I Read Cursor's Security Agent Prompts, So You Don't Have To

Written by Randall Degges
March 17, 2026

TL;DR: Cursor's security team built four autonomous agents that review 3,000+ PRs per week, catch 200+ vulnerabilities, and open fix PRs automatically. The engineering is impressive, and the prompts are shockingly simple. But there's a meaningful gap between "LLM agents reviewing PRs" and "enterprise security program," and that gap is exactly where things get interesting.

This is the prompt – the whole thing:

You are a security reviewer for pull requests.

Goal: Detect and clearly explain real vulnerabilities introduced or exposed by this PR. Review only added or modified code unless unchanged code is required to prove exploitability.

1. Inspect the PR diff and surrounding code paths.
2. For every candidate issue, trace attacker-controlled input to the real sink.
3. Verify whether existing controls already block exploitation: auth or permission checks, schema validation or type constraints, framework escaping, ORM parameterization, allowlists or bounded constants.
4. Report only medium, high, or critical findings with a plausible attack path and concrete code evidence.
Prioritize: injection risks, authn or authz bypasses, permission-boundary mistakes, secret leakage or insecure logging, SSRF, XSS, request forgery, path traversal, and unsafe deserialization, dependency or supply-chain risk introduced by the change.

It's the core of Cursor's Agentic Security Review automation, the one that's been reviewing 3,000+ internal PRs per week and catching 200+ real vulnerabilities.

A role assignment, a goal, a four-step methodology, and a priority list. No elaborate chain-of-thought scaffolding. No pages of few-shot examples. No complex JSON output schemas.

If you'd told me two years ago that a prompt this concise could run at that scale and produce results worth blocking CI on, I would've been skeptical. We've all been conditioned to think AI prompting requires elaborate engineering: pages of instructions, carefully crafted examples, detailed output specifications. Cursor's open-sourced templates suggest that for security review, a clear role definition and a structured methodology might be all you need.

That's a remarkable signal about where frontier models are right now. The model already "knows" what SQL injection looks like, how authentication bypasses work, and what unsafe deserialization means. It just needs a framework for applying that knowledge systematically. If models can do this much with so little instruction today, the trajectory over the next six to twelve months is genuinely exciting.

Of course, the prompt is just the tip of the iceberg. The real engineering achievement here isn't the 15 lines of instructions; it's everything underneath: the custom MCP server handling persistence and deduplication, the Terraform-managed deployment pipeline, the webhook orchestration that knows when to trigger which agent, and the state management that lets agents compare findings across runs. The prompt is simple because the surrounding infrastructure is not.
That's an important distinction, and it's actually the more interesting story: Cursor didn't just write clever prompts; they built a production-grade agent orchestration platform and then put simple prompts on top of it.

But before we get ahead of ourselves, let's look at the full picture of what Cursor built, what's impressive about each piece, and where the gaps are. To do that, it helps to have a framework for thinking about security in agentic development environments.

The three dimensions of agentic security

At Snyk, we think about securing agentic development across three dimensions: the code the agents generate, the supply chain the agents depend on, and the behavior of the agents themselves.

The code dimension is the one most people focus on: is the AI writing secure code, and are we catching vulnerabilities before they ship? The supply chain dimension is newer and less obvious: MCP servers, automation templates, agent skills, and plugins are all components your agents depend on, and they carry the same risks as any third-party dependency. The behavior dimension is the most nuanced: are the agents acting within their intended scope, are they making decisions they shouldn't, and do you have visibility into what they're actually doing across your organization?

Cursor's security agents primarily operate in the first dimension, catching vulnerabilities in code. That's valuable and necessary work. But as you'll see in the walkthrough below, the other two dimensions matter just as much, especially at enterprise scale. And the organizations getting the best results, like Labelbox, which cleared a multi-year vulnerability backlog by running Cursor and Snyk together, are the ones addressing all three.
The four agents: what's strong, what's missing

Today, Travis McPeak published a blog post detailing how Cursor's security team built four autonomous security agents on top of Cursor Automations (their cloud agent platform) and open-sourced the templates for anyone to use. Their PR velocity had increased 5x over nine months, and traditional static analysis couldn't keep up. So they built agents that could.

The whole system sits on a foundation that's worth noting: a custom MCP (Model Context Protocol) server deployed as a serverless Lambda function. It provides persistent state tracking, a deduplication layer powered by Gemini Flash 2.5 (so different agents don't file the same finding using different words), and consistent Slack output formatting with dismiss/snooze actions. Everything is managed through Terraform. Solid engineering.

Here's each agent, along with what I think is genuinely impressive and what an enterprise security team should be thinking about.

Agentic Security Review: the PR gatekeeper

What it does: Reviews every pull request against Cursor's specific threat model. Posts findings to a private Slack channel, comments directly on PRs, and can block the CI pipeline on security findings. The key differentiator from a general-purpose review bot like Cursor's Bugbot is the ability to prompt-tune specifically for security without blocking on every code quality nit.

What's impressive: The results speak for themselves. In the last two months, this agent has run on thousands of PRs and prevented hundreds of issues from reaching production. And as I showed above, the prompt driving all of this is remarkably concise. The signal-to-noise ratio, for an LLM-based reviewer, is genuinely surprising.

What to think about: LLMs can confidently flag a "critical SQL injection" in a parameterized query that's perfectly safe, because the model misread the data flow. They can also miss a real vulnerability because attention drifts across a large codebase.
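Both failure modes are easier to reason about when a second, deterministic layer reconciles the LLM's findings. The following is an added example (not Cursor's or Snyk's code): a constructed PR diff, a constructed set of LLM findings, and a small regex rule for SQL assembled at runtime; findings both layers agree on are confirmed, LLM-only findings are routed to a human, and rule-only hits show what the LLM missed. The rule is deliberately narrow and stands in for a real SAST engine.

```python
import re

# Constructed sample: added lines from a PR diff as (file, line number, source).
ADDED_LINES = [
    ("app/users.py", 41, 'cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))'),
    ("app/users.py", 58, 'cur.execute(f"SELECT * FROM users WHERE email = \'{email}\'")'),
    ("app/report.py", 12, 'db.execute("DELETE FROM logs WHERE day < " + cutoff)'),
]

# Constructed sample: what an LLM reviewer reported for the same diff.
# Line 41 is parameterized and safe; the model misread the data flow.
LLM_FINDINGS = [
    {"file": "app/users.py", "line": 41, "category": "sqli", "severity": "critical"},
    {"file": "app/users.py", "line": 58, "category": "sqli", "severity": "high"},
]

# Deterministic rule: SQL text built with an f-string, concatenation, % or .format
# and handed straight to execute().
DYNAMIC_SQL = re.compile(r"""execute\(\s*(f["']|["'][^"']*["']\s*(\+|%|\.format))""")
# Parameterized form: a literal query string followed by a separate params argument.
PARAMETERIZED = re.compile(r"""execute\(\s*["'][^"']*["']\s*,""")


def deterministic_sqli(lines):
    """Return the set of (file, line) where SQL is assembled at runtime."""
    hits = set()
    for path, no, src in lines:
        if PARAMETERIZED.search(src) and not DYNAMIC_SQL.search(src):
            continue  # literal query plus params tuple: not a finding
        if DYNAMIC_SQL.search(src):
            hits.add((path, no))
    return hits


def reconcile(llm_findings, lines):
    """Cross-check LLM findings against the rule layer instead of trusting either alone."""
    rule_hits = deterministic_sqli(lines)
    reported = {(f["file"], f["line"]) for f in llm_findings if f["category"] == "sqli"}
    return {
        "confirmed": sorted(reported & rule_hits),      # both layers agree
        "needs_human": sorted(reported - rule_hits),    # LLM-only: possible false positive
        "missed_by_llm": sorted(rule_hits - reported),  # rule-only: possible false negative
    }
```

Running `reconcile(LLM_FINDINGS, ADDED_LINES)` confirms line 58, sends the parameterized line 41 to a human instead of blocking CI on it, and surfaces the concatenated DELETE on report.py:12 that the model never reported.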
In a security context, both failure modes are expensive: false positives erode developer trust, and false negatives leave real vulnerabilities in production. When your detection layer is entirely probabilistic, you're accepting both risks. The principle here is simple: the agent cannot mark its own homework. You need an independent validation layer confirming what the LLM found. That's why layering deterministic SAST analysis (like Snyk Code) underneath the LLM review matters. The deterministic engine catches known patterns with mechanical precision; the LLM catches the novel, cross-file logic bugs that rule-based tools miss. You want both.

Also worth noting: look at the end of the prompt template.

Post a short Slack summary with the overall outcome and the top findings, if any.
Do not push changes or open fix PRs from this workflow.

The review agent explicitly does not push fixes. It finds, it reports, it blocks, but a human still decides what to do. Even Cursor's own security team keeps humans in the loop for their own tooling. That should tell you something about where autonomous AI security actually stands today: it's a powerful accelerator, not a replacement for human judgment. At least not yet.

Vuln Hunter: scanning the existing codebase

What it does: Instead of watching new code come in, Vuln Hunter scans the existing codebase. It divides the repo into logical segments, searches each one for vulnerabilities, and the security team triages findings from Slack. They often use @Cursor directly from Slack to generate fix PRs.

What's impressive: Pointing LLM reasoning at legacy code is smart. This is where AI shines: understanding complex, undocumented codebases and identifying vulnerabilities that static rules would miss. Cross-file logic bugs, broken access control patterns, and authentication bypasses buried in years-old code. Traditional scanners struggle here because they need well-defined patterns to match against.
What to think about: This is the agent most likely to produce false positives at scale. Scanning an entire codebase (rather than a focused PR diff) means the model is working with a much larger context, and that's where LLM attention drift becomes a real concern. BaxBench, a benchmark from ETH Zurich, UC Berkeley, and INSAIT, found that 62% of solutions generated by even the best models are either incorrect or contain security vulnerabilities. When the model is reasoning about large, complex codebases, the "agent can't