Evals

Security AI needs evals, not vibes.

A finding is only useful if a developer or security reviewer can reproduce it. That’s why everything Composed produces is verified against ground truth.

Precision-first

We measure precision, recall, and false positive rate against known ground-truth datasets before we ship a new detector. If we can’t measure it, we don’t ship it.

Reproducible evidence

Every finding includes a reproduction path. If a reviewer can’t verify it in their own environment, we don’t report it.

Verified, not probabilistic

Traditional scanners produce lists of potential vulnerabilities. Composed only surfaces findings it can exploit or prove—eliminating the noise that teams learn to ignore.

Continuous improvement

Our evaluation framework captures every false positive and missed finding. Each one becomes a test case for the next iteration.

What we track

Precision What fraction of our findings are real and exploitable
Recall What fraction of real vulnerabilities we catch before merge
FP Rate How often we flag something that isn’t exploitable

Benchmarks against specific datasets are published as we validate across enough real-world repositories.

See how your code measures up

Run it on 10 PRs →