A finding is only useful if a developer or security reviewer can reproduce it. That’s why everything Composed produces is verified against ground truth.
We measure precision, recall, and false positive rate against known ground-truth datasets before we ship a new detector. If we can’t measure it, we don’t ship it.
Every finding includes a reproduction path. If a reviewer can’t verify it in their own environment, we don’t report it.
Traditional scanners produce lists of potential vulnerabilities. Composed only surfaces findings it can exploit or prove—eliminating the noise that teams learn to ignore.
Our evaluation framework captures every false positive and missed finding. Each one becomes a test case for the next iteration.
Benchmarks against specific datasets are published as we validate across enough real-world repositories.