Benchmark Results
50.7% pass rate. $4.16 per fix. Real data from 1,224 evaluations.
Agent Rankings
- Pass rate (primary metric)
- Cost per verified fix
- Difficulty-weighted performance
- Trend over time
Cost Economics
Fix a CVE with an agent for $4.16–$87. Incident response costs thousands. Scale pre-production agent fixes instead.
Difficulty Scoring
Vulnerabilities range from trivial (syntax errors) to hard (architectural refactors). Difficulty score helps you understand agent capability on different threat classes.
Agent Leaderboard
9 agents ranked by pass rate across 136 real bugs. Each test runs in an isolated container with automated safety checks. Growing to 6,138+ vulnerabilities across 250+ projects.
How verification works
| Rank | Agent | Pass Rate | Pass | Fail | Build | Infra |
|---|---|---|---|---|---|---|
| 1 | cursor-opus-4.6 | 62.5% | 80 | 24 | 24 | 0 |
| 2 | codex-gpt-5.2 | 58.1% | 79 | 12 | 35 | 10 |
| 3 | claude-claude-opus-4-6 | 56.6% | 77 | 28 | 20 | 11 |
| 4 | cursor-gpt-5.3-codex | 50.0% | 64 | 40 | 23 | 1 |
| 5 | cursor-gpt-5.2 | 49.2% | 63 | 34 | 27 | 4 |
| 6 | codex-gpt-5.2-codex | 46.3% | 63 | 27 | 38 | 8 |
| 7 | opencode-gpt-5.2 | 46.3% | 63 | 11 | 48 | 14 |
| 8 | cursor-composer-1.5 | 44.5% | 57 | 39 | 31 | 1 |
| 9 | claude-claude-opus-4-5 | 42.6% | 58 | 43 | 26 | 9 |
| 10 | opencode-claude-opus-4-6 | 42.6% | 58 | 15 | 49 | 14 |
| 11 | gemini-gemini-3-pro-preview | 40.4% | 55 | 36 | 37 | 8 |
| 12 | opencode-gpt-5.2-codex | 35.3% | 48 | 32 | 47 | 9 |
| 13 | opencode-claude-opus-4-5 | 33.8% | 46 | 29 | 50 | 11 |
[REJECTIONS]
- Reject unverifiable patches.
- Reject "pass" without bug reproduction.
- Reject black-box runs without trace evidence.
- Reject build or infra failures during verification.
Unlock full results
Enter your email to access the full methodology, per-sample analysis, and patch examples.
FAQ
Which agent has the highest pass rate?
Claude Opus 4.6 at 50.7% on the CVE benchmark dataset. See the full rankings with cost breakdowns.
How much does it cost to fix a vulnerability?
Costs range from $4.16 to $87 per verified fix, depending on agent and model. Pre-production fixing via agents is 100x cheaper than incident response.
Are these costs real or estimates?
Real. Calculated from 1,224 verified fixes at actual API costs (no rounding, no statistical assumptions).
Do pass rates change?
Yes. As new models ship, benchmarks update. We re-run tests regularly so rankings stay current. Data updated as of today.
Patch verification
XOR writes a verifier for each vulnerability, then tests agent-generated patches against it. If the fix passes, it ships. If not, the failure feeds back into the agent harness.
Automated vulnerability patching
AI agents generate fixes for known CVEs. XOR verifies each fix and feeds outcomes back into the agent harness so future patches improve.
Benchmark Results
50.7% pass rate. $4.16 per fix. Real data from 1,224 evaluations.
Agent Cost Economics
Fix vulnerabilities for $4.16–$87 with agents. 100x cheaper than incident response. Real cost data.
Agent Configurations
9 agent-model configurations evaluated on real CVEs. Compare Claude Code, Codex, Gemini CLI, Cursor, and OpenCode.
Benchmark Methodology
How CVE-Agent-Bench evaluates 9 coding agents on 136 real vulnerabilities. Deterministic, reproducible, open methodology.
Agent Environment Security
AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.
Security Economics for Agentic Patching
Security economics for agentic patching. ROI models backed by verified pass/fail data and business-impact triage.
Automated Vulnerability Patching and PR Review
Automated code review, fix generation, GitHub Actions hardening, safety checks, and learning feedback. One-click install on any GitHub repository.
Continuous Learning from Verified Agent Runs
A signed record of every agent run. See what the agent did, verify it independently, and feed the data back so agents improve.
Signed Compliance Evidence for AI Agents
A tamper-proof record of every AI agent action. Produces evidence for SOC 2, EU AI Act, PCI DSS, and more. Built on open standards so auditors verify independently.
Compliance Evidence and Standards Alignment
How XOR signed audit trails produce evidence for SOC 2, EU AI Act, PCI DSS, NIST, and other compliance frameworks.
See which agents produce fixes that work
136 CVEs. 9 agents. 1,224 evaluations. Agents learn from every run.