Security/ ai · security · vulnerability-detection · research

LLMs Fail Code Security Reviews When the Context Changes

A new study finds that framing, anchoring, and author attribution can flip an AI security tool's verdict without changing a single line of code.

AI vulnerability scanners can be fooled by words, not just code.

Researchers published the first systematic study of cognitive heuristics in LLM-based code vulnerability detection, testing eight models across three programming languages. They held the code constant and varied only surrounding context — who wrote it, how the task was framed, and what prior analysis suggested. All eight models proved susceptible. Framing effects (changing the stated objective or consequences of a task) produced the largest average swing: 33.2% of verdicts shifted. Anchoring effects from prior analysis results came in at 23.5%, and halo effects tied to author attribution at 18.4%.

The practical stakes are higher than an academic benchmark. The researchers demonstrated a proof-of-concept black-box attack that suppressed up to 97% of previously detected vulnerabilities — without touching the underlying code. Models that relied on semantic reasoning were more vulnerable than those using pattern matching, which means the more sophisticated the tool, the more exposed it may be to this class of manipulation.

The finding lands at an awkward moment. Security teams are actively adopting LLM-based scanners as a force multiplier, often treating their output as a reliable first pass before human review. If the same cognitive shortcuts that trip up a tired engineer also trip up an AI, the case for using these tools as a trust layer weakens considerably. The study stops short of naming specific commercial products, but the eight models tested represent a broad enough sample that no vendor should assume their tool is exempt.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →