# Your AI security engineer, Cygent | Walkthrough

## Метаданные

- **Канал:** Patrick Collins
- **YouTube:** https://www.youtube.com/watch?v=90MxNlRUwTw
- **Дата:** 15.04.2026
- **Длительность:** 13:47
- **Просмотры:** 1,274

## Описание

https://www.cygent.dev/

😸😸Follow Patrick!😸😸
Cyfrin: https://www.cyfrin.io/
YouTube: https://www.youtube.com/@PatrickAlphaC/videos
Twitter: https://twitter.com/patrickalphac
Medium: https://medium.com/@patrickalphac
TikTok: https://www.tiktok.com/@patrickalphac

All thoughts and opinions are my own.

## Содержание

### [0:00](https://www.youtube.com/watch?v=90MxNlRUwTw) Segment 1 (00:00 - 05:00)

Hello, my name is Patrick Collins, co-founder and CEO of Cyfrin, and I'd like to introduce you to Cygent, your dedicated AI security engineer. For the longest time, the security industry has been trying to push security left, or push security into the hands of the software engineers, builders. This way, as you're building your protocols and apps, you can have security baked in from day one. You can kind of think of this as building a house with the foundations in mind from day one. You wouldn't build a house and then look to check your foundations after the house is done. You want to get it right the first time. With Cygent, you can finally do that. Cygent isn't just an AI model, it's a security engineer that lives and breathes in your work, exactly where you do. Let me show you what I mean. To get started, we tell our Cygent where we want to get connected. We are building a borrowing and lending financial application using Slack as the way we communicate with each other, so we're going to go ahead and connect with Slack. We're going to invite Cygent to our Slack application to work on Ghostland. We're also going to then connect Cygent to our GitHub. We've started with a skeleton of the code here. However, you can also use Cygent to build this from day one. And let's create the agent. Now we can work with Cygent in our Slack as if it was just another member of the team. And that's what we should do. So we have our demo code set up, but we don't know how good it is. Let's go ahead and just get started by running an audit of our code base. Just like you'd ask any member of the team, we'll just go ahead and ask Cygent to run an audit on our code base. Cygent says, "Sure, you want me to run a full audit? " And we say, "Absolutely. " Then it'll give you real-time updates on how it's doing in this audit. This will run an end-to-end security review of your code base. And this works for both Web 3 and Web 2 code bases. So if you're working with Go, Rust, Solidity, you can run a security review. If we flip back over to the dashboard, we can scroll down and we can see the recent activity where we asked Cygent to go ahead and run an audit on this code base. At Cyfrin, we've been at the forefront of training both users and machines to make your code as secure as possible. We've been the number one education site for smart contract developers and security researchers in Web 3, and we've been taking that training of humans and using it to teach us to also train your AIs to make them better and smarter. As developers of security education tools like Solidified and security tools like Adaren, and also being security researchers for top projects like MetaMask, zkSync, and Secure Tides, we've taken all these learnings, combined them together to build Cygent to have it have the most context for finding bugs and vulnerabilities on the market. With all our domain expertise and massive back end that we've been building out, we outperform even the top models alone and use some combination of different models put together with our domain expertise injected. And after some time, we will get a full security audit report of what we have so far. This is also a great way to give our Cygent some context for the future. More on that later. If we select hit all issues, it we can create GitHub issues on the GitHub repo for all the issues that it found. We can also drop back to the UI, and we can see there's a couple different classes of issues that it has created: active, invalid, and resolved. Obviously, nothing has been resolved yet because we haven't fixed anything. Now you might be wondering why there's still issues that it reported if it considered those invalid. The active ones are going to be the issues that it actually found and are active. It looks like it found an issue with our Oracle freshness. We are allowing for stale Oracle prices in our lending protocol. This is no good. So, this Oracle freshness bug is definitely something that should be fixed, but so is this transient storage bug that it found as well. Certain versions of Solidity have an issue with transient storage, and Cygent was able to find this in our code base. The reason it also includes invalid findings and in this all finding section is because this can be important context for both you and for new developers and for the AI agent itself. For example, if we look in the code base, this might be a familiar no-no setup that you see here. We have this safe transfer function here, which occurs before some state is changed. This is a classic violation of CEI and is a reentrancy vulnerability. Typically, somebody would automatically call this out in an audit. "Hey, you need to fix that no matter what. " Now you still might want to fix that. However, we can actually see that Cygent caught this issue and then invalidated it for you. And the reason it invalidated this is because the supported tokens for this protocol, WETH and USDC, don't have or don't use callback functions. So that can't actually be exploited on this code base. However, this is still good context to have in case you go ahead and improve the code base to allow for more different types of tokens. That is something that should be looked at, and the AI agent can revisit this list of invalidated issues and call that out as an actual vulnerability. Now obviously, like any other AI agent, you can ask it questions about why the vulnerability exists and clarify things, but even better, you can just say, "Okay, Cygent. " Just like any other AI agent, we can also just say, "Okay, Cygent, please make two PRs to fix the Oracle staleness bug and transient storage bug. " It'll then ask some clarifying questions that we'll follow up with, give you a plan, and then if we're happy, just say, "That looks good. " And

