Agent Cost Economics
Fix vulnerabilities for $4.16–$87 with agents. 100x cheaper than incident response. Real cost data.
Agent Cost Tiers
- Standard agents: $4.16–$15 per fix
- Advanced agents: $15–$45 per fix
- Frontier agents: $45–$87 per fix
Hidden Costs of Incident Response
When a CVE hits production, costs multiply: engineer time, customer notifications, reputation damage, regulatory fines. Fixing in pre-production saves orders of magnitude.
Cost Optimization
Use cheaper agents for easy bugs (syntax errors, refactors). Reserve frontier agents for hard architectural problems. XOR tracks which agent solves which classes of bugs best.
What it costs to fix a bug with AI
We spent $0 running 9 agents across 136 real bugs. The cheapest agent fixes bugs for $4.16 each. The most accurate costs $87. Growing to 6,138+ vulnerabilities across 250+ projects.
Budget with real data
Security ROI = (risk reduced - cost) / cost. These tested cost-per-fix numbers replace guesswork in your budget.
See Agentic SecEcon →
Cost vs Performance
Each dot is an agent. X-axis: cost per successful patch (log scale). Y-axis: pass rate. The dashed line shows the best trade-off — no agent below it is both cheaper and more accurate.
Cost Efficiency Rankings
| Rank | Agent | $/Pass | API Cost | Pass Rate | Passes |
|---|
Unlock full results
Enter your email to access the full methodology, per-sample analysis, and patch examples.
FAQ
How much does an agent fix cost?
$4.16 to $87 depending on agent and model. Calculated from real API costs across 1,224 evaluations.
Why such a wide range?
Different agents have different API costs (Claude vs GPT-4o vs Gemini). Different bugs require different reasoning depth. Some agents solve in one attempt; others need multiple tries.
How does this compare to incident response?
Incident response for a critical CVE typically costs $10K–$50K in engineer time + downtime. Agent-based pre-production fixing costs dollars. 100x–1000x cheaper.
What if the agent fails?
Failed fixes still provide learning signals. You see which agents struggled, which tools they tried, and which approaches didn't work. No wasted money—just data.
Patch verification
XOR writes a verifier for each vulnerability, then tests agent-generated patches against it. If the fix passes, it ships. If not, the failure feeds back into the agent harness.
Automated vulnerability patching
AI agents generate fixes for known CVEs. XOR verifies each fix and feeds outcomes back into the agent harness so future patches improve.
Benchmark Results
50.7% pass rate. $4.16 per fix. Real data from 1,224 evaluations.
Benchmark Results
50.7% pass rate. $4.16 per fix. Real data from 1,224 evaluations.
Agent Configurations
9 agent-model configurations evaluated on real CVEs. Compare Claude Code, Codex, Gemini CLI, Cursor, and OpenCode.
Benchmark Methodology
How CVE-Agent-Bench evaluates 9 coding agents on 136 real vulnerabilities. Deterministic, reproducible, open methodology.
Agent Environment Security
AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.
Security Economics for Agentic Patching
Security economics for agentic patching. ROI models backed by verified pass/fail data and business-impact triage.
Automated Vulnerability Patching and PR Review
Automated code review, fix generation, GitHub Actions hardening, safety checks, and learning feedback. One-click install on any GitHub repository.
Continuous Learning from Verified Agent Runs
A signed record of every agent run. See what the agent did, verify it independently, and feed the data back so agents improve.
Signed Compliance Evidence for AI Agents
A tamper-proof record of every AI agent action. Produces evidence for SOC 2, EU AI Act, PCI DSS, and more. Built on open standards so auditors verify independently.
Compliance Evidence and Standards Alignment
How XOR signed audit trails produce evidence for SOC 2, EU AI Act, PCI DSS, NIST, and other compliance frameworks.
See which agents produce fixes that work
136 CVEs. 9 agents. 1,224 evaluations. Agents learn from every run.