How to Run a Security Review With Cursor (Agent-Driven)

Treat the agent like a fast, fallible delegate. Four tenets carry most of the practice: give it real context (be clear about the work and what good looks like, but you no longer burn hours on prompt engineering); assume it can be wrong and build the workflow around any single fact being false; ask for proof when you doubt a claim; and ask anything, because agents are unmatched at ramping you into an unfamiliar system fast.

The payoff is structural, not just speed. Tireless agents let you run deep review on every change, not a sampled few. Threat-modeling every PR used to be untenable; now it is tenable. The practitioner who built this workflow self-assessed roughly 5x more effective on older models and 7.5–10x now — self-reported, and your mileage will vary, but the direction is the point.

Hand the agent a pointer to the repo and ask the questions a security reviewer asks on day one. How old is the repo? Who are the top contributors, with contribution counts and tenure? What are the project's goals? Is there a security policy, CI, a defined development process? What is the top-level architecture? You get back a digest that would take a long time to assemble by hand — and you can keep asking follow-ups until you actually understand the system.

1. 1Give the agent the repo pointer (a GitHub URL is enough).
2. 2Ask for repo age and a top-10 contributor list with counts and tenure.
3. 3Ask for the project goals, security policy, CI setup and dev process.
4. 4Ask for a top-level architecture summary, then an actual architecture diagram.
5. 5Read the disclosure policy: what is in and out of scope, is there a bug bounty.

For most review work, yes — emphatically. The trouble with static rules is that they are static: a rule can't trace context through the codebase the way an agent can, so writing a good one that follows the full data flow is very hard. In a vuln scan the agent drives the linter-style checks intelligently, picking the right ones on the fly. The viable hybrid is to feed linter and scanner output into the agent and have it triage.

Agents add one new failure mode: they make things up. That gives you two problems to manage. False negatives — the agent misses something you cared about. False positives — it confidently flags a non-issue. Each has a specific countermeasure, below.

Kick off one agent and have it spawn sub-agents grouped by vulnerability class — infrastructure, AppSec, prompt injection, XSS, dependency and SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems.. Each sub-agentA child agent a main agent spawns to work in parallel with its own context window, handing results back so the parent's context stays clean. produces a table of findings. For every finding it then has to show the full attack chain with code snippets and write a simulated proof of concept. Running it this way, sub-agents routinely realize a chunk of their own findings were wrong. Sub-agents earn their keep here for two reasons: the validation loop, and keeping each vuln class in its own isolated context.

Run a validation loop on anything that looks alarming. When the agent reports a finding — say it calls something a P0 — copy it back and, in effect, tell it you don't believe it: "Explain this in depth including the attack chain and relevant code snippets, tell me in detail how it would be exploited, and prove that the exploit works." The agent re-investigates and often concludes it is not a vulnerability at all — for example, an intentional feature the user invokes themselves. Push findings down to docs and code until model and human reach ground truth.

Hallucination is normal, not a reason to stop. In one session the agent claimed a doc line cut off mid-sentence; a quick "check GitHub, here's the actual text" produced "You're right, I was wrong." Assume the model can and will fabricate, make it show you docs and code, and you reach ground truth far faster than reviewing alone.

Match the mode to the task shape. Ask when you just want a question answered and don't want the agent touching code. Agent mode for quick changes. Plan modeA mode that makes no edits: it researches the codebase and produces an editable plan you review before any code changes. for anything net-new or non-trivial, because in plan the agent aggressively farms context up front — finding the injection points ahead of time, forming context more comprehensively, and staying on track during execution. Debug modeA mode that diagnoses a failure: it reproduces the issue, adds instrumentation and watches the logs, rather than reviewing a pull request. is worth keeping in the rotation too. The honest advice: play with all of them.

On models, be a daily driver rather than a constant switcher: you build an intuition for how a model approaches problems and where it gets stuck. A current Opus 4.x model works well as a security daily driver. Some GPT-5.x models are very strong on hard problems but slower, so reach for them when you want depth over speed. Let Auto modeA router that reads your prompt and picks a model for you, defaulting to Composer; you steer it with cues like "quickly" or "carefully". route by task when you're undecided. This is a personal observation, not the official Cursor ranking — try models yourself and form your own view.

