depthfirst announced that their production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, the ubiquitous media processing library. The system produced concrete, reproducible proof-of-concept inputs at roughly $1,000 total cost—a fraction of traditional security analysis expenses. Several flaws had remained hidden for 15 to 20 years, including one dating back to 2003.

FFmpeg processes media across browsers, streaming platforms, and infrastructure worldwide, handling roughly 1.5 million lines of C code that parse hundreds of complex formats. Recent work by Google's Big Sleep team (13 vulnerabilities) and Anthropic's Mythos model demonstrated advanced reasoning through dense codebases. These efforts made finding new bugs increasingly difficult, prompting depthfirst to build their own agentic system using publicly available models.

The security agent differs from coding agents by focusing on adversarial inputs rather than application development. It begins with threat modeling, identifies exposed parsers, traces data flow, and validates whether attackers can actually reach vulnerable code paths. Unlike theoretical reports, the system automatically generates reproducible inputs that confirm each finding.

Eight vulnerabilities received CVE assignments, including CVE-2026-39214—a stack buffer overflow latent since 2003 in the SDT implementation. The remaining issues cover heap overflows in TS demuxer, VP9 decoder, and RTP depacketizers. This demonstrates that specialized autonomous agents can systematically uncover critical security flaws in hardened, widely-deployed software at dramatically reduced costs.