SecureFalcon: Are We There Yet in Automated Software Vulnerability Detection with LLMs?
Mohamed Amine Ferrag, Ammar Battah, Norbert Tihanyi, Ridhi Jain, Diana Maimut, Fatima Alwahedi, Thierry Lestable, Narinderjit Singh Thandi, Abdechakour Mechri, Merouane Debbah, Lucas C. Cordeiro
TL;DR
SecureFalcon presents a compact 121M-parameter LLM derived from Falcon-40B to detect software vulnerabilities with high accuracy. By fine-tuning on FormAI and FalconVulnDB, it attains 0.94 binary and 0.92–0.92 multiclass accuracy, outperforming several LLMs and traditional methods while offering near real-time CPU inference. The work combines a well-engineered architecture—word embeddings, RoPE-enhanced transformer layers, and a dedicated scoring head—with curated data strategies, including bias mitigation and CWE mapping, to cover the Top 25 CWEs. It also benchmarks against C/C++ static analyzers and bounded model checkers, highlighting practical deployment potential and outlining future directions for multi-language support, Agentic RAG, and generation-based vulnerability reporting.
Abstract
Software vulnerabilities can cause numerous problems, including crashes, data loss, and security breaches. These issues greatly compromise quality and can negatively impact the market adoption of software applications and systems. Traditional bug-fixing methods, such as static analysis, often produce false positives. While bounded model checking, a form of Formal Verification (FV), can provide more accurate outcomes compared to static analyzers, it demands substantial resources and significantly hinders developer productivity. Can Machine Learning (ML) achieve accuracy comparable to FV methods and be used in popular instant code completion frameworks in near real-time? In this paper, we introduce SecureFalcon, an innovative model architecture with only 121 million parameters derived from the Falcon-40B model and explicitly tailored for classifying software vulnerabilities. To achieve the best performance, we trained our model using two datasets, namely the FormAI dataset and the FalconVulnDB. The FalconVulnDB is a combination of recent public datasets, namely the SySeVR framework, Draper VDISC, Bigvul, Diversevul, SARD Juliet, and ReVeal datasets. These datasets contain the top 25 most dangerous software weaknesses, such as CWE-119, CWE-120, CWE-476, CWE-122, CWE-190, CWE-121, CWE-78, CWE-787, CWE-20, and CWE-762. SecureFalcon achieves 94% accuracy in binary classification and up to 92% in multiclassification, with instant CPU inference times. It outperforms existing models such as BERT, RoBERTa, CodeBERT, and traditional ML algorithms, promising to push the boundaries of software vulnerability detection and instant code completion frameworks.