Boundary integrity · sealed
v 8.2.1
Deva
A secure development bulletin

Bulletin · Engineering Note

Code as if someone were watching because someone is.

Deva is an AI-native development environment for the rooms where cloud AI cannot follow: classified networks, hospital subnets, defense primes, regulated banks. It catches insecure or non-compliant code as it is written, explains the clause it violates, and writes the fix, entirely against models running inside your boundary.

Deployed against government cyber/intel · medical research · defense primes

970+ CWE security rules
25 hybrid detectors · AST + taint tracking · 14 languages
10 active user teams
Government cyber/intel · medical/health research
17 compliance frameworks
CMMC · FedRAMP · HIPAA · PCI-DSS · NIST · SOC 2 · GDPR +
60 days: time to ship core product
Scanning engine + AI fixes + compliance mapping
Startup Tuneup · Launch | Cyber Venture Forum 2026 · Blu Ventures | NVIDIA Inception | AWS Activate · $10K | Techstars · Pitch Series Invited | Defense Tech DC · Private Meetings | MACH37 · Summer Cohort Invited | npm · 2k+ downloads in one day | Deva Security · 600+ installs in a week

Try the scanner

Lite edition

A lightweight tester, not the full IDE. The complete platform with 970+ rules, compliance mapping, AI fixes, and local model deployment is available through the full product.

$ npm install -g @devseccode/scanner
$ devseccode hunt .

The Platform

One platform.
Everywhere cloud AI cannot go.

Write-time detection, compliance-aware fixes, and local AI, sealed inside your boundary.

i.

Local models, inside your boundary

Runs against an on-prem or air-gapped model. Ships with Deva Coder; bring your own if you prefer. No outbound model calls, ever.

On-prem · dedicated · air-gapped

ii.

Write-time detection

Findings surface while the code is being typed, not at commit, PR, or the nightly scan. The difference between preventing and remediating.

25 hybrid detectors · 14 languages

iii.

Compliance at the clause level

Every finding maps to the exact control clause it violates, not just the framework. The output mirrors what an auditor expects on a System Security Plan.

17 frameworks · 6 export formats

Field Report · Product Demo · 2:47

The Deva Model Family

The local models.
Run entirely inside your boundary.

Purpose-built models trained on domain-specific data. No outbound model calls. No third-party provider dependencies. Source code and patient data never leave the environment.

A. Your hardware: Run on a dev machine or bare-metal server inside your network.
B. Dedicated server: We provision and manage the inference host on your behalf.
C. Fully air-gapped: Offline classified environments. No outbound traffic.

deva-coder-v8 · benchmarks

H200 · 2026-04-29
MBPP syntax pass rate: 99.7%
Tool-use compliance: 93.3%
SecurityEval CWE acc.: 87.5%
Fix generation rate: 100%
First-token latency: ≈ 1.3 s
Air-gapped

Operating dossier

DEVA · Q2 · 2026
Detection model: deva-coder-v8
CWE rule coverage: 970+ across 14 langs.
Compliance frameworks: 17 mapped · clause-level
SecurityEval · CWE acc.: 87.5%
HumanEval pass@1: 94.8%
First-token latency: ≈ 1.3 s · Apple Silicon
Deployment surfaces: On-prem · dedicated · gapped
Code egress: Zero. Always.

the deva model family

Compute via NVIDIA Inception

Deva Coder

Live

Security-focused coding agent. CWE detection, CVE patching, secure code generation. Excelling on SWE-Bench, HumanEval, SecurityEval.

Local · on-prem · gapped

Deva Medical

In training

HIPAA-aware clinical AI. De-identification of all 18 PHI categories, clinical summarization, ICD-10 coding, FHIR resources.

Clinical NLP · de-id

Deva Gov

In training

Government compliance mapping. CMMC, FedRAMP, NIST 800-53, FISMA controls. Classified-environment workflows.

