AI coding assistants have created a verification problem that nobody fully anticipated. Developers are now merging more code in a single sprint than they could write in a month just two years ago. The volume is real, the productivity gains are real, and the security gap it opens is equally real.
The problem is not that AI writes bad code. The problem is that AI writes access control logic, permission flows, and business workflows at a pace no human reviewer can keep up with. The vulnerabilities that live in that layer—broken access control, business logic flaws, and authentication and session management flaws—are exactly the kinds of issues traditional automated scanning struggles to catch. These flaws do not live in a code pattern. They live in the gap between what a system is supposed to do and what it actually does. A scanner cannot see that gap. An attacker can.
This is the verification challenge of the AI development era: more code, more business logic, more access control decisions, and no scalable way to check whether any of it enforces the right rules.
Security teams have historically relied on manual whitebox code audits to close this gap. These audits mean working through a codebase with full access to the source: reasoning about authorization logic, tracing permission flows, and identifying where enforcement breaks down. This kind of review surfaces what automated scanners miss. But it does not scale, and it happens after the code has already been written and reviewed, which means it’s too late.
SonarQube Hunter Agent brings the same depth of reasoning—a structured, whitebox analysis of authorization logic and business rules—to the moment a developer writes the code. That is the shift. And that shift changes what you can actually do about a finding.
Beyond structure- where logic vulnerabilities live
Sonar's SAST engine is exceptionally good at what it was built to do. It catches SQL injection, cross-site scripting, path traversal, and hundreds of other vulnerability classes with precision and speed, finding structural flaws in code before they can be exploited. For these issues, static analysis is fast, scalable, and highly accurate.
But there is a class of vulnerability that lives outside the reach of any structural analysis, not because of a limitation in the tool, but because of the nature of the problem itself.
Is this endpoint supposed to be accessible by any authenticated user, or only the account owner? Does the application verify that the user requesting /invoices/8472 has the right to see that invoice, or does it just return it? These are questions of intent and business logic, and answering them requires a different kind of analysis on top of what SAST already provides.
SAST catches structural flaws. SonarQube Hunter Agent catches logic flaws. Together, they cover the full picture.
What SonarQube Hunter Agent actually does
SonarQube Hunter Agent is a new AI-powered security agent built on top of Sonar's existing analysis infrastructure that targets logic-level vulnerabilities. Hunter Agent works through structured multi-step analysis flows called Playbooks. A single Playbook covers the following three classes of vulnerabilities:
- Broken access control: Issues such as IDOR, missing/incorrect authorization checks, privilege escalation, sensitive data exposure, CSRF
- Business logic vulnerabilities: Skipping required workflow steps, abusing repeatable actions, missing rate limits
- Authentication & session management flaws: Broken auth, session fixation, non-expiring sessions, weak password recovery, missing MFA, brute-force gaps
It does not ask a model a single question and wait for an answer. It runs through a deliberate sequence: discovering endpoints, mapping the access control and authentication logic, reasoning about behavioral intent, verifying whether enforcement matches that intent, and finally confirming the finding. Each finding includes the full discovery path so you can see exactly how the agent reached its conclusion. No black box, no single-shot inference.
Because Hunter Agent is built on Sonar's Foundation Agent harness rather than a raw LLM call, its results are consistent from run to run. This matters more than it might seem. An AI scanning tool that produces 47 findings on Monday and 14 findings on the same codebase on Wednesday cannot be operationalized. Security programs need results that can be triaged, escalated, and reported. Reproducibility is not a nice-to-have—it’s a design requirement.
Why security agents matters now
Agent-driven development has changed the math .. AI coding assistants are generating endpoints, access control logic, and permission flows at a pace no security team can manually review. The attack surface is expanding in every sprint. The vulnerability classes that are hardest to catch automatically are exactly the ones that AI-generated code tends to get wrong, not because of a flaw in the AI, but because business logic correctness requires context that no code generator fully has.
Hunter Agent brings the structured code-audit reasoning that security teams have always relied on human experts to provide, and it applies that reasoning at the moment the code is written, inside the workflow developers already use.
How to access SonarQube Hunter Agent
The SonarQube Hunter Agent beta is now available to SonarQube Cloud customers with the Enterprise plan. Findings surface in your existing SonarQube workflow, tagged with "hunter-agent" for easy triage, with no new tool to learn. No waitlist, no approval process. Access opens today. Once you log into your SonarQube Cloud, you will see the option to enroll directly within the product.
Ready to join the beta? Sign up using your existing SonarQube Cloud Enterprise plan.

