Blitzy logo
OverviewUse-casesSecurity
Company
DocsBlogVideos
Pricing
OverviewUse-casesSecurity
Company
DocsBlogVideos
Pricing

Dynamic Discourse: Security, AI & Open Source

Jul 02, 2026 • Carly Levinsohn • 3 min read

Dynamic Discourse: Security, AI & Open Source

"Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software… We All Depend on Open Source. We Will Defend It Together."

Announced on June 25, 2026, the Linux Foundation started Akrites: an initiative to identify and address critical security vulnerabilities in open source software. The above excerpt succinctly diagnoses the impact. Supported by technology companies, financial institutions, and research laboratories, organizations are rallying behind the open source projects that make up the silent backbone of their applications.

Two days prior to launch, we published a Blitzy blog called "Open Source in the Age of AI" about the relationship between open source contributions and artificial intelligence. We will now focus on the security angle and what the evolving open source and AI relationship means for how engineering will be done going forward.

AI & Security: How Capability Becomes Vulnerability

Jim Zemlin, Executive Director of the Linux Foundation, said the average time it takes to exploit a vulnerability is negative seven days. Flaws can be weaponized before defenders know they exist.

Open source absorbs a large portion of that risk. A joint Linux Foundation and OpenSSF report found that 96% of modern codebases contain open source components, so one unpatched library can ripple through banking, healthcare, and energy infrastructure at once.

Discovering vulnerabilities outpaces remediation. Endor Labs, a founding member of Akrites, reported that less than 5% of recently validated open source vulnerabilities had been patched.

Akrites targets the gap directly. A shared Security Incident Response Team takes in reports, deduplicates them, and coordinates a single disclosure instead of a hundred scattered ones. For critical packages that have outgrown their maintainers, Akrites can even step in as a last resort.

The distance between finding a flaw and fixing it does not lie just in processes. The problem is also a cognitive one — for which psychologists already have a name.

System 2 AI & Linus Torvalds

In Thinking, Fast and Slow, psychologist Daniel Kahneman splits human cognition into two modes. System 1 is the fast, automatic machine for instant pattern recognition. System 2 works deliberately, approaching problems by tracing, testing, and resolving conflicts properly.

Most AI vulnerability scanning falls in the System 1 category. These tools are very fast and effective at detecting bugs.

What happens when System 1 technology attempts System 2 tasks? Linus Torvalds has spent the past few months battling the kernel's now-unmanageable private security mailing list. The inbox drowns under duplicate reports from researchers running the same tools against the same code.

The system distinctions Torvalds draws are rooted in understanding and context:

"People who know what they're doing to understand systems will be able to prompt tools to write good code."

With one comes the inverse: "people who don't understand the complexity of systems will also prompt systems and write processes that will fail".

This philosophy of shared expertise is exactly why the Linux kernel's new contribution policy requires an "Assisted-by" tag for AI-generated code rather than treating it the same as a human sign-off.

True open source contributions come from verified, working fixes. Tools can write the pattern, but a person still has to own what the code means.

Blitzy's Position

Akrites is building a coordination layer that this critical junction between agentic and human engineering needs. By developing a shared process, maintainers face one trusted partner rather than separate reporters.

Blitzy is built to operate at the layer underneath, doing the System 2 work that coordination alone cannot replace. This claim is not theoretical but directly supported by all of the open source projects Blitzy has contributed to in our Open Source Enhancement Initiative: dnsmasq, curl, zlib, WebVella, HeavyThing, and WordPress.

The founding members of Akrites — Anthropic, AWS, Google, Microsoft, OpenAI, and others — are effectively agreeing that AI-native discovery needs an AI-native, System 2 partner.

In only one week, the open source landscape has changed. Akrites gave the industry a coordination layer, and Linus Torvalds set the standard. Blitzy builds for enterprises as a System 2 AI, maintaining the open source standard for technical excellence.

