Reinforcement learning has been applied to software security research for over a decade, yet almost none of that work targets the hardest part: finding real vulnerabilities.
Researchers conducting a PRISMA 2020-compliant review of the field examined 21 studies published between 2015 and 2026, drawn from major scientific databases. Of those, 15 focused on fuzzing and guided program exploration - the comparatively approachable task of generating inputs that crash software. Only 3 studies tackled direct vulnerability detection, and just one attempted to pinpoint the exact line of code where a flaw lives. The review also found that structurally rich code representations - Control Flow Graphs and Abstract Syntax Trees - are rarely used as inputs to RL agents, despite being standard tools in traditional static analysis.
This matters because C and C++ still underpin most operating systems, embedded firmware, and performance-critical infrastructure. Manual memory management in these languages creates an entire class of bugs - buffer overflows, use-after-free errors - that automated tools have struggled to catch reliably for years. If RL is going to close that gap, it needs to work at the source-code level, not just throw random inputs at a binary.
The review proposes a taxonomy to bring some order to a field where benchmarks are inconsistent enough that comparing results across papers is nearly impossible - which is itself a sign that the research is still in early-stage scatter, not convergence.