Arm Open-Sources Metis, an AI Security Framework Outperforming Traditional SAST Tools

InfoQ News · DevOps · May 30, 2026 · 2 min read
by Sergio De Simone
Arm has open-sourced Metis, an agentic AI security framework designed to autonomously uncover complex software vulnerabilities. Unlike traditional pattern-based tools, Metis applies semantic reasoning to analyze cross-component dependencies and provides clear, natural language explanations for its findings.
According to Arm, the growing complexity of modern codebases makes it challenging for traditional static application security testing (SAST) tools to detect vulnerabilities across multiple function boundaries or libraries without generating high false-positive rates. Instead of relying on fixed rules and pattern matching, Metis employs "agentic" AI to identify security issues across large-scale codebases:
By combining advanced analysis techniques with AI-enabled workflows, Metis identifies more sophisticated security vulnerabilities that are difficult to detect using existing approaches, as well as identifying them earlier in the process.
Metis uses retrieval-augmented generation (RAG) to enhance a base large language model with project-specific context derived from source code, build files, and documentation, giving it a clearer picture of the system design and intended behavior. With this approach, Arm says, Metis can analyze entire repositories, individual files, pull requests, or recent code changes, delivering up to 10x higher true positive rates and approximately 50% fewer false positives compared with leading static analysis tools.
False positives consume valuable engineering time and can reduce trust in automated tooling. By reducing false positives, Metis helps engineering teams focus on the issues that matter most, accelerating remediation and reducing wasted effort during validation and review.
Metis can also operate alongside external SAST tools and validate their findings to help reduce the number of false positives. In Arm's internal benchmarks using GPT-5.5-Cyber as the base model, Metis achieved 98% accuracy in identifying vulnerabilities, compared with just 6% for traditional SAST, according to the company. The announcement does not identify the benchmark corpus or the SAST tools used as the baseline, so the figures are vendor-reported.
Beyond simply flagging vulnerabilities, Metis can also explain its findings with clear, actionable summaries, giving developers and engineers the context they need to understand and address issues quickly.
Metis can be used with any OpenAI-compatible LLM and supports a wide range of programming languages, including C, C++, Python, Go, TypeScript, Rust, and others. Its plugin-based architecture also allows developers to easily extend support for additional languages, models, and custom prompts.
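As an added illustration of the validation loop described above, and not code from Metis or Arm (the announcement publishes no internal interfaces), the following Python script re-checks one scanner finding against its enclosing function through the same OpenAI-compatible chat-completions API that Ollama, vLLM and LiteLLM expose. The C sample, the finding, the rule name, the prompt and the `Finding`/`triage` helpers are constructed for this example; the base URL is the local Ollama endpoint from the metis.yaml example that follows. The design point worth copying is that a finding is dropped only on an explicit, well-formed `false_positive` verdict, so a model that rambles or returns broken JSON cannot silently suppress a real bug.

```python
# Added example (not Metis code): re-check a SAST finding against its enclosing
# code through an OpenAI-compatible /chat/completions endpoint, failing closed.
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict

# Constructed sample: a C file whose strcpy is bounds-checked two lines earlier,
# the kind of finding a regex rule flags and a context-aware reviewer dismisses.
SAMPLE_SOURCE = """\
#include <string.h>
#include <stdio.h>

void greet(const char *name) {
    char buf[32];
    if (strlen(name) >= sizeof buf) {   /* bound checked before copy */
        return;
    }
    strcpy(buf, name);
    printf("hello %s\\n", buf);
}
"""

@dataclass
class Finding:
    rule_id: str
    path: str
    line: int        # 1-based line the scanner flagged
    message: str

def enclosing_function(src: str, line: int) -> str:
    """Crude context retrieval: the top-level C function containing `line`.
    Metis builds such context with RAG over the repo; a brace counter suffices here."""
    lines = src.splitlines()
    start = next((i for i in range(line - 1, -1, -1)
                  if re.match(r"^\w[\w\s\*]*\(.*\)\s*\{\s*$", lines[i])), 0)
    depth = 0
    for end in range(start, len(lines)):
        depth += lines[end].count("{") - lines[end].count("}")
        if depth == 0:
            break
    return "\n".join(lines[start:end + 1])

SYSTEM_PROMPT = (
    "You are a security reviewer validating a static-analysis finding. Reply ONLY "
    'with JSON: {"verdict": "true_positive"|"false_positive"|"unsure", '
    '"reason": "<one sentence>"}.'
)
VALID_VERDICTS = {"true_positive", "false_positive", "unsure"}

def build_request(f: Finding, context: str, model: str) -> Dict[str, Any]:
    """Chat-completions payload; Ollama, vLLM and LiteLLM all accept this shape."""
    user = (f"Finding {f.rule_id} at {f.path}:{f.line}: {f.message}\n\n"
            f"Enclosing function (C):\n{context}\n\n"
            "Is the flagged line actually exploitable?")
    return {"model": model, "temperature": 0,
            "messages": [{"role": "system", "content": SYSTEM_PROMPT},
                         {"role": "user", "content": user}]}

def http_transport(base_url: str) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Real transport: POST to <base_url>/chat/completions and return the JSON body."""
    def send(payload: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            base_url.rstrip("/") + "/chat/completions",
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.load(resp)
    return send

def triage(f: Finding, src: str, send: Callable[..., Dict[str, Any]],
           model: str = "llama3.1:8b") -> Dict[str, str]:
    """Return {'verdict', 'reason'}; malformed model output degrades to 'unsure'."""
    resp = send(build_request(f, enclosing_function(src, f.line), model))
    text = resp["choices"][0]["message"]["content"]
    m = re.search(r"\{.*\}", text, re.S)          # tolerate chatter around the JSON
    try:
        out = json.loads(m.group(0)) if m else {}
    except json.JSONDecodeError:
        out = {}
    verdict = out.get("verdict") if isinstance(out, dict) else None
    if verdict not in VALID_VERDICTS:
        return {"verdict": "unsure", "reason": "unparseable model output"}
    return {"verdict": verdict, "reason": str(out.get("reason", ""))}

def keep_finding(result: Dict[str, str]) -> bool:
    """Fail closed: only an explicit false_positive removes a finding from the report."""
    return result["verdict"] != "false_positive"

if __name__ == "__main__":
    finding = Finding("C-STRCPY", "greet.c", 9, "strcpy without bounds check")
    # Same local Ollama endpoint as the metis.yaml example; use a LiteLLM URL for vLLM.
    result = triage(finding, SAMPLE_SOURCE, http_transport("http://localhost:11434/v1"))
    print(result, "keep" if keep_finding(result) else "drop")
```

Because the transport is injectable, the triage logic can be exercised offline with canned model replies, which is also how you would regression-test prompt changes before pointing the loop at a real endpoint. Note that with a remote `base_url` the enclosing source code leaves the machine in every request; keep the endpoint local (as in the Ollama setup) or on infrastructure you control when the code base is sensitive.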
Metis supports both Ollama and vLLM deployments, which are configured in metis.yaml. For example, to use Llama 3.1 with Ollama on a local machine:

```yaml
llm_provider:
  name: "ollama"
  base_url: "http://localhost:11434/v1"
  model: "llama3.1:8b"
  code_embedding_model: "nomic-embed-text:v1.5"
  docs_embedding_model: "nomic-embed-text:v1.5"
```

For vLLM deployments, Arm recommends using LiteLLM as a frontend for the LLM provider and configuring Metis to route requests through it. A typical setup includes one vLLM instance serving a chat model, another serving the embedding model, and a LiteLLM router to coordinate traffic between them.
While the current release focuses on vulnerabilities in software systems, Arm is working to extend Metis to support hardware vulnerability verification.
Arm says that Metis is currently monitoring over 130 software projects within the company. The code is available under an Apache 2.0 license on GitHub.
About the Author

#### Sergio De Simone
Sergio De Simone is a software engineer. Sergio has been working as a software engineer for over twenty five years across a range of different projects and companies, including such different work environments as Siemens, HP, and small startups. For the last 10+ years, his focus has been on development for mobile platforms and related technologies. He is currently working for BigML, Inc., where he leads iOS and macOS development.