Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MultiVer: Zero-Shot Multi-Agent Vulnerability Detection

Shreshth Rajan

TL;DR

These results demonstrate that for security applications where false negatives are costlier than false positives, zero-shot multi-agent ensembles can match and exceed fine-tuned models on the metric that matters most.

Abstract

We present MultiVer, a zero-shot multi-agent system for vulnerability detection that achieves state-of-the-art recall without fine-tuning. A four-agent ensemble (security, correctness, performance, style) with union voting achieves 82.7% recall on PyVul, exceeding fine-tuned GPT-3.5 (81.3%) by 1.4 percentage points -- the first zeroshot system to surpass fine-tuned performance on this benchmark. On SecurityEval, the same architecture achieves 91.7% detection rate, matching specialized systems. The recall improvement comes at a precision cost: 48.8% precision versus 63.9% for fine-tuned baselines, yielding 61.4% F1. Ablation experiments isolate component contributions: the multi-agent ensemble adds 17 percentage points recall over single-agent security analysis. These results demonstrate that for security applications where false negatives are costlier than false positives, zero-shot multi-agent ensembles can match and exceed fine-tuned models on the metric that matters most.

MultiVer: Zero-Shot Multi-Agent Vulnerability Detection

TL;DR

These results demonstrate that for security applications where false negatives are costlier than false positives, zero-shot multi-agent ensembles can match and exceed fine-tuned models on the metric that matters most.

Abstract

We present MultiVer, a zero-shot multi-agent system for vulnerability detection that achieves state-of-the-art recall without fine-tuning. A four-agent ensemble (security, correctness, performance, style) with union voting achieves 82.7% recall on PyVul, exceeding fine-tuned GPT-3.5 (81.3%) by 1.4 percentage points -- the first zeroshot system to surpass fine-tuned performance on this benchmark. On SecurityEval, the same architecture achieves 91.7% detection rate, matching specialized systems. The recall improvement comes at a precision cost: 48.8% precision versus 63.9% for fine-tuned baselines, yielding 61.4% F1. Ablation experiments isolate component contributions: the multi-agent ensemble adds 17 percentage points recall over single-agent security analysis. These results demonstrate that for security applications where false negatives are costlier than false positives, zero-shot multi-agent ensembles can match and exceed fine-tuned models on the metric that matters most.
Paper Structure (19 sections, 1 figure, 3 tables)

This paper contains 19 sections, 1 figure, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Method
  4. Architecture
  5. Three-Tier Analysis Pipeline
  6. Context Extraction
  7. Ensemble Voting
  8. Self-Consistency
  9. Experiments
  10. Benchmarks
  11. Baselines
  12. Main Results
  13. Ablation Study
  14. Error Analysis
  15. Discussion
  16. ...and 4 more sections

Figures (1)

  • Figure 1: MultiVer architecture. Four agents analyze code in parallel across different dimensions. Each agent follows a three-tier pipeline (pattern matching $\rightarrow$ RAG retrieval $\rightarrow$ LLM analysis). Agent outputs combine through ensemble voting (union or weighted).