### [5:00](https://www.youtube.com/watch?v=90MxNlRUwTw&t=300s) Segment 2 (05:00 - 10:00)

we can see now on the GitHub repo, it has the two commits to fix both of those issues, the Oracle lib and the reentrancy guard. After reviewing the code base, I think it looks good, so I'm going to go ahead and merge it in. Okay, but you're just getting started on this code base, and you're looking to add features. So your co-founder or your frog friend just added a feature to add more token support where they've added a function called add supported token to enable your protocol to have more functionality. We can grab that pull request and say, "Hey, Cygent, can you review this pull request? " And after a brief delay, it'll give us its assessment of the pull request. Which it found a critical issue, to no surprise, because that feature was terrible. It commented directly on the lines that it had issues with, so the people know exactly what's going on. Now this is nice, but I don't want to have to ask Cygent every time somebody makes a pull request, so we can just ask Cygent to turn on automatic pull request reviews. And it'll update its settings to automatically review these pull requests. So now these reviews will happen automatically. Now what's extra special about having Cygent in your Slack is if you're having a conversation with somebody else, that'll add context to your security researcher for future projects and for future features. And not only that, but Cygent is proactive in these conversations. So in our chat here, I said, "Hey, our liquidation math must follow the AAVE 3 approach, and we should be flagging any deviations because we're deploying to the Arbitrum L2. " We didn't tag Cygent here, but Cygent read this and said, "Oh, this is actually really important for us for future audits. " So I've left a note for future audit to make sure to check out the liquidation model and the deployment target. This isn't something that we directly asked Cygent to do, but just by having conversations in the Slack and in Google Meets, Cygent will be a better security engineer exactly as a human would normally be in your conversations here. Now it's great to talk in Slack about these features and improvements so that your AI agent has access to these tools. However, a lot of times you're going to jump on a call and talk to another human being about some feature or some security feature. Historically, it has been quite cumbersome to take the context derived via communication, via talk, and give it to your AI to build the next tool or security feature. Now what we can do is if you're in a Google Meet or some other type of call, what we can do is we can copy our link here and ask our agent to join. Cygent will ask to go ahead and join the meeting, and on the Google Meets, we will get a pop-up from Cygent saying, "Hey, they would like to join the meeting. " This way, whatever you talk about, our agent will have context going into building new features. So I'm going to go ahead and admit Ghostland AI into our Google Meet here, and now Ghostland AI is listening to our conversation for important aspects as a security researcher or security engineer should. We can even come up with action items that Cygent will go ahead and record and give us a summary transcript for it to do those actions. For example, let's say we wanted to add wrapped Bitcoin and USDT as collateral tokens to our Ghostland protocol. And that's the feature that we ended up deciding to come to. Cygent will take this and go ahead and make an action item board itself to both review that and then add that feature in for us. Hey, Cygent, before we jump off, I wanted to ask a question. What do you think of adding wrapped Bitcoin as collateral? Sure, let me think that through. Yes, you can add wrapped Bitcoin as collateral, but the big trade-off is that wBTC adds a custodial trust dependency because you're relying on the wrapper's bridge and custodian. So if that gets compromised, the backing can disappear. You'd also want to be careful with the BTC price oracle and set liquidation thresholds for BTC's higher volatility. And on the contract side, wBTC is an ERC-20 with eight decimals instead of 18. So Ghostland's collateral math needs a careful check for any precision issues. So you can ask Cygent questions right in the call as if they're another person working with you. Thanks, Cygent. And just like that, you can have a call with your co-workers and have your AI agent giving you feedback real-time. Now back in our Slack, it has a summary of the call, and it has our decisions and our action items. Then we can just ask Cygent to make a PR with those action items, and it'll make a pull request as we've seen before. Now not only can you interact with your agent in Slack and on calls, having it make pull requests and do audits for you, but you can also have it schedule tasks for you, especially when it comes to your security parameters. For example, the default scheduled task that your AI instance will come with is a daily DeFi threat monitor. This is an example of a scheduled task you can use to help keep your code base secure. For example, this one will get today's date and fetch any recent attacks that have been reported on Rekt News. We love Rekt News here at Cyfrin. It'll go through any new type of exploit that has been found and see if our code base is vulnerable to that threat. You can obviously update this to run more frequently, check Twitter, or check other alerting methodologies to help keep your code base safer, faster. We could be even more explicit and ask Cygent to run a weekly threat scanning

