5 Lessons Security Teams Can Learn from VAR during the World Cup

When video assistant referee (VAR) was introduced at the 2018 World Cup, it gave officials the chance to do something they had only ever dreamed of: call a near-perfect game. According to the Premier League website, VAR improved decision accuracy from 82% to 94%. Now, AI is poised to do the same for security teams focused on securing the Software Development Lifecycle (SDLC) and Agentic Development Lifecycle (ADLC).

For those who might not know: VAR doesn’t run the game. It reviews four specific situations (goals, penalty decisions, red cards, and mistaken identity), and only for clear errors. The on-field ref still makes the final call.

For the most part, Application Security is living in a pre-VAR era, making million-dollar decisions from a single angle or vantage point. The numbers don’t lie: according to The 2026 State of Product Security, 100% of organizations now have AI-generated code in their codebase, yet only 19% have full visibility into where and how it’s being used.

Just like with FIFA referees, the issue isn’t capability; it’s the context that they are given.

1. VAR Didn’t Replace the Referee. It Gave Them Context

Pre-VAR, referees made the call from a single, imperfect angle. The expertise was always there; the information wasn’t. FIFA ultimately decided that better information would lead to better decisions. They were right.

Security teams are in the same position: experienced, capable, but working from fragmented signals.

That’s the VAR moment for security: not more cameras, but all the angles connected. By correlating signals across tools, AI surfaces patterns no human could catch in real time, presenting context the way VAR presents replay footage.

Cycode’s Context Intelligence Graph approaches investigations the same way a senior Application Security engineer would reason through a finding. It runs across several dimensions at once:

  • When did things change?
  • What caused what?
  • What does this actually mean?
  • Who owns this?
  • What happened after the decision was made?

More angles, fewer blind spots.

2. Bad Calls Happen When Nobody Sets the Rules

VAR works because the rules of what it can and can’t review are agreed upfront. Four situations. Clear and obvious errors. The final call stays with the on-field referee. Without that framework, VAR would be chaos.

Traditional Application Security is running the opposite playbook. 52% of organizations still have no centralized governance for AI adoption. Agents are writing code, opening pull requests, and shipping to production before anyone has agreed what they’re allowed to do, who reviews their work, or what counts as ‘offside’.

As Daniel Hammon, Director, Information Security and Compliance at Signifyd, shared in the Product Security All-Stars report, “AI can…support security in ways we’ve never had before” but human oversight and clarity remain essential.

Humans set the boundaries of what VAR can and cannot do. It can’t make a call independent of the referee. When VAR challenges a decision, the ref can approve it, deny it, or review it. The same goes for security: if the agents in your ADLC aren’t governed before they start generating code, no amount of context will help.

3. You Can’t Make the Call if You Can’t See the Whole Pitch

VAR is only useful if every camera angle is connected to it. Miss one, and the call is wrong. The same goes for SDLC & ADLC security.

Take a tool like a Claude Code security scanner running in isolation. It’s the equivalent of a referee with one camera angle. It sees what it sees. But it has no way of knowing what happened two plays earlier, who was involved, or whether the offside call changes anything.

But combine that scanner with Cycode’s full platform and you have VAR for security: the Context Intelligence Graph (CIG). Code, pipelines, cloud, and runtime are all connected, giving security teams a view across the entire pitch.

As noted in the Shift to AI Manifesto, the traditional linear SDLC model has fundamentally changed. The old assumption that you only needed to watch one part of the pitch no longer applies, as AI agents now operate across all areas.

4. A Replay Isn’t a Verdict. You Must Act

VAR can surface the angle. It can show the foul. But the goal doesn’t count until the referee makes the call. Seeing the problem isn’t the same as solving it.

Legacy security tools stop at the replay. They surface alerts and wait for someone to act. But the tools that will help security teams win in 2026 and beyond act autonomously, investigating, prioritizing, and remediating without waiting to be told.

Maestro, Cycode’s agentic orchestration engine, doesn’t wait for instructions. It investigates, prioritizes, and acts across your SDLC & ADLC, operationalizing response at the speed of the AI that’s attacking it.

Maestro lets teams orchestrate multi-agent responses and run complex queries in natural language. Spotting the offside or foul becomes something the whole team can do.

5. Having VAR Means Nothing if You Don’t Use It

VAR was built to be the near-superhuman second opinion, removing human error from the moments that matter most. The full picture, every angle, available on demand. And yet, referees sometimes still choose not to consult it, reading the game on instinct and trusting the angle they had. That’s when the consequences hit: immediate, measurable, and replayed on every screen for years.

Security teams make the same mistake. A single scanner flags something, the engineer makes a judgment call, and the broader picture never gets consulted. The technology is there. The context is there. But the behavior hasn’t caught up.

That’s the risk of relying on isolated tools: they don’t know what they don’t know.

And that gap has a price. Boards are asking. CFOs are asking. The teams that change their behavior, lean on the full platform, and can quantify what that shift is saving them are the ones who get to keep building.

Don’t Lose by an Illegal Goal

VAR didn’t change football (er, soccer…) by adding more technology. It changed football by adding context at the moments that mattered most, and trusting the referee on the pitch to act on it. AI is doing the same for security. Your opponents, the cyber attackers, are already playing at AI speed. The defensive units who win will be the ones who get the call right, early. And with full context.

Winning the World Cup takes a complete team. Winning at security takes the same: control of the rules, context across the pitch, and the autonomy to remove human error and take the right action faster.