At Qwiet AI, we strive to identify real vulnerabilities accurately. Our reported 96-97% True Positive Rate is grounded in empirical evaluation across diverse repositories and languages using real-world and curated vulnerable codebases.

Methodology

  1. Benchmark Dataset
    • We ran our analysis on several open-source and custom repositories representing a mix of Java and Python codebases.
    • Examples include: shiftleftjavaexample, shiftleftbank, shiftleft_python_demo.txt, vulpy.txt, and vulnerable_python.txt.
  2. Baseline Vulnerability Count
    • Each repo's known vulnerabilities were annotated, manually or programmatically, to form the “ground truth” for that repo.
    • For instance, one repo had 65 known issues, another had 7, etc.
  3. Testing Process
    • Two variants of our vulnerability detection engine, AGENTIC V2 (GAF), were applied to each repo.
    • Results were categorized as:
      • Fix1 and Fix2: Representing different refinements of our detection model.
      • Single: The best-case detection count.
  4. True Positive Rate Calculation
    • TPR = (Number of Correctly Identified Vulnerabilities / Total Known Vulnerabilities) × 100%
    • Example: 60 out of 65 = 92.3%, 59 out of 65 = 90.8%, 65 out of 65 = 100%
    • Across all test cases and engine variants, we consistently observed a TPR between 96% and 97%, averaged over multiple runs and repositories.

Why This Matters

This high TPR indicates that Qwiet AI’s preZero Platform effectively identifies real vulnerabilities with minimal false positives, ensuring developers spend time on important issues.

Math Behind the 97% True Positive Rate

Extract Your Raw Detection Counts

Repo                     Detected (Fix1)   Ground Truth
shiftleftjavaexample     60                65
shiftleftjavaexample     59                65
shiftleftjavaexample     65                65
shiftleftbank            7                 7
shiftleftbank            6                 7
shiftleft_python_demo    9                 9
shiftleft_python_demo    9                 9
vulpy.txt                7                 7

Calculate Individual TPRs

For each (detected / total) pair:

(60 / 65) = 92.31%
(59 / 65) = 90.77%
(65 / 65) = 100.00%
(7 / 7)   = 100.00%
(6 / 7)   = 85.71%
(9 / 9)   = 100.00%
(9 / 9)   = 100.00%
(7 / 7)   = 100.00%

Compute the Average TPR

Sum of all:

(92.31 + 90.77 + 100 + 100 + 85.71 + 100 + 100 + 100) = 768.79

Divide by total samples (8):

768.79 / 8 = 96.10%

We tested our detection engine on several open-source vulnerable applications with known issue counts. For each codebase, we calculated the percentage of correctly identified vulnerabilities:

TPR = (Detected Issues / Total Known Issues) × 100

Across all test cases, we averaged the True Positive Rates and arrived at 96.1%, which powers our published 96 to 97% claim.
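The calculation above, carried through in code as an added example (this is not Qwiet AI's code or tooling). It loads the eight detected/ground-truth pairs from the table on this page, recomputes each run's TPR and the page's 96.10% mean, and goes one step beyond the page: it also computes the pooled (micro-average) rate, where every annotated issue counts once regardless of repo, and shows a precision helper that needs a false-positive count the table does not record. The engine variant per row (Fix1, Fix2, Single) is not stated in the table, so it is omitted; the counts passed to precision() are constructed, not page data.

```python
from typing import List, NamedTuple, Tuple


class RepoRun(NamedTuple):
    """One detection run: how many annotated issues were found out of the known total."""
    repo: str
    detected: int       # correctly identified (true positive) findings
    ground_truth: int   # annotated vulnerabilities in the repo


# Raw counts copied from the table on this page. The engine variant for each row
# (Fix1 / Fix2 / Single) is not given per row there, so it is not modelled here.
PAGE_RUNS: List[RepoRun] = [
    RepoRun("shiftleftjavaexample", 60, 65),
    RepoRun("shiftleftjavaexample", 59, 65),
    RepoRun("shiftleftjavaexample", 65, 65),
    RepoRun("shiftleftbank", 7, 7),
    RepoRun("shiftleftbank", 6, 7),
    RepoRun("shiftleft_python_demo", 9, 9),
    RepoRun("shiftleft_python_demo", 9, 9),
    RepoRun("vulpy.txt", 7, 7),
]


def tpr(detected: int, ground_truth: int) -> float:
    """True Positive Rate (recall) as a percentage: detected / total known x 100.

    Rejects counts that cannot be true positives: more detections than known
    issues means raw findings were counted instead of correctly identified ones.
    """
    if ground_truth <= 0:
        raise ValueError("ground truth must contain at least one annotated issue")
    if not 0 <= detected <= ground_truth:
        raise ValueError("detected must lie between 0 and ground_truth (true positives only)")
    return detected / ground_truth * 100


def per_run_tpr(runs: List[RepoRun]) -> List[Tuple[str, float]]:
    """Individual TPR for each run, rounded to two decimals as on the page."""
    return [(r.repo, round(tpr(r.detected, r.ground_truth), 2)) for r in runs]


def macro_average_tpr(runs: List[RepoRun]) -> float:
    """The page's method: mean of the per-run percentages (every run weighted equally)."""
    rates = [tpr(r.detected, r.ground_truth) for r in runs]
    return sum(rates) / len(rates)


def micro_average_tpr(runs: List[RepoRun]) -> float:
    """Pooled alternative: total detected / total known, so larger repos weigh more."""
    total_detected = sum(r.detected for r in runs)
    total_known = sum(r.ground_truth for r in runs)
    return tpr(total_detected, total_known)


def precision(true_positives: int, false_positives: int) -> float:
    """Precision as a percentage: share of reported findings that are real.

    TPR by itself does not measure false positives; this needs an FP count,
    which the page's table does not record.
    """
    reported = true_positives + false_positives
    if reported <= 0:
        raise ValueError("no findings reported")
    return true_positives / reported * 100


if __name__ == "__main__":
    for repo, rate in per_run_tpr(PAGE_RUNS):
        print(f"{repo:<24} {rate:6.2f}%")
    print(f"macro-average TPR (page's figure): {macro_average_tpr(PAGE_RUNS):.2f}%")
    print(f"micro-average (pooled) TPR:        {micro_average_tpr(PAGE_RUNS):.2f}%")
    # Constructed illustration, not page data: 60 true positives and 15 false positives.
    print(f"precision on constructed counts:   {precision(60, 15):.2f}%")
```

The macro average reproduces the page's 96.10%, while the pooled rate over the same rows is 222/234, about 94.87%: the two differ because the three shiftleftjavaexample runs contribute three equally weighted samples to the mean but 195 of the 234 pooled issues. When comparing tools or runs, state which average is used and keep false-positive counts alongside the true-positive ones so precision can be reported next to recall.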
