CodeMender is an AI-powered code security agent from Google DeepMind that automatically detects, patches, and rewrites vulnerable code to eliminate entire classes of security issues, rather than patching one bug at a time. Access is enterprise-tier only, with no public pricing. It targets security teams, open-source maintainers, and large engineering organizations managing complex codebases.
Announced in late 2025, CodeMender is built on Google DeepMind's Gemini Deep Think reasoning models and combines advanced program analysis tooling — including static analysis, dynamic analysis, differential testing, fuzzing, and SMT solvers — with multi-agent reasoning to root-cause vulnerabilities rather than patch surface symptoms. According to DeepMind, in the six months prior to launch the agent had already upstreamed 72 security fixes to open-source projects, including codebases as large as 4.5 million lines of code. Patches are validated automatically against regression tests, fuzzers, and a self-critique LLM-based reviewer before any human researcher reviews them.
Beyond reactive fixes, CodeMender takes a proactive approach: it can rewrite existing code to apply hardened APIs and compiler-level defenses such as -fbounds-safety annotations, eliminating whole categories of bugs like buffer overflows. The team has demonstrated this on libwebp — the library at the center of the 2023 CVE-2023-4863 zero-click iOS exploit — where applying the annotations would have neutralized that vulnerability and many similar ones. Based on our analysis of 870+ AI tools in our directory, CodeMender stands out by combining autonomous patch generation with formal validation, distinguishing it from suggestion-only tools like Snyk DeepCode or GitHub Copilot Autofix. It is currently in research preview, with DeepMind gradually reaching out to maintainers of critical open-source projects rather than offering self-serve access.
CodeMender is built on Google DeepMind's Gemini Deep Think models, which apply extended chain-of-thought reasoning to security analysis. This allows the agent to plan multi-step fixes, reason about program semantics, and identify root causes rather than surface symptoms. It is one of the first applied deployments of Deep Think in a security-specific agentic workflow.
Rather than relying on a single model, CodeMender orchestrates multiple specialized agents, including a dedicated LLM-based critique agent that reviews proposed patches for regressions and incorrect fixes. This adversarial setup catches errors before patches reach human reviewers, and the critique agent has been credited with significantly improving patch quality in DeepMind's internal evaluations.
Beyond fixing individual CVEs, CodeMender rewrites existing C/C++ code to add compiler-level safety annotations such as -fbounds-safety. Applied to libwebp, this approach would have prevented the 2023 CVE-2023-4863 zero-click iOS exploit and many similar buffer-overflow vulnerabilities. This shifts the security model from reactive to preventative.
CodeMender combines static analysis, dynamic analysis, differential testing, fuzzing, and SMT solvers as tools the agent can invoke during reasoning. This lets it formally verify hypotheses about program behavior rather than guessing, producing patches grounded in concrete evidence. Few competing AI security tools integrate SMT solvers at this depth.
In the six months before its public announcement, CodeMender contributed 72 security fixes to open-source projects, including some with codebases over 4.5 million lines. Each patch was reviewed and accepted by human maintainers, providing real-world validation. This track record distinguishes CodeMender from purely benchmark-driven research projects.
CodeMender was announced in late 2025 by Google DeepMind. At launch, the team disclosed that CodeMender had already upstreamed 72 security fixes to open-source projects over the prior six months, with patches accepted on codebases of up to 4.5 million lines. The agent leverages Gemini Deep Think reasoning models and demonstrated proactive hardening on libwebp using -fbounds-safety annotations, which would have prevented the 2023 CVE-2023-4863 zero-click iOS exploit. DeepMind indicated that it plans to publish technical papers and gradually expand collaboration with maintainers of critical open-source projects.