Cursor Security Review is now in beta on Teams and Enterprise plans. You can run two types of always-on security agents: Security Reviewer and Vulnerability Scanner.

#Security Reviewer

Security Reviewer checks every PR for security vulnerabilities, auth regressions, privacy and data-handling risks, agent tool auto-approvals, and prompt injection attacks. It will leave inline comments at the exact diff location with severity and remediation.

#Vulnerability Scanner

Vulnerability Scanner runs scheduled scans of your codebase to check for known vulnerabilities, outdated dependencies, and configuration issues. You can configure it to send updates of its findings in Slack.

---

Customize Cursor-managed security agents by adjusting triggers, adding your own instructions, giving them custom tooling, and choosing how outputs are shared. For example, you can plug in MCP servers for your existing SAST, SCA, and secrets scanners for Cursor to use as part of the review.

We're also continuously improving the runtime, harness, and models powering Cursor Security Review for a strong out-of-the-box experience.

Security agents draw from your existing usage pool. Admins can enable Security Review in the Cursor dashboard to get started.