In Legacy Codebases, AppSec AI Is Mostly a Context Problem

In large legacy codebases, AI AppSec quality depends less on finding a smarter model and more on extracting enough structure and context to avoid shallow analysis.

One practical lesson from an internal AppSec AI experiment:

In large legacy codebases, the bottleneck often is not “finding a smarter model.” It is extracting enough structure and context to avoid shallow analysis.

What worked better than I expected was a constrained workflow:

• Use inexpensive models for narrow, schema-bound extraction tasks

• Turn undocumented code relationships into usable context

• Ground analysis in that context instead of relying on generic scanning alone

• Validate findings in follow-on passes rather than trusting a single model output
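To make the four steps above concrete, here is an added example (not code from the original post or from the experiment it describes) of the orchestration shape: decompose the codebase into one schema-bound extraction task per file, strictly validate each model result before it becomes context, merge accepted results into a call graph, run the analysis over that graph, and then re-check every finding against the graph in a follow-on pass. The sample files, the entry-point and sink labels, and the "cheap model" are all constructed for the example; the model is a regex stand-in so the pipeline runs offline, and a real deployment would swap in an API call returning the same JSON shape.

```python
import json
import re
from collections import deque

# Constructed sample of a small "legacy" codebase; paths and code are invented for this example.
LEGACY_FILES = {
    "web/handlers.py": "def search(req):\n    q = req.args.get('q')\n    return db_lookup(q)\n",
    "db/access.py": "def db_lookup(term):\n    return run_sql('SELECT * FROM t WHERE name = ' + term)\n",
    "db/raw.py": "def run_sql(stmt):\n    cursor.execute(stmt)\n",
    "util/strings.py": "def shout(s):\n    return s.upper()\n",
}

# Hypothetical reviewer-supplied labels: where untrusted input enters, and which functions are sinks.
ENTRY_POINTS = {"search"}
SINKS = {"run_sql"}

DEF_RE = re.compile(r"^def\s+(\w+)\s*\(", re.M)
CALL_RE = re.compile(r"\b(\w+)\s*\(")
KEYWORDS = {"def", "if", "return", "print"}


def stand_in_cheap_model(path: str, source: str) -> str:
    """Stand-in for an inexpensive model doing one narrow, schema-bound task:
    'list every function in this file and the names it calls', returned as JSON.
    A regex extractor is used here so the pipeline runs offline."""
    functions = []
    for m in DEF_RE.finditer(source):
        start = m.end()
        nxt = DEF_RE.search(source, start)
        body = source[start: nxt.start() if nxt else len(source)]
        calls = sorted({c for c in CALL_RE.findall(body) if c not in KEYWORDS and c != m.group(1)})
        functions.append({"name": m.group(1), "calls": calls})
    return json.dumps({"file": path, "functions": functions})


def validate_extraction(raw: str, expected_file: str):
    """Strict schema check. Anything that does not match is rejected, so malformed or
    hallucinated model output never becomes context. Returns (ok, payload_or_reason)."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as e:
        return False, f"not JSON: {e}"
    if not isinstance(obj, dict) or obj.get("file") != expected_file:
        return False, "file field missing or does not match the task"
    funcs = obj.get("functions")
    if not isinstance(funcs, list):
        return False, "functions must be a list"
    for f in funcs:
        if not (isinstance(f, dict) and isinstance(f.get("name"), str)
                and isinstance(f.get("calls"), list)
                and all(isinstance(c, str) for c in f["calls"])):
            return False, f"bad function record: {f!r}"
    return True, obj


def build_context(files, model):
    """Decompose the codebase into one extraction task per file, validate each result,
    and merge accepted results into a call graph {function: set(callees)}."""
    graph, rejected = {}, {}
    for path, source in files.items():
        ok, payload = validate_extraction(model(path, source), path)
        if not ok:
            rejected[path] = payload
            continue
        for f in payload["functions"]:
            graph.setdefault(f["name"], set()).update(f["calls"])
    return graph, rejected


def paths_to_sinks(graph, entry_points, sinks):
    """Grounded analysis: BFS over the extracted call graph for entry-point-to-sink paths.
    Only validated relationships exist in the graph, so a path is evidence, not a guess."""
    findings = []
    for entry in sorted(entry_points):
        queue = deque([[entry]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                findings.append(path)
                continue
            for callee in sorted(graph.get(node, ())):
                if callee not in path:
                    queue.append(path + [callee])
    return findings


def confirm_finding(graph, path, sinks):
    """Follow-on pass: re-check a finding against the context instead of trusting whatever
    produced it. Every hop must be an extracted edge and the last node must be a sink."""
    if not path or path[-1] not in sinks:
        return False
    return all(b in graph.get(a, ()) for a, b in zip(path, path[1:]))


def run_pipeline(files=LEGACY_FILES, model=stand_in_cheap_model):
    graph, rejected = build_context(files, model)
    candidates = paths_to_sinks(graph, ENTRY_POINTS, SINKS)
    confirmed = [p for p in candidates if confirm_finding(graph, p, SINKS)]
    return {"graph": graph, "rejected": rejected, "confirmed": confirmed}


if __name__ == "__main__":
    for p in run_pipeline()["confirmed"]:
        print("untrusted input reaches sink:", " -> ".join(p))
```

The point of the structure is that the model never gets to assert a vulnerability directly: it only fills a fixed schema per file, the schema check discards anything off-contract, and the finding is produced by walking relationships that survived validation. A finding that claims a hop the graph does not contain (say, `search` calling `run_sql` directly) fails the follow-on check, which is the behaviour you want when a cheaper model is doing the extraction.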

The takeaway for me was not “AI replaces AppSec engineers” and not “buy the newest AI-native platform.”

The lesson was simpler:

For messy, older codebases, context extraction + decomposition + validation may improve security signal more than another round of generic scanning.

For a lot of this work, low-cost models were good enough. The quality came more from orchestration and constraints than from using the most expensive model available.

My current view is that many teams will get more value from augmenting existing workflows with targeted AI-assisted context generation than from treating AI as a fully autonomous security analyst.