How Cygent Works
The shift-left philosophy, the CARA engine, and why Cygent is a remediation loop — not another scanner.
Overview
Cygent is a dedicated AI security engineer. Not a scanner that hands you a PDF. Not a chatbot bolted onto a CI pipeline. A team member that lives in Slack, GitHub, Google Meet, and your IDE, builds persistent context about your codebase, and closes the loop from "vulnerability found" to "PR merged."
This page explains the philosophy behind the product, what powers it, and where it is genuinely different from the alternatives you've already tried.
The remediation loop
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Detect │──▶│ Triage │──▶│ Fix │──▶│ Review │
└──────────┘ └──────────┘ └──────────┘ └────┬─────┘
▲ │
└──────────────── Remember ────────────────────┘
A scanner-only tool ends at "here is the list." Cygent keeps going — every stage is wired into the next, and the loop closes back on itself so context compounds.
Detect
CARA runs an audit — triggered from the dashboard, from Slack, from a GitHub webhook, or on a schedule — and produces findings with severity, location, and exploit reasoning.
Triage
Each finding has a lifecycle: Active, Resolved, Invalid, Deleted. Marking a finding Invalid is a first-class action, with a documented reason. False positives don't sit in your backlog forever.
Fix
Cygent Code — the coding agent — proposes a plan, waits for your approval, writes the code, runs the build, and opens a PR. You iterate in the same thread: "also add a natspec comment", "use a mapping instead".
Review
The next PR — whether from a human or from Cygent — gets an automatic security pass. Findings are posted inline on GitHub and categorized as New, Still Present, or Resolved. See PR review comments.
Remember
Decisions stick. Accepted risks, protocol-specific context, "we already decided WETH-only for this pool" — Cygent carries those forward into the next audit, the next PR, the next conversation.
Finding the bug is roughly 10% of the work — writing the fix safely, without introducing new bugs, is the other 90%.
Shift left
The security industry has spent a decade saying "shift left" — move security earlier in the development lifecycle, put it in front of engineers while they build, not after they ship. In practice, most tools never made it further than a CI step that prints a report nobody reads.
Cygent is built around the idea that security belongs in the same places your developers already work:
| Moment | Where it happens |
|---|---|
| Code review | On the PR, inline, the moment it opens |
| Architecture debate | In the Google Meet where it's being debated |
| Bug bounty triage | Where the submission landed |
| A fix | As a PR you can merge, not prose telling you what to do |
The guiding analogy is construction. You pour a good foundation on day one because fixing a foundation is expensive and invasive once the house is framed. Security works the same way — every day the vulnerability lives in the codebase, the cost of removing it grows.
The CARA engine
Under the hood, Cygent's security analysis is powered by CARA — the Cyfrin Audit & Review Assistant. CARA is the same engine that ships in Cyfrin's security tooling, trained on the same corpus that Cyfrin's human auditors draw on.
CARA's job is to find real vulnerabilities, reason about whether they are actually exploitable in your specific protocol, and produce a finding with the severity, root cause, recommendation, and affected code baked in. It detects the categories you'd expect — reentrancy, access control, input validation, oracle manipulation, MEV exposure, gas pitfalls — and it does so across Solidity, Rust, and Go.
But CARA is only half the product. The other half is everything that happens after a finding exists — the loop above.
Proprietary context
A question that comes up early: "Can't I just get this by pointing ChatGPT at my repo?"
The honest answer is no, and the reason is context. Cygent is built by Cyfrin, which runs four aligned businesses — each one feeds the model with material a generic LLM has never seen.
| Pillar | What it contributes |
|---|---|
| Updraft | The largest smart contract developer education platform — curriculum, exercises, common mistakes |
| Solodit | Curated database of security findings from top audit firms across the industry |
| Aderyn | Open-source Solidity static analyzer with a deep vulnerability rule set |
| Audit practice | Auditors actively reviewing protocols like MetaMask, zkSync, and many others |
Reasoning over pattern-matching
The best illustration of the difference is how Cygent handles a classic checks-effects-interactions violation.
Consider this pattern from the GhostLend demo codebase:
function withdrawCollateral(address token, uint256 amount) external {
emit CollateralWithdrawn(msg.sender, token, amount);
IERC20(token).safeTransfer(msg.sender, amount); // external call
s_collateral[msg.sender][token] -= amount; // state update after
}
A pattern-matching scanner flags this as a critical reentrancy bug every single time. It's textbook CEI violation.
Cygent marks it Invalid, with a reason. Why? Because Cygent knows the protocol only supports WETH and USDC as collateral. Neither token has callback hooks on transfer. The code is bad practice and a future-proofing hazard, but it is not currently exploitable. Cygent flags it as a warning and moves on — it does not waste an engineer's afternoon on a fire drill.
That distinction — "real bug" vs. "textbook pattern that happens to be unreachable in this protocol" — is what separates a security engineer from a linter. It is what Cygent is built to do.
Cygent builds Cygent
The ultimate stress test for a code-writing security agent is whether its output is good enough for its own team to merge.
Cygent is used internally at Cyfrin to audit its own updates, fix its own bugs, and open its own PRs against its own codebase. It is not an isolated demo that never runs in production. It is an active contributor to the product you are reading the docs for.
When a customer asks "how do I know the code Cygent writes is safe to merge?" the answer is: we merge it ourselves, every day, into the product you are using.
Enterprise posture
Cygent is designed for teams where security is a first-class concern. That implies a few non-negotiables:
| Guarantee | What it means |
|---|---|
| Isolated instances | Every customer gets their own Cygent instance — its own database, integrations, configuration. No shared tenancy. |
| SOC2 | Cygent is built to meet SOC2 standards. |
| Encrypted secrets | GitHub App tokens, RPC endpoints, Battle Mode deploy keys — all encrypted at rest. |
| Role-based access | Owners manage the instance; Members interact. Invite links expire in 7 days. |
Cygent is currently available through an Enterprise Beta waitlist. Instances are spun up per-customer by Cyfrin — there is no self-serve signup.
What's in the box
A one-screen mental model of the product:
Continuous auditing
CARA runs audits on demand, on schedule, and on webhook. Severity-graded findings with lifecycle tracking.
PR review
Inline GitHub comments on every PR. New / Still Present / Resolved categorization. Auto-review with configurable confirmation.
Cygent Code
Plan-first coding agent that fixes findings, builds features, and opens PRs from a chat conversation.
Scheduled tasks
Any prompt, on any schedule. Weekly audits, daily threat monitors, recurring health checks.
Google Meet
Joins calls as a participant. Live voice Q&A, transcription, post-meeting summaries.
Battle Mode
Red-team / blue-team sandbox that proves whether a finding is actually exploitable against your deployed contracts.
IDE via MCP
Claude Code, Cursor, Codex, VS Code, Windsurf, Zed — findings and triage inline in your editor.
Memory
Persistent context across conversations, projects, and team members. Accepted risks stay accepted.