Compliance · gapped

Deva Finance

In training

Financial compliance AI. PCI-DSS, SOX ITGC, SOC 2. Fraud-detection patterns, transaction security, audit evidence.

PCI-DSS · SOX · SOC 2

Compliance Coverage

17 frameworks.

Every finding maps to the exact control clause it violates, not just the framework name. HIPAA 164.312(a)(1). NIST 800-53 SI-10. PCI-DSS 6.3.2. Each control gets a verdict: covered clean, covered with violations, partially covered, not covered, or attestation-required. This is the format an auditor expects on a System Security Plan.

finding detected
CWE-89 · SQL Injection

src/api/users.ts:42

Violates 3 controls:

NIST 800-53 SI-10 · HIPAA 164.312(a)(1) · PCI-DSS 6.3.2
  • 01. CWE → control mapping across 17 frameworks
  • 02. 5 verdict levels matching SSP format
  • 03. 6 export formats: SARIF, OSCAL, JUnit, CSV, JSON, agent-json
  • 04. Compliance-aware fixes that don't re-introduce violations

DoD & Government

5 frameworks
  • 01. CMMC 2.0: mapped
  • 02. FedRAMP: mapped
  • 03. NIST 800-53: mapped
  • 04. NIST 800-171: mapped
  • 05. NIST CSF 2.0: mapped

Code-level mapping · exact control clauses · audit-ready evidence.

situation report · DEVA-2026-Q2 · May

Live

active user teams

10

Government cyber/intel and medical/health research: the two verticals where compliance most directly blocks revenue.

Government · Cyber/Intel · Healthcare · Medical Research · Defense
2,000+ npm installs in one day: @devseccode/scanner, lightweight CLI scanner.
60 days full-time to core product shipped: Scanning engine, AI fixes, compliance mapping, all live.
600+ Deva Security installs in a week: VS Code Marketplace + Open VSX Registry, extension edition.
2 verticals where compliance blocks revenue: Government cyber/intel and medical/health research.

recognized & backed by

Startup Tuneup: Launch · accelerator
Cyber Venture Forum: Blu Ventures · 2026
NVIDIA Inception: compute for training
AWS Activate: $10K in cloud credits
Techstars: pitch series · invited
Defense Tech DC: private meetings
MACH37: summer cohort · invited
npm: 2k+ downloads in one day
Deva Security: 600+ installs in a week

investor relations

Building in, or investing in, regulated-environment AI security? We are meeting actively with teams in gov and healthcare.


Field Reports

Built in the open.
Updated constantly.

Core product shipped in 60 days in 2026. The full timeline follows below.

089
Jun 17, 2026
Traction

13,000+ total downloads

Over 10,700 npm downloads and 2,600+ extension downloads across the VS Code Marketplace and Open VSX Registry. Over 13,000 total downloads across all platforms.

088
Jun 12, 2026
Milestone

Deva Core: MVP readiness

Deva Core reached MVP: quickstart onboarding, built-in readiness checks, Markdown report exports, and expanded test coverage across scanning, compliance, evidence, and validation.

087
Jun 10, 2026
AI

Cloud model reliability & improvement roadmap

Hardened cloud LLM provider health checks and status reporting. Published a model improvement roadmap focused on governed adaptation, customer-local evaluation, and auditable updates.

086
Jun 9, 2026
AI

Deva Core: cloud LLM service & realtime scanning

Shipped the cloud LLM service with realtime scanning and a provider registry covering local, BYOK, Ollama, and managed cloud validation paths. Users choose where their models run.

085
Jun 8, 2026
Architecture

Deva Core: platform consolidation

Consolidated the product surface under the Deva Core name. Core is the canonical platform for scanning, compliance, SBOM, and reporting. 'Scanner' is reserved for the detection engine inside it.

84 earlier entries withheld pending access.


Dispatch

By post.

Quarterly field reports on Deva: new detectors, frameworks, model releases, and the occasional note from a customer site. No marketing.