On May 30, 2026 Arm published Metis as an open‑source security framework under the Apache 2.0 license and posted the code on GitHub. The company says Metis is already monitoring more than 130 internal software projects and is intended as a production‑ready vulnerability discovery tool that development and security teams can run locally or inside CI pipelines.
Metis is built as an “agentic” system that pairs retrieval‑augmented generation (RAG) with semantic reasoning over source code, build files and documentation. It can analyze entire repositories, single files, pull requests or recent changes and returns natural‑language explanations and actionable summaries. The framework supports plugin extensions for additional languages and prompts, and can be used to validate findings from external SAST tools to help triage false positives.
Arm contrasts Metis with traditional static application security testing tools, arguing that pattern‑based analyzers often miss vulnerabilities that span function or component boundaries and produce high false‑positive rates. Rather than relying on fixed rules, Metis injects project‑specific context into a base LLM so the model can reason about design intent and expected behavior across components.
In internal benchmarks using GPT‑5.5‑Cyber as the base model, Arm reports Metis achieved up to 10× higher true positive rates and roughly 50% fewer false positives versus leading static analysis tools. The company also cites a 98% accuracy figure for Metis compared with 6% for traditional SAST in those tests, crediting the combined RAG/LLM workflow and the explanatory output that helps developers trust and act on findings more quickly.
From a deployment perspective, Metis is compatible with any OpenAI‑compatible LLM and includes targeted support for Ollama and vLLM. Example configurations live in metis.yaml; one sample shows using Llama 3.1 via Ollama with nomic‑embed‑text:v1.5 for code and documentation embeddings. For vLLM setups Arm recommends using LiteLLM as a router and running separate instances for chat and embedding workloads.
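For the vLLM topology the article describes (LiteLLM as the OpenAI-compatible router in front of two separate vLLM instances, one serving chat and one serving embeddings), this is an added illustration of a LiteLLM proxy config; it is not Arm's metis.yaml and not code from the Metis repository, and the model names, hostnames and ports are constructed placeholders.

```yaml
# Added example: LiteLLM proxy config routing chat and embedding traffic
# to two separate vLLM servers, as the article recommends. Hostnames,
# ports and model identifiers are constructed placeholders, not Arm's values.
model_list:
  # Chat/reasoning model served by the first vLLM instance
  - model_name: metis-chat            # name the Metis client would ask for
    litellm_params:
      model: openai/placeholder-chat-model   # "openai/" = OpenAI-compatible backend
      api_base: http://vllm-chat.internal:8000/v1
      api_key: "unused-but-required"         # vLLM does not need a key by default

  # Embedding model served by a second, dedicated vLLM instance so that
  # embedding batches for code/docs do not compete with chat latency
  - model_name: metis-embed
    litellm_params:
      model: openai/placeholder-embedding-model
      api_base: http://vllm-embed.internal:8001/v1
      api_key: "unused-but-required"

litellm_settings:
  drop_params: true        # discard request params a backend does not support

general_settings:
  master_key: "sk-REPLACE-WITH-A-SECRET"   # protects the router endpoint itself
```

Metis would then be pointed at the LiteLLM endpoint (e.g. http://litellm.internal:4000/v1) as its single OpenAI-compatible base URL, with `metis-chat` and `metis-embed` as the model names; keep the router's master key out of the repository and CI logs.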
For engineering teams, Metis’ plugin architecture and language coverage (including C, C++, Python, Go, TypeScript, Rust and more) let organizations extend models, prompts and language support to match their stacks. Arm says it is working to add hardware vulnerability verification next, and the open‑source release lets practitioners inspect the code, reproduce benchmarks, and integrate Metis into CI, pull‑request workflows or existing SAST toolchains.