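Endor Labs AURI Review

An AI-native application security platform that integrates real-time vulnerability detection into AI coding tools via MCP and uses full-stack reachability analysis to reduce alert noise by up to 95%.

Updated this week. Free tier available.

Best for

  • Enterprise security teams
  • Developers using AI coding tools
  • Organizations with multi-language monorepos

Not a good fit for…

  • Individual developers with no security requirements
  • Small teams that need transparent pricing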

What is Endor Labs AURI?

AURI is an AI-native application security platform from Endor Labs, launched in March 2026. It performs deep code reasoning across source code, dependencies, and container images, using full-stack reachability analysis to determine whether a detected vulnerability can actually be triggered in your running application. The result is drastically fewer false positives compared to traditional scanners that flag every CVE regardless of reachability.

Key features and developer experience

AURI integrates directly into AI coding agents via the Model Context Protocol (MCP), so security checks run inside Cursor, Claude Code, or OpenHands without leaving the development workflow. The free CLI tier provides vulnerability detection, secrets scanning, and malware detection with no account required. Paid plans add agentic remediation (automated patch generation), upgrade impact analysis, container scanning, and CI/CD gates. The platform supports 40+ languages with function-level reachability, which is broader than most competitors who limit reachability to Java, JavaScript, and Python.

Pricing breakdown

The free tier covers the CLI, MCP plugin, and Skills integrations: useful for individual developers who want to scan code locally. Core and Pro plans are enterprise-quoted and require a sales conversation. Core adds SCA with reachability, AI model discovery, and SBOM/VEX generation. Pro extends to container scanning, binary scanning, artifact signing, and CI/CD security. Optional add-ons include automated patch application (Patches), consolidated SAST and secrets (CoDe), and first- and third-party SBOM management (SBOM Hub).

When to choose Endor Labs AURI

AURI is the right choice if your team is overwhelmed by false-positive alerts from tools like Snyk or Veracode, works across many languages in a monorepo, or uses AI coding agents and wants security integrated into that workflow rather than as a separate review gate. If you need a self-serve trial with transparent pricing, AURI is not the right fit today. It is best evaluated by security teams at mid-to-large engineering organizations with budget for a security platform.

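Pricing

The CLI and MCP layer are free for developers; Core, Pro, and add-on plans require contacting enterprise sales for a quote.

Free and paid. Free tier available.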

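Pros

  • Reachability analysis across 40+ languages can reduce alert noise by up to 95%
  • The CLI and MCP layer are free for all developers, with no account registration required
  • Native integration with AI coding tools such as Cursor and Claude Code
  • A unified platform covering SCA, SAST, container scanning, and CI/CD security
  • Detects novel vulnerabilities through semantic data-flow analysis

Cons

  • No public pricing for paid plans; an enterprise sales process is required
  • Automated remediation and CI/CD integration require a paid plan
  • The AURI brand launched in March 2026, and the product direction is still evolving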

Platforms

web, cli, api
Last verified: March 31, 2026

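FAQ

What is Endor Labs AURI?
An AI-native application security platform that integrates real-time vulnerability detection into AI coding tools via MCP and uses full-stack reachability analysis to reduce alert noise by up to 95%.
Does Endor Labs AURI have a free tier?
Yes, Endor Labs AURI offers a free tier. The CLI and MCP layer are free for developers; Core, Pro, and add-on plans require contacting enterprise sales for a quote.
Who is Endor Labs AURI best for?
Endor Labs AURI is best for enterprise security teams; developers using AI coding tools; organizations with multi-language monorepos.
Who should skip Endor Labs AURI?
Endor Labs AURI may not be a good fit for individual developers with no security requirements; small teams that need transparent pricing.
Does Endor Labs AURI have an API?
Yes, Endor Labs AURI provides an API for programmatic access.
Which platforms does Endor Labs AURI support?
Endor Labs AURI is available on web, cli, api.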