Use Plan modeA mode that makes no edits: it researches the codebase and produces an editable plan you review before any code changes. whenever you're shipping infrastructure, so you see the agent's thinking before it acts. For a worked example: deploying a third-party AI tool for a coworker, the safe-but-usable landing spot was to keep it off the public internet and reach it over a Tailscale connector (which the tool's own docs recommended), so it's locked down yet reachable from a phone. In plan, the agent writes Terraform into an infra/ directory with good defaults from the docs, explicitly not open to the internet, with reasonable plugins so it isn't trivially prompt-injected.

Read the generated plan carefully — that's the moment to give feedback. Ask the adversarial question directly in plan: "What if somebody sends my boss something that says to ignore previous instructions and fire me?" Then have a security sub-agentA child agent a main agent spawns to work in parallel with its own context window, handing results back so the parent's context stays clean. look for risks in the implementation before you open a PR. You want to know about real issues before the PR exists, not after.

Start from the root cause: in today's models there is no separation of control and data. The model doesn't understand different trust levels of whoever is feeding it information — instructions and untrusted content arrive on the same channel. Security has made this mistake before, and AI makes it again. That single fact is why prompt injection is the spectre hanging over every agent system.

Mitigate with exposure and capability limits, not cleverness. Don't expose the tool to the public internet. Put it behind a private network like Tailscale. Add reasonable plugins and guardrails so it isn't trivially injected. Then run the adversarial scenario explicitly: "what if an email tells the agent to ignore its instructions and take a harmful action?" If your design can't answer that, it isn't done.

Never hand the agent your credentials, even when you're a GitHub and AWS admin. Use a helper script the agent calls — you type something like creds prod, and the script sets environment variables in the shell the agent drives but cannot itself read. The agent can then run elevated AWS commands without the credentials ever being exposed to it. Architecturally, the agent drives a terminal through a tool; it sees terminal output, but the shell's env properties are not exposed to it. The same pattern works for any privileged system.

Approve every state-mutating and network command; let reads run free. Reading files is fine almost full-stop. Mutating state or anything needing network access asks for approval every time, because your user has more permissions to systems than you're comfortable handing the agent. Writing outside the workspace is a non-issue when you run in git workspaces — if the agent changes something, reset it. Approval isn't friction: the agent writes a complex aws ... | jq command faster than even a CLI expert could, so spending a second to read it and confirm it's sane is cheap. If the agent does something wrong, that's on you.

Layer the controls across the lifecycle. Cursor hooks plus Cursor rules run validation while the agent is performing actions, in-flight. BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. runs at PR time as the last gate before merge. And you manually drive the agent in between, periodically telling it to go find its own bugs as you develop. Hooks are specifically powerful for that in-flight validation; rules pin codebase truths the model keeps getting wrong — for example, a rule that the service runs on port 40001, not the 3000 the model kept hallucinating.

Merging stays human. The agent finds, proves and proposes; you read every line you'd ship and own the outcome. Don't accept "the model thinks it's a vulnerability, therefore it is" — or the inverse. For penetration testing, the workflow already finds bugs and writes PoCs, so running the PoC as a live exploit isn't a giant leap, and teams are chaining it. But validated-from-source-of-truth (perfect visibility of code and config) is often enough without a live exploit, and you should never warranty offensive work you haven't done yourself.

A few honest limits. Effectiveness multipliers here are self-reported, not measured. Context-window management used to dominate the workflow; modern compaction is good enough that a roughly 9-hour session ran without a single reset — but when an agent goes off the rails, the recovery is still manual: have it summarize, copy that out, spin up a fresh agent, paste it in. Some teased sandbox and PR-security-loop features aren't announced yet, so don't plan around them. And enterprise-wide controls — MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. governance, org-level policy — are a separate topic from this single-reviewer workflow.