Arm just handed you the security reviewer it uses on its own code. Metis — named for the Greek goddess of wisdom — is an open-source, agentic AI framework for deep security code review, released under an Apache 2.0 license by Arm's Product Security Team. If you ship software and have no security team, this is one of the more interesting things to land on GitHub this year. It's also not magic, and the fine print matters.

What it actually is#

Traditional static analysis (SAST) works like a very literal grep: it matches code against a fixed library of rules and patterns. That's why your last scanner run buried three real bugs under two hundred "issues" nobody had time to read.

Metis takes a different route. It's built on a retrieval-augmented generation (RAG) architecture: it constructs a project-specific knowledge base from your source code, build files and documentation, then uses an LLM to reason about the code in context rather than pattern-match it. Because it treats the project as a system, it can follow a vulnerability across functions, components and workflows — the cross-component bugs pattern matchers structurally can't see. It explains each finding in plain language instead of spitting out a rule ID.

You point it at a whole repository, a directory, a single file, or a diff. Per the README, the review commands are review_code for a full codebase, review_dir, review_file <path>, and review_patch <patch.diff> for a pull-request diff.

The numbers, and who's saying them#

Here's where to stay skeptical. Arm reports that Metis delivers up to 10x higher true-positive rates and roughly 50% fewer false positives than leading static analysis tools, and says it's already running across more than 130 software projects internally, with Arm-wide adoption planned for late 2026.

Those are Arm's own figures, on Arm's own codebases, measured against unnamed "leading" tools. Read them as a vendor's directional claim, not an independent benchmark. "Up to 10x" is doing a lot of work in that sentence — and the repository itself states no benchmark numbers at all. The performance claims live in the announcement, not the code.

Every vendor security number is a marketing number until someone outside the building reproduces it. Run it on your own code and count for yourself.

The non-obvious part: it triages its own findings#

The detail worth your attention is that Metis doesn't hand you the LLM's raw first pass. The framework ships a separate triage <findings.sarif> command that takes the findings and works them over before they reach your queue.

That triage step is the honest tell about the whole category. You only build a second stage to sort real findings from noise if you know the first stage hallucinates. It does. So treat Metis output as a prioritized list of leads — a sharp junior reviewer pointing and saying "look here" — never as a verdict you ship on. (The same "verify before you trust it" rule governs the LLM red-teaming tools like garak, PyRIT, and promptfoo you'd point at the model itself.) The lower false-positive rate isn't the model getting things right the first time; it's the model's guesses getting filtered before you see them.

How to try it#

Setup is standard Python tooling. Per the README, you need Python 3.12+ and uv:

git clone https://github.com/arm/metis.git
cd metis
uv venv
uv pip install .          # or '.[all-providers]' for every model backend
export OPENAI_API_KEY="your-key-here"

Then run the review commands against whatever scope you want:

review_code                    # scan the whole codebase
review_file path/to/file       # scan one file
review_patch changes.diff      # scan a PR diff
triage findings.sarif          # sort the findings it produced

Crucially, Metis works with any OpenAI-compatible model — a cloud API or a local runner via your own endpoint. If sending proprietary source to a third-party API is a non-starter, pointing it at a local model keeps everything on your hardware.

The cost nobody puts on the badge#

"Open-source" here means the framework is free. The reasoning isn't. Metis calls an LLM you supply, and a full-repo review means tokenizing and reasoning over your entire codebase — potentially many times as the agent works. On a large monorepo with a frontier API model, that's a real bill, and it scales with your code, not your team size. This is the trade solopreneurs miss: you've swapped a SAST license fee for a metered inference cost. Budget it. Or point it at a local model and pay in GPU time and slower runs instead.

What it means for you#

If you're a founder or CTO shipping code with nobody whose actual job is security, Metis is worth an afternoon. The pragmatic move: wire review_patch into your PR flow so every change gets a contextual second read, rather than running full-repo scans that burn tokens and attention. Keep a human in the loop on anything it flags as serious. Don't quote the 10x number to your board — quote what it finds in your repo after you've verified it.

It won't replace a security hire. It might do a passable impression of the one you can't afford yet — as long as you remember it's an intern with a confident voice, not an auditor with a signature.