AI coding assistants have changed how software gets written. Code is generated continuously, refactored constantly, and pushed faster than traditional application security processes were built to handle. Security teams aren’t struggling because they lack tools. They’re struggling because most tools still operate outside the developer workflow, surfacing issues late and in volumes that teams can’t realistically act on. This is the gap Black Duck Signal is aiming to close.
Most “agentic AI” AppSec tools fall short
Agentic AI has become a common label in application security, but the reality behind many of these claims is underwhelming. In many cases, AI is bolted onto existing scanners or used to summarize findings after the fact. That may improve presentation, but it doesn’t change how security fits into modern development.
Black Duck’s approach with Signal is more structural. Rather than treating AI as an assistant layered on top of legacy workflows, Signal is built to operate inside AI-native development environments from the start.
Patrick Carey, Executive Director of Market Strategy at Black Duck, told ChannelE2E, “Black Duck Signal goes beyond ‘AI-enhanced’ scanners by combining agentic AI with the Black Duck KnowledgeBase™, a curated security intelligence source. It delivers exploitability-based prioritization, verified code fixes, and language-agnostic incremental analysis directly inside AI coding assistants—rather than relying on generic LLM prompts or post-build scans.”
The practical impact of this design is that security analysis happens continuously, not at fixed checkpoints. Code is evaluated as it’s written or modified, across source, binaries, and dependencies, which better matches how AI-driven development actually works.
Making noise reduction measurable, not marketing
Alert fatigue remains one of the most persistent problems in AppSec. Developers and security teams alike have learned to distrust tools that surface long lists of findings without clear guidance on what matters most.
Signal’s focus on noise reduction starts with prioritization grounded in exploitability rather than severity labels alone. A severity label says how bad a flaw could be; an exploitability signal (reachability, known exploits, exposure) says whether it is a real risk in this codebase. That distinction helps teams focus on vulnerabilities that pose real risk, not theoretical exposure.
Carey emphasizes that this approach has been tested in real customer environments, not just lab conditions. “Signal reduces false positives through exploitability scoring and duplicate suppression, validated in early access pilots using precision and recall metrics.”
Just as important is how Signal manages the risks that come with using large language models in security contexts. Rather than allowing free-form generation, Signal enforces strict boundaries around how AI agents operate.
“To prevent LLM hallucinations, Signal agents are grounded in the KnowledgeBase, operate with role separation between finding, fixing, and verifying, and enforce policy-aware verification before any remediation is surfaced.”
This separation of duties mirrors how mature security teams already work, with checks and balances built into the process, and applies that discipline to AI-driven analysis.
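The three ideas named above (ranking by exploitability evidence instead of severity alone, suppressing duplicate findings, and keeping the role that proposes a fix separate from the role that verifies it against policy) can be sketched in a few dozen lines. The following is an added, constructed illustration of those concepts, not Black Duck Signal’s code or its scoring model; the `Finding` fields, the weights in `exploitability_score`, the `FIX_POLICY` rules, and the sample findings are all assumptions made for the example.

```python
"""Constructed illustration of exploitability-weighted triage, duplicate
suppression, precision/recall measurement, and a find/fix/verify role split.
Not Black Duck Signal code; every weight and policy rule here is an assumption."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str            # detector that fired, e.g. "sqli"
    file: str
    line: int
    severity: float      # severity label on a 0-10 scale
    reachable: bool      # sink reachable from an entry point (assumed signal)
    exploit_known: bool  # public exploit / active exploitation evidence (assumed signal)


def exploitability_score(f: Finding) -> float:
    """Severity is only a label: downweight unreachable code, upweight known exploits."""
    score = f.severity
    if not f.reachable:
        score *= 0.2      # unreachable sink: theoretical exposure only
    if f.exploit_known:
        score += 2.0      # evidence of real-world exploitation
    return round(min(score, 10.0), 2)


def suppress_duplicates(findings):
    """Drop repeated reports of the same rule at the same location."""
    seen, unique = set(), []
    for f in findings:
        key = (f.rule, f.file, f.line)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def prioritize(findings):
    """Deduplicate, then rank by exploitability, highest first."""
    return sorted(suppress_duplicates(findings), key=exploitability_score, reverse=True)


def precision_recall(reported, truth):
    """Score a triage run against a labelled ground-truth set of (rule, file, line) keys."""
    reported, truth = set(reported), set(truth)
    tp = len(reported & truth)
    precision = tp / len(reported) if reported else 0.0
    recall = tp / len(truth) if truth else 0.0
    return round(precision, 3), round(recall, 3)


# Role separation: the fixer proposes, the verifier decides, and nothing is
# surfaced to the developer without the verifier's approval.
FIX_POLICY = {"forbidden_tokens": ("eval(", "exec(", "shell=True"),
              "allowed_paths": ("app/",)}


def fixer_propose(finding: Finding, source_line: str) -> str:
    """Fixer role: rewrite an f-string SQL query into a parameterised one."""
    m = re.match(r'(\s*)cursor\.execute\(f"(.*?)\{(\w+)\}(.*?)"\)', source_line)
    if finding.rule != "sqli" or not m:
        return source_line
    indent, pre, var, post = m.groups()
    return f'{indent}cursor.execute("{pre}?{post}", ({var},))'


def verifier_accept(finding: Finding, original: str, proposed: str, policy=FIX_POLICY) -> bool:
    """Verifier role: independent policy checks, never trusting the fixer's output."""
    if not finding.file.startswith(policy["allowed_paths"]):
        return False                                    # outside policy scope
    if any(tok in proposed for tok in policy["forbidden_tokens"]):
        return False                                    # fix introduces a forbidden construct
    if proposed == original:
        return False                                    # no-op "fix"
    if finding.rule == "sqli" and re.search(r'execute\(f"', proposed):
        return False                                    # still interpolating into SQL
    return True


def remediate(finding: Finding, source_line: str):
    """Return the fix only if the verifier accepts it; otherwise surface nothing."""
    proposed = fixer_propose(finding, source_line)
    return proposed if verifier_accept(finding, source_line, proposed) else None


# Constructed sample findings; the first two are duplicate reports of one issue.
SAMPLE = [
    Finding("sqli", "app/db.py", 42, 8.0, True, True),
    Finding("sqli", "app/db.py", 42, 8.0, True, True),
    Finding("xxe", "app/xml.py", 10, 9.1, False, False),
    Finding("path-traversal", "app/files.py", 77, 6.5, True, False),
]
TRUTH = {("sqli", "app/db.py", 42), ("path-traversal", "app/files.py", 77)}

if __name__ == "__main__":
    ranked = prioritize(SAMPLE)
    for f in ranked:
        print(f"{exploitability_score(f):5.2f}  {f.rule:15s} {f.file}:{f.line}")
    print("precision/recall:", precision_recall([(f.rule, f.file, f.line) for f in ranked], TRUTH))
    line = '    cursor.execute(f"SELECT * FROM users WHERE name = {name}")'
    print("surfaced fix:", remediate(SAMPLE[0], line))
```

Note how the high-severity but unreachable XXE finding drops to the bottom of the ranking, and how the verifier rejects a no-op fix, a fix outside the allowed paths, or one that introduces a forbidden call, regardless of what the fixer role proposed.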