Avito, the largest Russia-based classifieds service, has integrated generative AI into its code protection system. The system automatically identifies potentially sensitive data in program code that could pose a security threat, including database passwords, API keys, and access tokens.
The AI scans code before it is published, which makes threat prevention more efficient and speeds up such checks fivefold, Avito said. While a cybersecurity specialist would need almost six months to sift through 50,000 threat scanner alerts, the AI needs only 6-8 hours, according to Avito.
The system detects 99% of all threats and instantly removes them from the code. This saves up to 25% of the on-duty cybersecurity specialist’s time, allowing them to focus on more complex tasks. The company plans to integrate AI into other areas of cybersecurity, such as risk assessment and threat modeling.
Avito’s system automatically analyzes code for sensitive data that could be exploited by attackers. Its proprietary A-Vibe model, trained on thousands of vulnerabilities, checks the code and identifies actual threats. The system works with the local DeepSecrets scanner, available on GitHub. It finds 99 out of 100 vulnerabilities, taking into account the code’s context. To ensure reliability, the company uses a multi-layered approach with additional algorithms and random checks by engineers, which eliminates human error and makes the system more effective than manual verification, said Andrey Usenok, head of information security at Avito.
“This technology fundamentally changes the allocation of resources—instead of spending hours checking false positives, our specialists can focus on architectural decisions and strategic defense planning. In the future, generative AI will allow us to model attack chains that haven’t yet occurred, predict critical vulnerability combinations, and create defenses that evolve in real time along with the threat landscape,” Usenok said.
Avito plans to expand the use of AI to other areas of cybersecurity, including automated risk assessment and threat modeling. This will enable code changes to be analyzed for new risks and potential attack vectors to be identified even at the design stage, before the code is written.