Knostic has released OpenAnt, an LLM-based vulnerability discovery tool that eliminates up to 99.98% of false positives by actually attempting to exploit detected vulnerabilities before reporting them. The open-source project, released under the Apache 2 license in February 2026, has accumulated 133 stars on GitHub and supports Python, JavaScript, TypeScript, Go, PHP, and C/C++.
Two-Stage Attack Approach
OpenAnt uses a two-stage process that differs fundamentally from traditional static analysis tools. Stage 1 (Detection) flags potential vulnerabilities aggressively, employing a reachability filter and flow analysis to focus on externally-exposed code. Stage 2 (Attack) then attempts to exploit each detected vulnerability, using LLMs to generate dynamic tests on the fly.
Only vulnerabilities that survive the attack phase are reported as real security issues. The system uses the most capable LLM within budget constraints, currently Opus 4.6, to generate exploit attempts tailored to specific code contexts.
Performance Results
OpenAnt demonstrates significant improvements over traditional SAST (Static Application Security Testing) tools:
- Eliminates as much as 99.98% of false positives on popular open source projects
- Stage 2 eliminated 92% of false positives on a 65K-star Go project
- Supports six programming languages: Python, JavaScript, TypeScript, Go, PHP, and C/C++
The tool focuses on externally-exposed code (the attack surface) rather than all code, helping manage computational costs while prioritizing real security risks.
Solving the False Positive Problem
Traditional SAST tools are notorious for high false positive rates, leading to alert fatigue where developers ignore security warnings. By actually attempting to exploit potential vulnerabilities before reporting them, OpenAnt provides a much higher signal-to-noise ratio.
The LLM-powered attack generation is particularly innovative: instead of relying on predefined exploit patterns, the system can generate novel attack attempts tailored to the specific code context. This combines the coverage of static analysis with the precision of penetration testing.
Most SAST tools report anything that could be vulnerable, leaving developers to manually verify exploitability. OpenAnt flips this by only reporting what it successfully exploited, dramatically reducing false positives while potentially missing some esoteric vulnerabilities (trading recall for precision).
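The detect-then-verify flow and the recall trade-off described above, as an added Python sketch that is not OpenAnt's code. It assumes path traversal as the bug class; a crude AST match stands in for the reachability and flow analysis, a fixed probe list stands in for LLM-generated tests, and every name in it is hypothetical.

```python
import ast
import os

BASE = "/srv/app/files"  # constructed base directory (POSIX paths assumed)

# Constructed sample handlers standing in for externally exposed code.
SAMPLE = '''
def read_raw(name):
    return os.path.join(BASE, name)

def read_checked(name):
    path = os.path.normpath(os.path.join(BASE, name))
    if not path.startswith(BASE + os.sep):
        raise ValueError("outside base")
    return path

def read_basename(name):
    return os.path.join(BASE, os.path.basename(name))

def read_nodots(name):
    if ".." in name:
        raise ValueError("dot-dot rejected")
    return os.path.join(BASE, name)
'''

def stage1_detect(source):
    """Aggressive detection: flag every function that calls os.path.join."""
    hits = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef) and any(
            isinstance(n, ast.Call) and ast.unparse(n.func) == "os.path.join"
            for n in ast.walk(fn)
        ):
            hits.append(fn.name)
    return hits

def stage2_verify(source, name, probes):
    """Dynamic check: confirmed only if some probe resolves outside BASE."""
    ns = {"os": os, "BASE": BASE}
    exec(source, ns)  # acceptable here only because SAMPLE is constructed
    for probe in probes:
        try:
            resolved = os.path.normpath(ns[name](probe))
        except ValueError:
            continue  # handler rejected this input
        if not resolved.startswith(BASE + os.sep):
            return True
    return False

def scan(source, probes=("../../etc/passwd",)):
    candidates = stage1_detect(source)
    return candidates, [c for c in candidates if stage2_verify(source, c, probes)]
```

With the default probe, stage 1 flags all four handlers and stage 2 confirms only `read_raw`, so two safe handlers are dropped but the still-unsafe `read_nodots` goes unreported. Adding an absolute-path probe confirms it as well, which shows that recall in this design is bounded by the quality of the generated tests.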
Open Source Initiative
Knostic is launching a free scanning program for open source projects using OpenAnt in 2026, potentially improving security across the OSS ecosystem. The hybrid approach combines traditional program analysis (reachability, flow analysis) with LLM-generated exploit attempts, leveraging the strengths of both deterministic analysis and creative attack generation.
Key Takeaways
- OpenAnt uses a two-stage approach: aggressive detection followed by LLM-powered exploitation attempts, only reporting vulnerabilities that survive actual attacks
- The tool eliminates up to 99.98% of false positives on popular open source projects, with Stage 2 eliminating 92% of false positives on a 65K-star Go project
- OpenAnt supports Python, JavaScript, TypeScript, Go, PHP, and C/C++ and is released under the Apache 2 license
- The system uses the most capable LLM (currently Opus 4.6) to generate novel exploit attempts tailored to specific code contexts, combining static analysis coverage with penetration testing precision
- Knostic is launching a free scanning program for open source projects in 2026 to improve security across the OSS ecosystem