
Kundal

Automated code scanner and vulnerability detector for static and dynamic analysis.


What it is

Kundal is an automated secure code analysis system designed to identify, validate, and prioritize security vulnerabilities in large-scale source codebases under realistic time and compute constraints.

Instead of relying on a single heavyweight model or shallow pattern matching, Kundal uses a multi-stage intelligence pipeline that combines ultra-fast keyword heuristics, contextual code locality analysis, and parallel model-based reasoning to triage vulnerabilities efficiently.
The system is built to operate at scale. It is capable of scanning repositories ranging from a few megabytes to hundreds of megabytes, while preserving traceability, explainability, and defensible security findings rather than noisy or speculative alerts.
Kundal focuses on precision-first detection, locality-aware analysis, and structured reporting aligned with industry vulnerability standards such as CVE and CWE.

Why I'm building it

Kundal was originally built because I felt that current security scanners, despite being effective for day-to-day use, are insufficient for industry-level use cases.
I wanted a system that acted more like a human reviewer: narrowing scope quickly, validating context locally, escalating the good parts, and not restrained by heuristics.

How it works (high-level)

Kundal is also an experiment in pragmatic AI security. It prioritizes speed, controllability, and epistemic honesty over overconfident “AI verdicts.” Every detection is designed to be explainable, reproducible, and auditable.

  • Keyword and heuristic pre-scan:
    A high-speed static analysis phase scans the codebase using language-aware keyword heuristics and scoring rules to identify potentially risky files.
    This phase aggressively filters safe code to minimize unnecessary compute.

  • Second stage of the pre-scan:
    Files marked "safe" by the first stage are sent to multiple 7B worker LLM models trained on CVE data to catch false negatives and flag them as well.

  • Locality-aware context extraction:
    Rather than analyzing entire files, Kundal isolates precise vulnerability localities. Only the most relevant code segments are forwarded for deeper inspection, dramatically reducing inference time while preserving context.

  • Parallelized model-based validation:
    Multiple lightweight models operate concurrently across GPUs to confirm whether flagged localities represent real vulnerabilities. Each locality is either classified as vulnerable and passed to the enricher, or discarded.

  • Standards-aligned enrichment:
    Validated findings are enriched post-analysis using retrieval-based matching against curated CVE and CWE datasets, ensuring standardized classification.
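As an added illustration (not Kundal's own code; its rule set, weights, thresholds and models are not published on this page), the following Python sketch shows the shape of the first and third stages above: language-aware keyword scoring per file, a threshold that drops low-scoring files before any model is invoked, and window-based locality extraction that merges overlapping windows around hits. The LLM-based second and fourth stages and the retrieval-based enrichment are not modelled; the CWE ids attached to each rule stand in for what the enrichment stage would later produce. All rules, weights, the threshold and the sample files are constructed for this example.

```python
"""Added illustration of a keyword pre-scan plus locality extraction.
This is example code written for this page, not Kundal's implementation."""
import re
from dataclasses import dataclass

# Language-aware keyword rules: (compiled regex, weight, CWE id).
# Rules, weights and CWE assignments are constructed for the example.
RULES = {
    "python": [
        (re.compile(r"\beval\s*\("), 5, "CWE-94"),          # code injection
        (re.compile(r"shell\s*=\s*True"), 4, "CWE-78"),      # OS command injection
        (re.compile(r"\bpickle\.loads?\s*\("), 4, "CWE-502"),  # unsafe deserialization
    ],
    "javascript": [
        (re.compile(r"\beval\s*\("), 5, "CWE-94"),
        (re.compile(r"\.innerHTML\s*="), 3, "CWE-79"),       # DOM-based XSS sink
    ],
}

EXT_TO_LANG = {".py": "python", ".js": "javascript"}


@dataclass
class Hit:
    line_no: int   # 1-based line of the keyword match
    weight: int
    cwe: str


@dataclass
class Locality:
    path: str
    start: int     # 1-based, inclusive
    end: int       # 1-based, inclusive
    cwes: list
    snippet: str


def language_of(path):
    """Map a file extension to a rule language; None means 'not scanned'."""
    for ext, lang in EXT_TO_LANG.items():
        if path.endswith(ext):
            return lang
    return None


def prescan(path, text):
    """Stage 1: score a file by weighted keyword hits. Returns (score, hits)."""
    lang = language_of(path)
    if lang is None:
        return 0, []
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # comments often name risky APIs without calling them
        for rx, weight, cwe in RULES[lang]:
            if rx.search(line):
                hits.append(Hit(no, weight, cwe))
    return sum(h.weight for h in hits), hits


def extract_localities(path, text, hits, radius=2):
    """Stage 3: cut +/- radius line windows around hits, merging overlaps."""
    lines = text.splitlines()
    localities = []
    for h in sorted(hits, key=lambda h: h.line_no):
        start = max(1, h.line_no - radius)
        end = min(len(lines), h.line_no + radius)
        if localities and start <= localities[-1].end + 1:
            last = localities[-1]            # adjacent/overlapping: extend it
            last.end = max(last.end, end)
            if h.cwe not in last.cwes:
                last.cwes.append(h.cwe)
            last.snippet = "\n".join(lines[last.start - 1:last.end])
        else:
            localities.append(Locality(path, start, end, [h.cwe],
                                       "\n".join(lines[start - 1:end])))
    return localities


def triage(files, threshold=3):
    """Pre-scan a {path: text} mapping, drop low-scoring files, return localities."""
    out = []
    for path, text in files.items():
        score, hits = prescan(path, text)
        if score < threshold:
            continue  # cheap filter: this file never reaches a model
        out.extend(extract_localities(path, text, hits))
    return out


# Constructed sample repository (not real project code).
SAMPLE_FILES = {
    "app/handler.py": "\n".join([
        "import subprocess",
        "",
        "def run(cmd):",
        "    # eval( is only mentioned in this comment",
        "    return subprocess.run(cmd, shell=True)",
        "",
        "def load(blob):",
        "    import pickle",
        "    return pickle.loads(blob)",
    ]),
    "web/ui.js": "\n".join([
        "function render(el, s) {",
        "  el.innerHTML = s;",
        "}",
    ]),
    "app/util.py": "def add(a, b):\n    return a + b\n",
    "docs/README.md": "eval( and shell=True appear here, but markdown is not scanned.",
}

if __name__ == "__main__":
    for loc in triage(SAMPLE_FILES):
        print(f"{loc.path}:{loc.start}-{loc.end} {loc.cwes}")
```

On the sample input the two hits in handler.py (lines 5 and 9) produce overlapping windows that merge into one locality spanning lines 3 to 9 carrying both CWE ids, util.py and the README never reach the locality stage, and only the merged snippets would be handed to the model-based validators.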

Status

Kundal is an active research and engineering prototype, with a proof of concept (POC) ready, that has shown promising results. The most recent tests have displayed extreme speed and accuracy, with 100k files being scanned in under 2 hours, compared to a few days with basic LLM-based scanning on the same hardware.