Every serious security review hits the same wall: Grep finds what your pattern points it at; the bug lived one directory over. ArgosBrain traverses the actual call graph, surfaces every reachable call site, and keeps the findings alive across refactors. Use it alongside Semgrep / CodeQL / SonarQube — not instead. We are the memory layer; they are the dataflow engine.
During a live 1 237-turn Claude Opus 4.7 dogfood session on a production Next.js SaaS, the initial SSRF audit was scoped to src/app/api/ via Grep. ArgosBrain's call-graph traversal found four additional call sites in src/lib/services/: YouTube uploader, LinkedIn image helper, TikTok background builder, product-image URL fetcher. All four were reachable by following the causal edges from the risky pattern — edges Grep cannot see because they live outside whatever directory you pointed it at.
2× recall over the Grep-only scope, same codebase, same day. The full write-up lives in our public proof document. Reproducible from the session JSONL by running python3 scripts/analyze_session.py --redact on your own session.
Ship a curated library of dangerous-pattern idioms — dangerouslySetInnerHTML, raw exec_raw, fetch(url,, eval(, pickle.loads, AWS access-key prefixes, and twenty more — pre-scanned at ingest. Ask ArgosBrain for one category, get a grouped report: which pattern matched, why it matters, where it lives, and how many times.
Matches are candidates for review, not confirmed vulnerabilities. Substring scanning doesn't replace semantic analysis — it points you at the right files in a minute instead of an afternoon.
Legacy handlers, deprecated auth paths, emergency-bypass routes that never got cleaned up — attack surface you can't audit away because you can't prove they're unreachable. Ask ArgosBrain for a symbol's callers; a confident "nobody calls this" is an exhaustive structural negative over the ingested graph. Deletion becomes a defensive control, not a risk.
Caveat, stated plainly: this is static structural evidence. Dynamic dispatch, dependency-injection containers, and reflection are out of scope for any static tool and require human review.
"Can PatientRecord.ssn ever reach logger.info?" Name the source; name the sink. ArgosBrain enumerates every control-flow path through the call graph, capped per-query so you never wait on a combinatorial explosion. Empty result = structural evidence that no path exists. Non-empty = exactly where to look next.
Control flow, not data flow. This tells you whether the caller graph can reach the sink; it doesn't track which field travels along the path. For field-level taint analysis, pair with Semgrep Pro or CodeQL — and keep their findings alive inside ArgosBrain so the decisions they informed survive the next refactor.
Findings from Semgrep / CodeQL / SonarQube get triaged once, then get lost in a PDF nobody re-opens. Import them into ArgosBrain as attached notes on the exact code symbols they flag. Six months later, when the same file is refactored, the history surfaces automatically: "this pattern was flagged by Semgrep in 2026-03, triaged as false-positive because of context X — does that context still hold?"
Our SARIF importer (shipping in Sprint 7) turns any tool that emits SARIF 2.1 into a memory citizen. Enterprise customers get a CI wrapper that fails PRs when the triage context no longer matches the code state.
ArgosBrain doesn't do taint analysis, symbolic execution, or vulnerability classification. We don't ship a rules library that competes with Semgrep or CodeQL. We don't run fuzzers. We don't maintain a CVE feed.
We are the structural memory layer that makes your existing AppSec toolchain more useful. If Semgrep finds a SQLi, ArgosBrain keeps track of where the decision to ship (or not) came from. If your audit scoped wrong, ArgosBrain's call graph shows you the call sites Grep missed. The scanners still do the scanning.
Runs as a local Rust binary, in-process with your editor or audit tool. Nothing leaves the host unless you explicitly integrate an outbound service. For classified / air-gapped environments, that's a precondition, not a feature.
For AppSec teams sharing findings across multiple reviewers: a mutual-TLS transport for shared brains is on our Q3 roadmap. Until then, an SSH reverse-tunnel over the local socket works today for the "one reviewer, many consumers" case.
We sell directly and partner with firms delivering AppSec services. Contact [email protected] with "Security pilot" or "Security partner" in the subject. Include a two-sentence description of the codebase and the scanner stack you already run. We'll tell you plainly whether ArgosBrain adds value for your case — if it doesn't, we'll say so.