English

SastBench: A Benchmark for Testing Agentic SAST Triage

Cryptography and Security 2026-01-07 v1 Artificial Intelligence Computation and Language

Abstract

SAST (Static Application Security Testing) tools are among the most widely used techniques in defensive cybersecurity, employed by commercial and non-commercial organizations to identify potential vulnerabilities in software. Despite their great utility, they generate numerous false positives, requiring costly manual filtering (aka triage). While LLM-powered agents show promise for automating cybersecurity tasks, existing benchmarks fail to emulate real-world SAST finding distributions. We introduce SastBench, a benchmark for evaluating SAST triage agents that combines real CVEs as true positives with filtered SAST tool findings as approximate false positives. SastBench features an agent-agnostic design. We evaluate different agents on the benchmark and present a comparative analysis of their performance, provide a detailed analysis of the dataset, and discuss the implications for future development.

Keywords

Cite

@article{arxiv.2601.02941,
  title  = {SastBench: A Benchmark for Testing Agentic SAST Triage},
  author = {Jake Feiglin and Guy Dar},
  journal= {arXiv preprint arXiv:2601.02941},
  year   = {2026}
}
R2 v1 2026-07-01T08:52:30.136Z