Google published Mantis on GitHub, a stack-agnostic toolkit of fifteen linked Skills that let coding agents such as the Gemini CLI or Antigravity CLI autonomously find, reproduce, and patch software vulnerabilities. The release matters because it packages a research-grade security workflow into something any engineering team can install and point at its own repository, at a moment when open-source maintainers already field a steady stream of low-quality, AI-generated vulnerability reports. Google frames the project as a starting point. The documentation calls it a flexible base built for adaptation, not a fixed set of steps to follow line by line.

One supervising agent, called mantis_meta_agent, runs the other fourteen stages in sequence and archives results between loops. Early stages build a persistent knowledge base of the codebase and a living threat model. A planning stage then targets specific files before a researcher agent sweeps them for flaws. Later stages merge duplicate findings, filter out false positives, confirm that a crash actually reproduces in a release build, and only then attempt a working exploit inside an isolated container. A final risk score, rated one to ten, attaches to every surviving finding before a reflection stage logs lessons for the next run.

The toolkit is not limited to conventional application code. Google’s documentation lists several other domains it can be retargeted to:

Google also recommends mixing model tiers instead of running every stage on the priciest frontier model. Cheap, fast models handle triage and deduplication, tasks that reward speed over depth. The stages that write working exploit code and patch it get the flagship models, since those steps need real reasoning. That tiering advice reads like a footnote in the announcement, but it is the difference between a scan that finishes overnight and one that never does.

Google has already shown that a single agent can find a real bug in shipped software: its own Big Sleep project, run jointly by DeepMind and Project Zero, caught a memory-safety flaw in SQLite before it reached a stable release. Mantis turns that one demonstration into a repeatable pipeline anyone can install. A tightly supervised research team finding one strong bug in code it already knows well is a different exercise than fourteen automated stages run against an unfamiliar repository with no expert watching. That gap is exactly why the project’s own documentation insists a person still has to check every result.

That insistence is the most important detail in the release. Google says outright that these agents remain non-deterministic and can invent a vulnerability that was never there, or misjudge whether a patch actually closes the hole. It also cautions teams against flooding open-source projects with AI-produced bug submissions that no human has confirmed. Running the reproduction and patching stages requires sandboxing, ideally with gVisor and networking switched off, and Google warns against running the suite anywhere near production systems.

Security and platform teams evaluating agentic scanning tools should treat those two guardrails, mandatory human review and hard sandbox isolation, as the default setup rather than settings to loosen for speed. A team that skips them and pipes Mantis output straight into a public bug bounty program is choosing to recreate the exact reporting mess the toolkit’s own warnings were written to prevent.

Google published the Mantis Skills toolkit in the google/mantis repository on GitHub on July 14, 2026.