AI Security's Cost Bottleneck Isn't Tokens, It's Validation
SC World, Monday, June 1st, 2026
Contrast Security finds the real cost of AI vulnerability scanning is human triage and validation, not API tokens.
Research from Contrast Security argues that the dominant cost of using AI to scan code for vulnerabilities is not the token bill but the labor of triaging and validating thousands of findings, including many false positives.
In one example, scanning 1.8 million lines of code with Claude Sonnet 4.6 surfaced 3,560 findings for just $315 in tokens, yet validating them at half an hour each by a $150K/year engineer would cost roughly $128,000.
AI scanners are also non-deterministic: rerunning the same scanner three times on a 50,000-line sample produced only about 17% agreement with its own prior findings, making prioritization harder. The takeaway is that the best ROI comes not from replacing deterministic security with AI but from combining the two, since validation, not tokens, is the hidden bottleneck.
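The two problems the research describes, rerun instability and validation labour, can be measured rather than eyeballed. The following Python script is an added illustration, not code from Contrast Security or SC World: it scores how consistently constructed scanner reruns agree with each other, keeps only findings that recur across reruns, and prices the manual validation of each set. The 2,080-hour working year and the ten-line matching window are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: three reruns of one AI scanner over the same code.
# A finding is (file, line, category); line numbers drift a little between
# runs, so lines are bucketed into windows before findings are compared.
RUNS = [
    [("auth.py", 42, "sqli"), ("upload.py", 118, "path-traversal"),
     ("util.py", 7, "hardcoded-secret"), ("api.py", 200, "xss")],
    [("auth.py", 44, "sqli"), ("upload.py", 118, "path-traversal"),
     ("api.py", 203, "ssrf")],
    [("auth.py", 42, "sqli"), ("util.py", 9, "hardcoded-secret"),
     ("cfg.py", 3, "weak-crypto")],
]

def finding_key(file, line, category, window=10):
    """Normalise a finding so small line drift does not break matching."""
    return (file, line // window, category)

def run_keys(runs, window=10):
    return [{finding_key(*f, window=window) for f in run} for run in runs]

def stability(runs, window=10):
    """Fraction of reruns that reported each distinct finding."""
    counts = Counter()
    for keys in run_keys(runs, window):
        counts.update(keys)
    return {k: c / len(runs) for k, c in counts.items()}

def mean_agreement(runs, window=10):
    """Mean Jaccard overlap between every pair of reruns (1.0 = deterministic)."""
    sets = run_keys(runs, window)
    scores = [len(a & b) / len(a | b) for a, b in combinations(sets, 2)]
    return sum(scores) / len(scores)

def validation_cost(n_findings, hours_each, annual_salary, hours_per_year=2080):
    """Labour cost of manually validating n findings (2080 h/yr is an assumption)."""
    return n_findings * hours_each * annual_salary / hours_per_year

def triage_plan(runs, min_fraction, hours_each, annual_salary, window=10):
    """Validate only findings reported in at least min_fraction of reruns."""
    stab = stability(runs, window)
    stable = sorted(k for k, f in stab.items() if f >= min_fraction)
    return {
        "total_distinct": len(stab),
        "stable": stable,
        "cost_all": validation_cost(len(stab), hours_each, annual_salary),
        "cost_stable": validation_cost(len(stable), hours_each, annual_salary),
    }

if __name__ == "__main__":
    print(f"agreement across reruns: {mean_agreement(RUNS):.2f}")
    print(triage_plan(RUNS, min_fraction=2 / 3, hours_each=0.5, annual_salary=150_000))
```

With the article's own figures, `validation_cost(3560, 0.5, 150_000)` lands near the $128,000 quoted above, and the rerun-stability filter is one way to decide which of those findings earn a human's half hour first.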