DREA: Decoupled Reasoning and Exploration Agents for Repository-Level Vulnerability Detection
Jul 16, 2026
DREA is a hypothesis-driven framework for repository-level vulnerability detection that separates reasoning from exploration using two collaborating agents: a planning agent (advanced LLM) that forms vulnerability hypotheses and an explorer agent (lightweight model) that retrieves relevant repository context. This approach improves Pair-Correctness from 19-26% to 30-42% and reduces API costs by 16-48 times by offloading over 93% of tokens to the local model. The paper also introduces RepoPairBench, a new benchmark, and finds that 26-55% of true positives have flawed rationales, highlighting reasoning quality as a bottleneck.
Why it matters: This work significantly advances LLM-based vulnerability detection by enabling adaptive, cost-efficient exploration of repository-level dependencies and identifying reasoning quality as a key challenge.
Full story at: arXiv Cryptography and Security ↗