How Xint’s Predictable Pricing Solves the Token Burn Problem for AI in AppSec
Linear increases in inputs are leading to exponential increases in costs
The more context fed into an LLM query, the less predictable pricing becomes. For AI-native autonomous code scanners, linear increases in the number of code lines can lead to exponential increases in tokens consumed, because of how reasoning models work. For example, doubling the number of code lines analyzed could lead to a 4-10x increase in token burn, even with strict output guardrails in place.
In response, AI services are shifting away from per-seat or lines-of-code pricing and instead pricing based on token consumption. Unfortunately, this has become an obstacle to product security teams adopting AI-native application security, since it is difficult to forecast token costs upfront.
The problem for AI AppSec is architecture, not AI
At Xint, however, we found this was an architecture problem. When agents are improperly scoped, they tend to perform tasks that were not needed or desired but that burn tokens nevertheless.
Our team of offensive security engineers understood the best way to automate breaking the code into intelligent chunks that optimize for model attention (see more about the lost-in-the-middle problem for LLMs), and how to divide the labor of scanning code line by line, with parallel workflows for potential threat analysis, path assessment, and threat modeling (see Figure 1 below for our multi-agent, multi-phase approach). Additionally, because our architecture is model agnostic, we are able to use the best frontier model (judged on performance and price) for each task instead of relying on a single model for all agents in the workflow.
So while Xint uses the same generally available US frontier models (OpenAI, Claude, etc.), what makes Xint Code successful in finding a broader class of bugs in less time while keeping costs predictable is our orchestration engine…all while still being less expensive and delivering findings faster than a human pentest.
As a result, if a customer gives us 2 million lines of code, they know the costs will be double what they were for 1 million lines of code (and technically less, given volume discounts). Besides the quality of the findings, predictable costs are why enterprises with large legacy codebases are turning to Xint Code.
The bad guys are starting to figure this out
AI is bringing down the time and cost of finding severe bugs in large codebases, which benefits malicious hackers and defenders alike. Scanning entire codebases with AI will become the norm as these attacks become more common. The question will not be whether code maintainers do this, but whether they are getting the right coverage, using the best models for the task, integrating the larger vulnerabilities found into workflows that can address them, and generating fewer false positives that take resources away from addressing real vulnerabilities.