More from the blog

View all
How I Made Blitzy More Secure In My First Week

How I Made Blitzy More Secure In My First Week

Jun 30, 2026 • Alex Gardiner • 3 min read

Blitzy Scores a Record 84.95% on SWE-Bench Pro

Blitzy Scores a Record 84.95% on SWE-Bench Pro

Jun 26, 2026 • Dr. Neeraj Deshmukh • 4 min read

Frequently asked questions

What is Blitzy?

toggle button

Blitzy enables development teams to transform six-month software projects into six-day turnarounds using Blitzy OS, an agentic platform that enables thousands of AI Agents to 'think' and cooperate for hours to bulk build software with precision. The platform builds everything AI can deliver in a precise manner, around 80% of any roadmap or new product, supplemented with a human engineering guide to complete the remaining 20% needed for production. With over 27 patents and counting, Blitzy is actively hiring PhDs and senior developers in Cambridge, MA who have a passion for building AI that leverages 'System 2 Thinking' to solve problems at inference.

Who is Blitzy for?

toggle button

Enterprises that aim to dramatically accelerate their software development velocity, development agencies with enterprise clients, development teams with complex existing products, and individuals looking to accelerate their own velocity on complex builds.

How does Blitzy's technology work?

toggle button

Our patent-pending code ingestion framework maps a curated selection of robust, reliable, and secure open source software libraries that we track by version and update frequently. Combined with our proprietary code generation technology that specializes on enforcing enterprise-class software policies, Blitzy far exceeds the utility of typical chatbots and co-pilots in creating production-ready software at scale.

Is Blitzy a coding co-pilot?

toggle button

Nope. Blitzy surpasses traditional co-pilots with its ability to autonomously generate nearly-complete code repositories, not just snippets. It features a daily-refreshed knowledge base, avoiding the pitfalls of outdated information. Blitzy's proprietary codebase representation system enables deep understanding of generated code, offering highly contextual and relevant suggestions for your entire repository.

What's my role in Blitzy's development process?

toggle button

Your team is responsible for bringing the requirements, and as an approver during the technical specification stage. We ask you to edit/approve the Technical Specification. The document is editable, so you can edit and approve to get exactly what you had in mind.

How does Blitzy decide which tasks to delegate to human developers?

toggle button

Blitzy's multi-agent system is meticulously and rigorously trained to know what it can accomplish, and what needs to be left for the human engineers. This ensures you only receive quality code and have a clear picture of remaining tasks.

Does Blitzy do more than just autonomous code generation?

toggle button

Yes. Blitzy is a comprehensive platform that provides end-to-end development assistance. We support the entire development lifecycle by taking descriptive inputs and generating software requirements documents, technical design, code structure, and generative code within repos for your product.

Is this high quality and secure?

toggle button

Quality and security matter deeply to us — and they were our biggest frustration with the copilots already on the market. That frustration is what led us to build something different: a system designed to meet enterprise standards from the start. Every piece of work passes through multiple QA agents that review each other's output before any code reaches you, so what you receive is held to a consistent quality bar rather than the variable output typical of single-pass code generation. We deliver production-grade code repositories. As with any code entering your environment — written by humans or AI — your team should still run its own QA, QC, and security testing before deployment. We build to a high standard and give your reviewers a strong starting point; final validation stays with the team that owns the production environment.

What is the typical cost of your solution?

toggle button

Blitzy uses a two-phase pricing model: evaluation followed by deployment. This structure lets enterprises validate ROI at their preferred scale before committing to organization-wide implementation. The evaluation phase provides three options. Reverse Engineer ($0) offers an initial assessment with complete codebase reverse engineering and understanding up to 100K lines of code; Proof of Concept ($50K for a 2-month term), where Blitzy delivers a guided POC to demonstrate value; or Structured Pilot ($250K for a 6-month term), which fully deploys Blitzy in your environment with 5M lines onboarding and 1.25M lines generation to prove production readiness. Following successful evaluation, organizations choose between three deployment paths. Commercial ($500K typical investment per year) adopts Blitzy on one team to accelerate a defined initiative: the first 20M lines onboarded are included, with additional onboarding at $0.10 per line and generation at $0.20 per line starting at 2.5M lines, plus dedicated infrastructure and SAML-SSO. Enterprise ($5M typical investment per year) rolls Blitzy out across your engineering organization, with onboarding billed at $0.10 per line across the full codebase — a typical engagement onboards 50M lines — and generation at $0.20 per line as needed, adding a Dedicated AI Solutions Consultant, 2 Forward Deployed Engineers, org-wide onboarding and certification, and priority support. Transformation ($50M typical investment per year) supports your largest codebases, with a typical engagement onboarding 500M lines at the same per-line rates, custom deployment, and embedded teams including a Field CTO, a Dedicated AI Solutions Consultant, 6 Forward Deployed Engineers, and 2 Forward Deployed Designers for complete digital transformation. All tiers maintain SOC 2 Type II compliance, ISO 27001 certification, and guarantee no training on your code. Pricing follows a transparent two-rate model: $0.10 per line onboarded for reverse engineering and $0.20 per line generated for forward engineering. Because reverse engineering also produces complete technical documentation of your codebase, onboarding-only engagements are fully supported, and in every tier costs align directly with the value delivered.

