depthfirst labs is a security research organization that uses AI agents to discover vulnerabilities in open-source software. The platform performs automated vulnerability discovery, risk assessment, and patch generation for security flaws in codebases. The research team has discovered and disclosed multiple CVEs across various open-source projects, including RCE vulnerabilities, sandbox escapes, XSS bugs, authorization flaws, and path traversal issues. Their work covers vulnerabilities in widely-used tools like esbuild, Netty, Langfuse, Sandboxie, and AI assistants. depthfirst follows a coordinated vulnerability disclosure process, working with maintainers to ensure issues are patched before public disclosure. The platform integrates with GitHub repositories to scan code for security issues. Their research demonstrates capabilities in finding critical vulnerabilities that have survived billions of downloads and remained undetected for years. The platform achieved a 90% improvement on the CyberGym vulnerability-exploitation benchmark by implementing multi-agent architecture with runtime instrumentation and contextual analysis. The labs publish detailed technical writeups of discovered vulnerabilities, including exploitation techniques, root cause analysis, and automated patch generation. Their work spans multiple vulnerability classes including RCE, XSS, authorization bypass, integer overflow, and path traversal attacks.