### [10:00](https://www.youtube.com/watch?v=90MxNlRUwTw&t=600s) Segment 3 (10:00 - 13:00)

the web for all different types of exploits, not just from wrecked. news, and comparing that to our codebase. It'll ask us to confirm a scheduled task. We'll go ahead and proceed. Now we can see in our scheduled task in the dashboard, we have a new weekly threat intel briefing. You can run pretty much any type of automation you can think of. Now, of course, your protocol should have a bug bounty set up, and triaging bug bounty submissions can be quite troublesome, especially with people sending you so many fake nonsense AI generated bug bounties. So, Cygent can be your triage, and we can just ask Cygent to go through these bug bounty issues. It has all the context of your codebase already. It has conversations already, so it is very intelligent with what it's going to close and pass on to you. Our AI was smart enough to go through all the bug bounty submitted, realized that they were all spam, and just closed all of them. So, on our GitHub repo, we do a refresh, those have all now been closed as spam. Now, let's kick things up a notch. Cygent, start a battle on Ghost Land. With a battle, you can battle test your smart contracts or your environment into a true red team blue team environment. Cygent will kick off agents that are a red team and a blue team to attack and defend your contract at the same time. Let's go ahead and just do it live. For doing it live, you can deploy right to battle chain, local anvil, a fork, or whatever you choose. We're just going to do everything locally on anvil. But, yes, this would deploy contracts to battle chain if you choose to work on the battle chain attack mode. This will set up this sandbox environment, and again, all secrets are encrypted at rest when working with this as well. But still, this should be development keys when you're working in this attack mode. You scroll down in the dashboard, you can see a little bit more granular about what's actually happening here. It created some contract diagrams for it to understand how to attack the codebase. It's going to go ahead and start deploying the contracts to the chain, deploying a sub agent, which will then attack the different contracts in battle mode. You can see that the red team has identified an issue with Oracle freshness, and it's going to attempt to attack our smart contracts based off of this. Back in our Slack, we can see Cygent giving us updates about what's happening with the red teams and the blue teams. And you can see Cygent actively trying to activate and attack this exploit. This way, not only can you do a security audit, but you can also start to battle and stress test your codebase in a true red team blue team environment with agents going to town attacking your codebase. You can see the agent trying different types of attacks, and the blue team not having to do too much because it's hasn't noticed the red team actually getting through with anything substantive here. There are lots of different screens on the dashboard, and more being added every day, including activity, where you can see the conversations that you've had, planning phases, audits, pull requests, etc. Different projects are working on, the schedules, battle mode, and obviously different settings. If there's something in here that you wish to add, please reach out to the team so we can add it. And finally, we can just ask Cygent to give us the big picture of our project, and it'll give us the security rundown of where our project is so far, what's working, what's not working, and any other updates. Now, as you've seen, Cygent is incredibly powerful, especially with the battle mode that we've implemented. Because it's so powerful, we are running this on an enterprise beta plan. And if you wish to be included, please reach out to the Cypher team for us to spin you up an instance. With Cygent, we are giving you an in-house AI security researcher, where we've crammed so much of our knowledge about security, about smart contract development, about the hundreds of audits that we've done so far into this agent to help you be more secure. Reach out today to make sure your codebase is more secure in an easy-to-use interface.

---
*Источник: https://ekstraktznaniy.ru/video/49687*