Announcing Xint Code

Real Vulnerabilities. Actionable Results.
Dec 16, 2025

We just debuted Xint Code, our new code analysis tool building on our success at the AI Cyber Challenge (AIxCC) in August.

With zero human intervention, Xint Code found critical 0day RCE bugs in Redis, PostgreSQL, and MariaDB – sweeping the database category at ZeroDay Cloud and beating out every human team. These vulnerabilities are currently going through responsible disclosure with the relevant maintainers.


What Xint Code does

Xint Code analyzes arbitrary collections of source code, configuration files, and even binaries; there are zero packaging or harnessing requirements. The outputs are actionable: you receive a human-readable report for each vulnerability, including a context-aware assessment of the impact and severity. Compared to traditional static analysis tools, Xint Code produces dramatically fewer false positives while finding significantly more real vulnerabilities, sometimes including issues missed by humans for decades.

Finding these three RCE vulnerabilities at ZeroDay Cloud was as simple as dropping in the entire git repo of each project and letting Xint Code run. For each of the three targets, Xint Code correctly identified the highest severity vulnerability (our demo exploits used the top result from each report). This required no manual setup, no special harnesses, and no humans in the loop during analysis.

[Figure: Xint Code analysis pipeline]

How Xint Code works

Using our decades of experience in securing software and leveraging advances in AI, we have automated the human bug finding workflow. Our solution autonomously maps out the project and attack surfaces, deeply analyzes every line of code in its relevant context, and identifies vulnerabilities that have real security impacts.

This allows Xint Code to scale our security researchers’ leading expertise across large, complex codebases, finding flaws that standard tools completely miss.


What we’re doing next

ZeroDay Cloud 2025 had an extremely high bar for eligible bugs: RCE in default configurations of widely used OSS. Xint Code found these highly critical bugs in all three of the targeted databases. Considering security impact more broadly, Xint Code has produced at least one high-severity vulnerability in nearly every open source project it has analyzed.

We believe we can make a real security impact by running Xint Code on projects from the Open Source community. The ZeroDay Cloud prize money will fund more analysis runs on critical software powering the modern world.


We’re looking for partners

Xint Code finds real-world vulnerabilities, and we're excited about its growing role in securing the world's software. At the same time, tools that reliably surface high-impact vulnerabilities need to be deployed responsibly, so we’re being deliberate about how we roll it out.

For early engagements, we’re seeking a small number of partners who will use Xint Code in real security workflows. We’ll work closely with you to run analyses on your codebases and validate findings.

If you’re interested in collaborating, please visit our website to get in touch.


Theori © 2025 All rights reserved.