After submitting my prompt, Blitzy added functionality in my tech spec that I did not expect. What do I do?

toggle button

The system defaults to taking advantage of all technology upgrades when modernizing or upgrading to the latest technology stack. For example, if you specify an upgrade to Java 21, the system will by default implement virtual threads, as it's generally seen as a superior technical approach. If you do not want this, you must simply tell the system to 'make as few changes as possible to achieve the desired request'. Being as specific as possible about what functionality is (and is not) desired helps yield results that will align with expectations.

What do Blitzy agents rely on as a source of truth to represent my existing codebase?

toggle button

Blitzy agents rely on the actual source code of your existing codebase—not the Tech Spec documentation—when performing refactors or extending functionality. However, an accurate Tech Spec significantly aids the system's efficiency in querying the underlying representation of the code. Therefore, investing time to ensure the Tech Spec reflects the core features of the application will yield expectation-aligned results and will save time with last-mile development.

Can Blitzy work with existing products and code bases?

toggle button

Yes! Blitzy excels at working with existing codebases, using them as a foundation to ensure consistent, high-quality development. The platform enables you to add new features to existing products, generate comprehensive documentation, and tackle technical debt by upgrading legacy systems to state-of-the-art technologies or refactoring complex codebases. Our platform deploys dedicated AI agents that map and understand your codebase before generation, ensuring intelligent, contextualized development that aligns with your existing patterns and standards.

What programming languages does Blitzy support?

toggle button

Blitzy's AI platform works with all programming languages.

How should I structure my prompts for Blitzy?

toggle button

Structure and organization are crucial when prompting Blitzy. The most effective prompts follow our prompting template with clear sections for WHY (vision & purpose), WHAT (core requirements), and HOW (technical details, user experience & implementation priorities). Each section should be detailed but concise, focusing on essential information while providing relevant context. Including structured frameworks and concrete examples - like data models, user stories, or feature templates - helps Blitzy deliver more precise and purposeful solutions.

What information does Blitzy need to compile and run my code?

toggle button

During code generation, Blitzy compiles your codebase and performs runtime validation to ensure the generated code works correctly. To enable this, we require: (1) Internal dependencies - any private packages, libraries, or binaries not publicly available that your code needs to build and run, (2) Environment variables and secrets - API keys, credentials, and configuration values required for compilation and runtime (shared securely through our encrypted UI, never exposed to AI agents), and (3) Build instructions - the specific steps or scripts needed to compile your code, typically found in your README or setup documentation. This information allows Blitzy to replicate your development environment and verify that all generated code functions properly before delivery.

How can I exclude certain files or folders from Blitzy's code generation?

toggle button

Create a .blitzyignore file in your repository's root directory to specify which files or paths Blitzy should exclude during tech-spec generation and code generation. This works similarly to .gitignore - simply list the file patterns, directories, or specific files you want Blitzy to skip, using standard gitignore syntax like *.log, /build/, or config/secrets.json. To ensure Blitzy respects these exclusions, mention in both your codebase context prompt and target state prompt that Blitzy should reference the .blitzyignore file and exclude those paths from processing.

Can I cancel my project/job (code gen) once in progress?

toggle button

At this time, jobs are not cancelable. Once you submit, it consumes the assigned quota.

Build enterprise software in days, not months.

Start buildingTalk to an expert
Blitzy

Blitzy

One Kendall Square,

Cambridge,

MA 02139

© 2026 Blitzy. All rights reserved

Product

  • Overview
  • Use-cases
  • Security
  • Pricing

Company

  • About us
  • Careers

Support

  • Help
  • Service status
  • Trust center

Resources

  • Docs
  • Blog
  • Videos

Social

  • YouTube
  • LinkedIn

Legal

  • Terms of use
  • Privacy policy