Ward is security review infrastructure. Every finding ships with a deterministic evidence chain, a calibrated probability, and a signed witness — replayable bit-for-bit and verifiable by a third party without trusting Ward. Runs in your environment.
We ran Ward and the tools teams most commonly rely on over the same corpus of 3,408 entries grounded in historical CVEs across five ecosystems. A finding only counts when it flags the vulnerable code targeted by the patch and disappears on the fix commit.
▸ Paired scoring: a finding is “real” only if present on the vulnerable commit, localized to the code the patch fixed, and absent on the fix commit. CodeQL precision is extremely high (98.8%, only 3 false positives after paired reclassification) but recall is 14.5% — missing 85.5% of CVEs. These figures are consistent with independent published benchmarks; see methodology for citations. Read the methodology →
A typical scanner emits an alert and a severity. Ward emits a deterministic record: the source-to-sink trace, the calibrated probability, the signed evidence chain that produced the decision, and a hermetic capsule a third party can replay bit-for-bit. Verifiable, not trust-me.
Ward treats a finding as a verifiable record, not a flag in a dashboard. The pipeline is deterministic, the evidence chain is signed, and the inputs and tools are pinned — everything needed to reproduce the result, including a skeptic.
The scanner remains the base layer. On top of it, Ward runs an investigation loop that carries each finding from candidate signal to a decision a reviewer can defend — with the trace, repro, and provenance attached.
input
…
action
Reasons across files to surface vulnerable flows that single-file pattern matching often misses.
Investigation runs inside a capability-restricted sandbox. Every step — model call, repro execution, patch attempt — is captured in a signed witness with provenance pinned to specific tool and model versions. Reproducible, auditable, attributable.
Each finding carries an explicit grade. The block / warn / allow decision is driven by a versioned loss function, not a static threshold — auditable and policy-controlled.
The benchmark matters. So do its limits. Here’s what we count, what we compare, and where the current pre-release claims stop.
For each CVE we have a repo and two SHAs: vuln_sha (the commit the CVE was filed against) and fix_sha (the merge that closed it). We run the scanner on both and call the finding “real” only if it fires on vuln_sha at a location whose scope includes the code the patch fixed, and does not fire on fix_sha. Any other pattern is not credited. Raw alert counts across scanners aren’t comparable; paired scoring is.
No. Static analysis is the entry point, not the whole story. Ward is verifiable security review infrastructure: deterministic scanner output, signed evidence chains, hermetic replay capsules, calibrated probabilities, and a sandboxed investigation layer on top. The scanner is farther along than the investigation layer today.
The static pipeline runs entirely in your environment with no external calls. The investigation layer can use pinned model providers; a fully self-hosted variant for air-gapped deployments is on the near roadmap. In every mode, code only enters declared, sandboxed surfaces, and every model interaction is captured in the signed witness chain.
Each run produces a hermetic replay capsule and a signed evidence chain anchored to an external transparency log. A third party can re-derive the same findings from the capsule and verify the attestations independently — no Ward cooperation required. Anchor staleness and verification failures explicitly downgrade the run’s trust state.
The current comparison includes Semgrep and CodeQL. Both were run over the same 3,464-entry corpus under the same paired-scoring harness. CodeQL was run at full-corpus scale (2026-05-01) using CodeQL CLI 2.24.3 with the javascript-security-extended and equivalent language query suites. We’ll publish the exact versions, configurations, and harness details alongside the benchmark methodology.
The recall figures we observe for CodeQL (~14%) and Semgrep (~25%) are consistent with the published academic literature. Independent evaluations report CodeQL at 20–22.5% recall on Java-only CVE corpora (Bennett et al., EASE 2024; IRIS / CWE-Bench-Java, ICLR 2025), and lower still on Go and Rust where query coverage is thinner. Semgrep off-the-shelf is reported at 17–24% on real Python and JavaScript CVE datasets (RealVuln, arXiv:2604.13764; DeepSource OSS CVE benchmark). Our paired methodology — which requires a finding to be localized to the patched code and absent on the fix commit — is stricter than most published evaluations, so our numbers sit at or slightly below the published midpoints.
The gap is structural: the same EASE 2024 study attributes 76.9% of all SAST false negatives to missing or insufficient rules, not engine limitations. The tools miss what they miss because no one has written the query or sink specification for that vulnerability pattern yet — not because taint analysis fundamentally can’t reach it.
We intend to publish the methodology, scoring harness, benchmark dates, and pinned tool configurations. We have not finalized what portion of the corpus itself will be public.
Ward is pre-release and in active development. There’s no public install today. If you want to be notified when there is, leave your email below.