Cursor Security Review (April 30, 2026): Always-on PR Security Reviewer + Scheduled Vulnerability Scanner
Cursor Security Review entered beta on April 30, 2026 for Teams and Enterprise plans, adding always-on security agents: a PR Security Reviewer that leaves inline findings and a scheduled Vulnerability Scanner that can send Slack updates.
Editorial Team
Cursor added Cursor Security Review as a beta feature for Teams and Enterprise plans, with two always-on security agents: a PR-focused Security Reviewer and a scheduled Vulnerability Scanner. The feature is designed to make security feedback feel native to the same workflow where teams already review and ship code.
TL;DR
- Beta on Teams + Enterprise.
- Security Reviewer: checks every PR and leaves inline security findings.
- Vulnerability Scanner: runs scheduled scans and can send updates to Slack.
- Customizable triggers and instructions, plus support for plugging in existing security tooling via MCP.
What Cursor Shipped
1) Security Reviewer (PR-by-PR)
Cursor says the Security Reviewer runs against every pull request and flags:
- Security vulnerabilities
- Auth regressions
- Privacy and data-handling risks
- Agent tool auto-approvals
- Prompt injection attacks
It leaves inline comments at the relevant diff location, including severity and suggested remediation.
2) Vulnerability Scanner (Scheduled)
Cursor’s Vulnerability Scanner runs scheduled scans across your codebase to look for:
- Known vulnerabilities
- Outdated dependencies
- Configuration issues
Cursor says you can configure it to send updates on findings to Slack.
Customization and “Bring Your Own Tools” via MCP
Cursor positions Security Review as customizable: teams can adjust triggers, add their own instructions, choose how outputs are shared, and connect custom tooling.
A notable detail: Cursor explicitly calls out plugging in MCP servers for existing security tools (for example, SAST/SCA/secrets scanners), so the Cursor-managed agents can incorporate outputs from the tools you already trust.
Availability Notes (What You Need to Do)
According to Cursor:
- Security Review is in beta on Teams and Enterprise plans.
- An admin enables the feature in the Cursor dashboard.
- Security agents draw from your existing usage pool.
Practical Takeaway
If you already live in Cursor for day-to-day engineering work, Security Review is interesting because it tries to bring two common security loops into the same place:
- PR review feedback, without waiting for an external security review step.
- Scheduled scanning for the “slow drift” problems (dependencies and configuration issues).
The best initial trial is likely one repo with clear PR conventions and an existing scanner baseline, so you can compare what Cursor flags versus your current security tooling.
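One way to run that comparison, as an added example that is not Cursor's code or output format: the baseline is read from a SARIF 2.1.0 report (the common interchange format for SAST tools), and the reviewer findings are assumed to be transcribed by hand from inline PR comments into the record shape shown. All sample data, file paths and the `window` tolerance are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 fragment standing in for the existing scanner baseline.
BASELINE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-sast"}},
 "results": [
  {"ruleId": "sql-injection", "level": "error",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                        "region": {"startLine": 42}}}]},
  {"ruleId": "hardcoded-secret", "level": "warning",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                        "region": {"startLine": 7}}}]}]}]}
""")

# Constructed records transcribed from inline PR comments (assumed shape, not an export format).
REVIEWER_FINDINGS = [
    {"path": "app/db.py", "line": 44, "severity": "high", "title": "SQL built by string concatenation"},
    {"path": "app/auth.py", "line": 18, "severity": "high", "title": "Auth check removed from handler"},
]

def sarif_locations(sarif):
    """Flatten SARIF results into (path, line, ruleId) tuples."""
    out = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                if path and line:
                    out.append((path, line, res.get("ruleId", "unknown")))
    return out

def compare(baseline, reviewer, window=5):
    """Match findings in the same file within `window` lines; return three buckets."""
    overlap, reviewer_only, used = [], [], set()
    for f in reviewer:
        hit = next((i for i, (p, ln, _) in enumerate(baseline)
                    if i not in used and p == f["path"] and abs(ln - f["line"]) <= window), None)
        if hit is None:
            reviewer_only.append(f)   # candidate new coverage, or a false positive to triage
        else:
            used.add(hit)
            overlap.append((baseline[hit], f))
    baseline_only = [b for i, b in enumerate(baseline) if i not in used]  # reviewer missed these
    return overlap, baseline_only, reviewer_only

if __name__ == "__main__":
    print(compare(sarif_locations(BASELINE_SARIF), REVIEWER_FINDINGS))
```

The baseline-only bucket is the one to watch during a trial: it lists issues the existing scanner reports that the PR reviewer did not comment on.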
Sources
- Cursor changelog — Cursor Security Review (April 30, 2026): https://cursor.com/changelog/04-30-26