
Endor Labs Launches AURI Free, Citing 10% Secure AI-Generated Code


Published: March 4, 2026

Endor Labs, the application security startup backed by over $208 million in venture funding, today launched AURI, a new platform designed to embed real-time security intelligence directly into AI coding tools. This release comes as new research indicates a significant security gap: only 10% of AI-generated code is found to be both functional and secure.

AURI is immediately available free for individual developers, integrating natively with popular AI coding assistants like Cursor, Claude, and Augment through the Model Context Protocol (MCP). The company aims to address a critical challenge arising from the widespread adoption of AI in software development, where 90% of teams now leverage these tools.

The Urgent Need for Secure AI-Generated Code

The launch highlights a growing concern within the developer community. While AI coding models accelerate productivity, they are often trained on vast repositories of open-source code that include not only best practices but also known vulnerabilities and insecure patterns. Varun Badhwar, CEO of Endor Labs, explained that models, despite learning best practices, tend to replicate past security issues.

Traditional security scanning tools, designed for human-paced coding, struggle to keep up with the speed and volume of AI-generated code. This creates a feedback loop where AI tools rapidly produce code, much of it potentially insecure, overwhelming security teams and increasing the risk of new vulnerabilities.

AURI's Innovative Code Context Graph

Endor Labs distinguishes AURI through its "code context graph," a deep, function-level map tracing how an application's first-party code, open-source dependencies, container layers, and AI models interconnect. Unlike competitors that merely check imported libraries against vulnerability databases, AURI pinpoints the exact usage and context of components, identifying precise lines of code with vulnerabilities.

This approach, developed by a team including 13 PhDs specializing in program analysis, drastically reduces false positives. Badhwar cites an example where an application might only use 10 lines from a 100,000-line AWS SDK; AURI's full-stack reachability analysis ignores vulnerabilities in the 99,990 unused lines. This leads to an average 80% to 95% reduction in security findings for enterprise customers, saving significant developer time.

Freemium Strategy for Broad Adoption

To drive rapid adoption, AURI's core functionality is offered free to individual developers through an MCP server that integrates with IDEs like VS Code and Cursor. This free tier requires no sign-up or credit card and, crucially, runs entirely on the developer's machine, ensuring code privacy by keeping all scanning local.

The enterprise version expands on this with features essential for large organizations, including full customization, policy configuration, role-based access control, and integration across CI/CD pipelines. This freemium model mirrors successful strategies from companies like GitHub and Atlassian, aiming to embed AURI where code is being written.

Championing Independent Security Review

Badhwar emphasizes the importance of independence in security review, particularly as AI model providers begin offering their own security tools. He argues that relying on the same tool to generate and review code poses a conflict of interest, advocating for separate, deterministic, and verifiable security solutions.

Endor Labs combines the reasoning capabilities of LLMs with deterministic tools, ensuring consistency and verifiability of findings. Beyond detection, AURI simulates upgrade paths and recommends remediation routes that avoid breaking changes, which can then be confidently executed by developers or AI agents.

Real-World Impact and Future Outlook

AURI has already demonstrated its effectiveness, notably identifying seven zero-day vulnerabilities in the popular agentic AI assistant OpenClaw in February 2026, six of which were subsequently patched. The company also actively tracks malware campaigns in ecosystems like npm.

Well-capitalized with a $93 million Series B round closed in April 2025, Endor Labs serves major clients including OpenAI, Dropbox, Atlassian, Snowflake, and Robinhood. Its platform protects over 5 million applications and performs more than 1 million scans weekly, supporting compliance with frameworks like FedRAMP, NIST, and the European Cyber Resilience Act.

Badhwar remains optimistic about security tooling evolving alongside AI-driven development, drawing parallels to the industry's adaptation to cloud computing. He believes AI agents, given the right context, can solve long-standing security challenges by prioritizing fixes without human intervention.

FAQ

Q: What is AURI by Endor Labs?
A: AURI is a free tool launched by Endor Labs that integrates directly into AI coding assistants to provide real-time security intelligence, helping developers identify and fix vulnerabilities in AI-generated code early in the development process.

Q: How does AURI differ from other application security tools?
A: AURI utilizes a unique "code context graph" to perform full-stack reachability analysis. Instead of just flagging all known vulnerabilities in imported libraries, it traces exactly how and where components are used, reducing false positives by focusing on truly reachable and exploitable flaws.

Q: Is the free version of AURI secure and private for individual developers?
A: Yes, the free version of AURI is designed with privacy in mind. It runs entirely on the developer's local machine, meaning all code scanning and analysis occurs locally, and no proprietary code is copied to Endor Labs' servers.
