What it is
DepthFirst describes its platform as an autonomous system for finding vulnerabilities in low-level code, including C and C++ systems where ordinary scanners often miss stateful memory-corruption paths.
For Bugflation, the current public evidence centers on NGINX Rift: a May 2026 disclosure where DepthFirst says its system analyzed the NGINX source code, identified multiple memory-corruption issues, and produced proof material that was reported to NGINX/F5 through coordinated disclosure.
What is verified
The ledger indexes one DepthFirst entry:
- CVE-2026-42945, CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934, a four-CVE NGINX cluster led by the critical NGINX Rift rewrite-module heap overflow. DepthFirst says its autonomous platform found the issues; NVD and F5-linked CVE records corroborate the public vulnerabilities and fixes.
Attribution boundary
This is not labeled as direct upstream AI attribution. The CVE records credit DepthFirst researchers and link the disclosure material, but the autonomous platform claim is made by DepthFirst itself. That makes the current Bugflation attribution self-reported: public vulnerability records corroborate the bugs, while DepthFirst supplies the AI-system narrative.
Why it matters
The NGINX cluster is notable because it targets a mature, internet-facing codebase and includes a critical memory-corruption issue with a published technical exploitability path. It is a concrete example of agentic analysis moving beyond toy programs into infrastructure software where validation, coordination, and patch timing matter.