Sandyaa: The Open-Source Autonomous Security Bug Hunter
SecureLayer7 released Sandyaa on April 20, 2026, an open-source autonomous source code auditor designed to identify and validate security vulnerabilities. Unlike traditional security scanners that flag potential flaws, Sandyaa is built to determine if a vulnerability poses a real-world risk by generating exploitable proof-of-concepts for its findings.
The tool analyzes entire codebases to understand context and trace execution paths. This process allows the system to map identified issues directly to specific files and lines of code, providing structured reports that include runnable proof-of-concepts as evidence.
Technical Architecture and Recursive Language Models
Sandyaa utilizes Recursive Language Models (RLM) to handle large codebases, a method based on the research detailed in arxiv.org/html/2512.24601v1. Rather than relying on a single large context window, the system drives a Python REPL to manage the analysis programmatically.
Through this REPL, the model can write regex filters, chunk files, and spawn sub-LLM queries. The system then aggregates these results in code to build a comprehensive understanding of the target codebase.
The Autonomous Audit Pipeline
The auditing process consists of eight recursive passes designed to refine findings and prove exploitability. These passes include:

- Call-chain tracing
- Data-flow expansion
- Self-verification
- Vulnerability chaining
- POC refinement
- Contradiction detection
- Assumption validation
- Exploitability proof
To reduce false positives, Sandyaa incorporates attacker-control analysis. This feature allows the tool to drop findings that are not reachable from untrusted input, ensuring that the reported vulnerabilities are actually accessible to an attacker.
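The two ideas above, regex filtering plus programmatic aggregation over a codebase, and dropping findings that no untrusted entry point can reach, can be shown together in a small Python example. This is an added illustration, not Sandyaa's code; the sample "codebase", the sink patterns, and the rule that a function whose first parameter is named `request` receives untrusted input are all constructed assumptions. It uses call-graph reachability, which is coarser than the data-flow expansion the article describes, but it shows why one finding is kept and the other dropped.

```python
"""Toy attacker-control reachability filter (added example, not Sandyaa's code).

Pass 1: regex over each file to find candidate dangerous calls (sinks).
Pass 2: `ast` over each file to build a name-based call graph and detect
        functions that take untrusted input (assumed: first param is "request").
Pass 3: keep only sinks whose enclosing function is reachable from an entry point.
"""
import ast
import re
from collections import deque

# Constructed sample codebase: one sink reachable from a request handler,
# one sink in an internal job that never sees untrusted input.
SAMPLE_CODEBASE = {
    "web/handlers.py": '''
import os
from util.shell import run_cmd

def handle_ping(request):          # entry point: receives untrusted HTTP input
    host = request.args.get("host")
    return run_cmd("ping -c 1 " + host)

def rotate_logs():                 # internal job, not driven by user input
    return os.system("logrotate /etc/logrotate.conf")
''',
    "util/shell.py": '''
import subprocess

def run_cmd(cmd):
    return subprocess.run(cmd, shell=True)
''',
}

# Sink patterns, as a regex filter written in a REPL might look (assumed set).
SINK_PATTERNS = [
    re.compile(r"subprocess\.run\([^)]*shell=True"),
    re.compile(r"os\.system\("),
]

# Assumed heuristic: a first parameter named "request" means untrusted input.
UNTRUSTED_PARAMS = {"request"}


def index_functions(codebase):
    """AST pass: return (call graph, function line spans, entry-point names)."""
    graph = {}        # function name -> set of callee names (matched by bare name)
    spans = {}        # (file, function name) -> (first line, last line)
    entry_points = set()
    for path, src in codebase.items():
        for node in ast.walk(ast.parse(src)):
            if not isinstance(node, ast.FunctionDef):
                continue
            spans[(path, node.name)] = (node.lineno, node.end_lineno)
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    fn = sub.func
                    if isinstance(fn, ast.Name):
                        callees.add(fn.id)
                    elif isinstance(fn, ast.Attribute):
                        callees.add(fn.attr)
            graph[node.name] = callees
            args = node.args.args
            if args and args[0].arg in UNTRUSTED_PARAMS:
                entry_points.add(node.name)
    return graph, spans, entry_points


def find_candidate_sinks(codebase, spans):
    """Regex pass: one finding per line matching a sink pattern."""
    findings = []
    for path, src in codebase.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            if not any(p.search(line) for p in SINK_PATTERNS):
                continue
            # Map the line back to its enclosing function via the AST spans.
            func = next((name for (f, name), (start, end) in spans.items()
                         if f == path and start <= lineno <= end), None)
            findings.append({"file": path, "line": lineno,
                             "function": func, "code": line.strip()})
    return findings


def reachable_functions(graph, entry_points):
    """Breadth-first walk of the call graph from the untrusted entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee in graph and callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def attacker_control_filter(codebase):
    """Return (kept, dropped): sinks reachable vs. unreachable from untrusted input."""
    graph, spans, entry_points = index_functions(codebase)
    reachable = reachable_functions(graph, entry_points)
    findings = find_candidate_sinks(codebase, spans)
    kept = [f for f in findings if f["function"] in reachable]
    dropped = [f for f in findings if f["function"] not in reachable]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = attacker_control_filter(SAMPLE_CODEBASE)
    for f in kept:
        print("KEEP ", f["file"], f["line"], f["function"], f["code"])
    for f in dropped:
        print("DROP ", f["file"], f["line"], f["function"], f["code"])
```

Running it keeps the `subprocess.run(..., shell=True)` call in `run_cmd`, because `handle_ping` (an entry point) calls it, and drops the `os.system` call in `rotate_logs`, which no entry point reaches. A real auditor would refine this with data-flow tracking (does the untrusted value actually reach the sink argument?), which is the step that separates "reachable" from "attacker-controlled".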
Integration and System Requirements
Sandyaa is designed to integrate with existing developer environments. It operates by piggybacking on a user’s Claude Code session, which removes the need for a separate ANTHROPIC_API_KEY or additional billing configuration.
The tool currently supports macOS, where it is actively tested. While Linux is expected to work, SecureLayer7 has noted that it has not yet been actively tested on that platform.
Native Windows support is not currently available because Sandyaa uses Unix-only commands and invokes the Claude CLI without a shell wrapper. Users on Windows can run the tool via WSL2 using a Linux environment.
SecureLayer7 has released Sandyaa in alpha status, noting that users should expect rough edges and potential false positives as the tool continues development.
