Semgrep shifts AppSec spend to developers
Semgrep
This points to net-new security budget, not a feature bake-off inside SAST. Business logic flaws such as IDOR (insecure direct object reference) and multi-step authorization bugs are usually found by humans tracing real user flows, changing object IDs in requests, and attempting actions out of their intended order. That work has lived in pentests and bug bounties because classic scanners look for code patterns, while these flaws require understanding what the application is supposed to allow for a given user and state.
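To make concrete what "changing IDs in requests" and "actions out of order" look like at the code level, here is an added example (not Semgrep's code, nor code from the original page): a constructed invoice service showing an IDOR and a step-skipping bug beside their hardened forms. All names, functions and data below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: an invoice moves draft -> approved -> paid.
@dataclass
class Invoice:
    id: int
    owner: str
    state: str = "draft"

def make_store() -> Dict[int, Invoice]:
    return {1: Invoice(1, "alice"), 2: Invoice(2, "bob")}

# IDOR: the handler trusts the caller-supplied id and never checks ownership.
# Syntactically this is an ordinary lookup; no code pattern marks it as unsafe,
# which is why a human (or a tool with a model of "owner") has to spot it.
def get_invoice_vuln(store, user: str, invoice_id: int) -> Optional[Invoice]:
    return store.get(invoice_id)

# Hardened: the object must belong to the requester. Anything else is reported
# as "not found" so the response does not reveal whether the id exists.
def get_invoice_safe(store, user: str, invoice_id: int) -> Optional[Invoice]:
    inv = store.get(invoice_id)
    if inv is None or inv.owner != user:
        return None
    return inv

# Multi-step bug: ownership is checked, but "pay" is reachable without
# "approve" ever having happened, so the workflow can be driven out of order.
def pay_invoice_vuln(store, user: str, invoice_id: int) -> bool:
    inv = get_invoice_safe(store, user, invoice_id)
    if inv is None:
        return False
    inv.state = "paid"
    return True

# Hardened: every action is legal only from its expected predecessor state,
# so skipping or reordering steps is rejected instead of silently accepted.
TRANSITIONS = {"approve": ("draft", "approved"), "pay": ("approved", "paid")}

def transition_safe(store, user: str, invoice_id: int, action: str) -> bool:
    inv = get_invoice_safe(store, user, invoice_id)
    if inv is None or action not in TRANSITIONS:
        return False
    src, dst = TRANSITIONS[action]
    if inv.state != src:
        return False
    inv.state = dst
    return True
```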
Semgrep is trying to pull that spend left into the developer workflow. Its code scanner already runs in pull requests and CI, and its new multimodal detection pairs code parsing with LLM reasoning to look for broken authorization and workflow abuse before code is released.
That is different from Semgrep's earlier expansions into SCA and secrets scanning, which fit existing AppSec line items. Business logic testing has historically depended on manual tester creativity, and OWASP describes it as hard to find automatically because it involves legitimate application behavior and business context.
The comparable set shifts when the budget shifts. In this lane, Semgrep is competing less with rule-based SAST alone and more with AI-native review tools like DryRun and Endor that also claim to catch logic-heavy findings in pull requests, while the incumbent alternatives remain pentests and bug bounty programs.

If this works, AppSec buying moves from occasional human audits toward continuous pre-merge testing for the highest value logic bugs. That would expand Semgrep from a scanner budget into a broader vulnerability discovery budget, and make the platform more central to how security teams decide what gets tested, fixed, and blocked in software delivery.