constantine does exactly that. Inspired by the strategies that won the DARPA AIxCC competition, Constantine runs a six-stage autonomous pipeline that finds vulnerabilities, proves they're real, and generates validated fixes.

The Pipeline

Constantine mirrors how an expert security researcher works — but runs end-to-end with no human intervention:

• Ingest — Clone the repo, score every file for security relevance using LLM-based semantic analysis, and prioritize the code that matters most. Supports 18 languages and handles repositories of any size.

• Detect — Five detection modules run in parallel. The primary two-pass scanner uses Haiku for fast triage across all code, then Opus/Sonnet for deep CWE-specific validation on flagged areas. An adversarial actor-skeptic scanner adds a second perspective — one model proposes findings, another challenges them.

• Review — An agentic LLM verifier with code exploration tools autonomously reads files, searches code, and traces data flows to confirm each finding. Taint-aware verification uses tree-sitter AST parsing to pre-compute call graphs, reducing false positives further.

• Exploit — For every verified finding, an agentic LLM generates proof-of-vulnerability code and executes it in a sandboxed environment. An internal write-test-retry loop iterates until the bug is demonstrably triggered — up to 250 tool calls per finding.

• Patch — Generates fixes using a tiered strategy: dependency bumps, targeted fixes, then structural refactors. Every patch is validated by re-running the exploit. Only patches that provably fix the bug get reported.

• Report — Complete evidence chains from detection through exploitation through patching, with CVSS scores, CWE classifications, and cost breakdowns.

Benchmarked Against 28 Real CVEs

Constantine is validated against vulnerabilities including Log4Shell, Heartbleed, Dirty Pipe, Baron Samedit, regreSSHion, Psychic Signatures, Looney Tunables, and runc Container Escape — spanning memory safety, auth bypass, path traversal, cryptographic flaws, and web vulnerabilities across C, Java, Python, Go, Rust, and JavaScript.

Two Operating Modes

• Customer engagement — Connect to a client's private repository. Findings flow into Guard as Risks with full evidence chains.

• Zero-day hunting — Point at any public repository. Constantine finds vulnerabilities. A human reviews and coordinates disclosure.

Cost Control

Three pipeline tiers — Premium (250 findings reviewed), Medium (150), Basic (75) — with real-time budget tracking and configurable spend caps. Per-module, per-stage cost breakdowns in every report.

How It Fits Into Guard

Constantine runs natively inside the Praetorian Guard Platform. Findings flow directly into your Guard dashboard as Risks — complete with severity ratings, evidence chains, and validated patches. Source code security joins your attack surface management, vulnerability scanning, and penetration testing in one unified view.

Documentation

https://docs.praetorian.com/articles/1856234-constantine-locates-fatal-security-bugs-in-software