AI Learns the Language of Code to Outsmart Cyber Threats
A software vulnerability checker with the potential to become a repair shop could keep critical computer systems one step ahead.
High-profile cyberattacks, such as the one that compromised British retailer Marks & Spencer’s customer data in April 2025, highlight the need for better ways to detect software vulnerabilities in the computer systems that increasingly control everything, from oil pipelines to hospital records.
To help, an international research team including Khalifa University’s Merouane Debbah has developed SecureQwen, a smart software checker that automatically detects and flags vulnerabilities for repair. Powered by an AI model trained in the language of computer code, SecureQwen could even identify weaknesses that it had not explicitly been taught or encountered before.
“The scale of the problem is overwhelming the conventional approach of detecting vulnerabilities by using human experts to find flaws in the code,” says computer scientist Debbah, director of the 6G Research Center at Khalifa University that focuses on sixth generation wireless technologies.
Previous AI-powered software checkers only detected security flaws that they had explicitly been trained to recognize, leaving them one step behind in the cybersecurity arms race. To overcome that limitation, the Debbah team investigated large language models (LLMs) that are trained on vast amounts of text to power tools such as ChatGPT.
“One big advantage of LLMs is their capacity for generalization,” Debbah says. When faced with situations that they have never met before, LLMs can extrapolate from their training to successfully respond.
First, the team fine-tuned an LLM called Qwen, which is like ChatGPT but ‘speaks’ English, Mandarin, and a computer language called Python. “Python has become the most common computer language because it is tailored to machine learning applications, which all software developers are now incorporating,” Debbah says. Programmers also share large amounts of Python code in open-access repositories, including to flag code that contains known vulnerabilities.
Drawing on these Python repositories, the team curated a collection of known vulnerabilities and then fine-tuned the Qwen LLM on this dataset. The resulting AI software vulnerability detection model, SecureQwen, could find vulnerabilities in Python code with 95% accuracy, according to Debbah. Beyond detection, the tool also categorizes each vulnerability, enabling coders to find and patch the most critical security risks. “SecureQwen works as an efficient software audit tool,” Debbah says.
The team is aiming to develop the software into an autonomous cybersecurity reasoning system (CRS) that not only detects vulnerabilities but automatically repairs them. “CRS is the big target for the entire cybersecurity community, and that’s the next step for us,” Debbah says.
Reference
Mechri, A., Ferrag, M. A., Debbah, M. SecureQwen: Leveraging LLMs for vulnerability detection in python codebases. Comput. Secur. 148, 104151, 2025.