Deep Scan
Deep Scan removes every per-scan cap — file count, candidate count, LLM calls, graph depth, time — for Enterprise customers running on their own infrastructure.
Deep Scan is the Enterprise scan mode. It runs the same pipeline as a SaaS full scan but lifts every per-scan budget that exists to protect SaaS infrastructure from runaway cost. If you have the compute, Secbez will use it — and produce the most complete result the deterministic engine and the invariant agents can produce.
What Deep Scan removes
| Budget | SaaS default | Deep Scan |
|---|---|---|
| File budget | Capped per plan | Unlimited (limited only by parser throughput) |
| Per-file byte budget | 1 MB | Configurable; default 16 MB, can be unbounded |
| Candidate budget | Capped per scan | Unlimited |
| LLM-call budget | Capped per scan | Configurable, including unbounded |
| Per-agent context budget | Capped to fit hosted models | Configurable per agent |
| Graph node ceiling | 250k nodes | Unlimited (subject to your hardware) |
| Graph BFS depth | Default 4 hops | Configurable per detector / per agent |
| Time budget | Bounded for fairness | Unlimited |
| Per-detector time budget | Bounded | Configurable; can be disabled |
| Concurrent scans per worker | 1 | Configurable |
The deterministic core (idempotency, secret redaction, evidence-first finding origin) is unchanged. Deep Scan does not bypass safety invariants — it only removes resource caps.
What Deep Scan changes for the result
- No truncation banner. SaaS scans surface a "truncated due to budget" reason when a budget hits. Deep Scan can run to completion.
- Full candidate evaluation. Every candidate emitted by every detector is evaluated by the relevant invariant agent. Nothing is dropped because it didn't fit.
- Deeper graph traversal. Cross-file evidence is gathered to whatever depth the agent requests. Caller chains are not capped at 4 hops.
- More expensive agent runs. Agents can request additional context for inconclusive candidates rather than emitting an inconclusive verdict because they ran out of context budget.
- Stable rule output. Rule IDs, finding fingerprints, severities, and confidence levels are identical to SaaS — so baselines, suppressions, and history move 1:1 between modes.
When to use Deep Scan
- Initial baseline scan on a large monorepo where SaaS would truncate.
- Pre-release or pre-audit security passes where you want every candidate evaluated.
- Periodic deep audits scheduled outside business hours.
- Regulated environments where the scan must be exhaustive for compliance.
For routine work, the standard full scan is usually the right default — it doesn't need Deep Scan's resource profile. Most teams run Deep Scan weekly or monthly on the default branch and rely on the standard full scan otherwise.
Running Deep Scan
Deep Scan is a per-scan mode. You can trigger it from the dashboard, the API, or the CLI; operators can also configure deployment-level defaults so that, for example, every scheduled full scan runs in Deep Scan. The exact API and CLI surface is part of the deployment bundle's connection guide.
Cost and capacity planning
Deep Scan has no built-in caps, but it is not free — it consumes whatever GPU, CPU, and LLM-call capacity you've allocated to the deployment. For large monorepos, plan for:
- Graph indexing — peak graph-engine memory scales with repository size. Allocate accordingly; the engine target is one snapshot per scan with strict cleanup of stale ones.
- LLM calls — analysis may issue an order of magnitude more calls than a SaaS scan when caps are lifted. If you are running on a hosted provider, pre-purchase capacity or rate-limit at the routing layer.
- GPU throughput — when running open-source models locally, latency-per-call dominates. The pipeline is concurrent; sizing the GPU pool is the main lever for throughput.
See BYO GPU for capacity sizing examples.
Failure semantics
Deep Scan uses the same failure handling as the rest of the pipeline:
- A failing detector or agent produces a `completed_with_errors` run, never a silent drop.
- LLM outages degrade to deterministic fallback explanations; gating decisions are unaffected.
- Cancellation is supported; partial results are persisted and clearly labeled.
The promise of Deep Scan is "no caps," not "no failures." When something fails, you find out about it, with evidence.
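The result semantics above (truncation reason when a budget hits, fingerprints that are identical between modes, `completed_with_errors` instead of a silent drop) as an added illustration; this is a hypothetical model, not Secbez code, and every name in it (`Candidate`, `run_scan`, the two detectors) is an assumption. `candidate_budget=None` stands in for Deep Scan, an integer for a SaaS cap.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional

@dataclass(frozen=True)
class Candidate:
    rule_id: str
    path: str
    line: int

def fingerprint(c: Candidate) -> str:
    # Depends only on the finding, never on the scan mode or budget, so a
    # baseline or suppression made under SaaS matches the same finding under Deep Scan.
    return sha256(f"{c.rule_id}|{c.path}|{c.line}".encode()).hexdigest()[:16]

@dataclass
class ScanResult:
    status: str = "completed"
    findings: list = field(default_factory=list)
    truncation_reason: Optional[str] = None
    errors: list = field(default_factory=list)

def run_scan(detectors, candidate_budget: Optional[int] = None) -> ScanResult:
    """candidate_budget=None models Deep Scan (no cap); an int models a SaaS cap."""
    result, evaluated = ScanResult(), 0
    for name, detector in detectors:
        try:
            candidates = detector()
        except Exception as exc:
            # A failing detector is recorded in the run, never silently dropped.
            result.errors.append(f"{name}: {exc}")
            continue
        for c in candidates:
            if candidate_budget is not None and evaluated >= candidate_budget:
                result.truncation_reason = "truncated due to budget (candidate budget)"
                break
            evaluated += 1
            result.findings.append(fingerprint(c))
    if result.errors:
        result.status = "completed_with_errors"
    return result

# Constructed detectors (hypothetical): one emits five candidates, one crashes.
def secrets_detector():
    return [Candidate("SEC001", "src/app.py", n) for n in (10, 20, 30, 40, 50)]

def taint_detector():
    raise RuntimeError("parser crashed")  # constructed failure

DETECTORS = [("secrets", secrets_detector), ("taint", taint_detector)]
```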