Technical ArchitectureFebruary 3, 2026·11 min read

Real-Time WIP Monitoring: The Missing Layer in DevSecOps

Security teams see two extremes: source code in Git, and running code in production. Everything in between is a black box. Here's why real-time work-in-progress monitoring is the critical missing layer in DevSecOps.

The Hook: A Black Box in Your Pipeline

Picture the modern DevSecOps pipeline: Pre-commit hooks catch formatting errors. Your CI/CD runs SAST and SCA scans on every commit. Security gates block vulnerable code from reaching production. Runtime monitoring tracks behavior in prod.

But there's a massive blind spot between commit and runtime: the work-in-progress (WIP) phase — where developers spend 80% of their time writing, rewriting, and iterating on code before it ever hits Git.

Security teams see two extremes:

  • Source code in Git — static snapshots after developers commit
  • Running code in production — live behavior via APMs and SIEMs
  • Everything in between is invisible — the WIP phase is a black box

This gap has always existed. But with AI code generation exploding (GitHub Copilot, Claude Code, Cursor), the volume and velocity of WIP code has increased 10x. Developers now write thousands of lines per day — most of it AI-generated, unreviewed, and unseen by security teams until commit time.

The Traditional DevSecOps Pipeline

Let's map the standard DevSecOps flow and identify where security scanning happens:

1

Pre-Commit Hooks

Tools like Husky run linters (ESLint, Prettier) and formatters locally before code reaches Git. Fast, cheap, but limited to style and syntax.

LintingFormattingNo security scanning
2

Git Commit → CI/CD Scans

Developer commits code to feature branch. CI/CD pipeline triggers SAST (Snyk, Semgrep), SCA (dependency scanning), and secret detection (GitGuardian).

SASTSCASecrets Scanning
3

Pull Request Review

Human reviewers (and AI tools like CodeRabbit) check for logic errors, architectural issues, and compliance with coding standards.

Human reviewAI code review
4

Merge → Deploy → Runtime Monitoring

Code passes review and merges to main. CD pipeline deploys to staging/prod. Runtime monitoring (Datadog, Sentry) tracks live behavior, errors, and performance.

APMError trackingSIEM
?

The Gap: Work-in-Progress Never Gets Scanned

Developers work for hours or days before committing. During this time, code is written, AI generates completions, patterns are copy-pasted, and vulnerabilities are introduced. None of this is visible to security teams.

No scanningNo visibilityNo feedback

The "Dark Space" of WIP

The WIP phase is where most code is born — and where most vulnerabilities are introduced. Let's quantify the problem:

80%

Developer Time Spent in WIP

Developers write, rewrite, test, and iterate for hours before committing. This is where AI assistants generate thousands of lines of code.

48%

AI-Generated Code is Insecure

According to Snyk research, nearly half of AI-generated code contains vulnerabilities. But these issues only surface at commit time.

10x

Increase in Code Volume

AI assistants enable developers to write 10x more code per day. More code = more attack surface, but scanning frequency hasn't changed.

0

Security Scans During WIP

Traditional tools scan at commit time or in CI/CD. The WIP phase — where vulnerabilities are introduced — goes completely unmonitored.

What Happens in the Dark Space

  • Bad patterns get written and re-written — developers iterate on insecure code for hours before committing
  • AI generates insecure completions — Copilot suggests eval(), hardcoded secrets, SQL injection patterns
  • Copy-paste spreads vulnerabilities — developers reuse insecure code across multiple files before detection
  • Technical debt compounds — by commit time, refactoring is expensive and resistance is high

Why WIP Monitoring Matters

Catching issues during the WIP phase — before commit — offers three critical advantages:

1.Catch Issues Earlier (When They're Easier to Fix)

A vulnerability detected during WIP takes 2 minutes to fix — the developer is in-context, the code is fresh, and refactoring is trivial.

The same issue discovered in CI/CD or code review requires 20+ minutes — context switching, re-reading code, running tests, updating the PR.

2.Provide Real-Time Feedback (Developer Still in Context)

Imagine a developer writes a SQL query with injection risk. With WIP monitoring, they get an inline warning in the IDE within seconds — while they're still thinking about the query logic.

Without WIP monitoring, the issue is flagged 30 minutes later in CI/CD. The developer has moved on to another task. Context is lost. Frustration builds.

3.Prevent Bad Patterns from Spreading

Developers copy-paste code constantly. A single insecure pattern can propagate across 5-10 files in minutes.

WIP monitoring detects the pattern at first creation — before it spreads. This prevents cascade failures where one bad line becomes 50 bad lines by commit time.

4.Educate Developers at the Point of Creation

Real-time feedback is a teaching tool. When a developer sees "This hardcoded API key is a security risk" as they type it, they learn to avoid the pattern.

When feedback comes hours later in CI/CD, it's punitive — not educational. The developer has already moved on.

How Real-Time WIP Monitoring Works

WIP monitoring requires a fundamentally different architecture than traditional SAST tools. Here's how it works:

1

Desktop Agent Monitors IDE Events

A lightweight agent runs on the developer's machine, listening for file saves, AI code completions, and refactoring actions. It captures diffs (not full files) to minimize data transfer.

// Example: IDE event captured by agent
{
  "event": "file_save",
  "file": "src/api/users.ts",
  "diff": "+  const query = `SELECT * FROM users WHERE id=${userId}`;",
  "timestamp": "2026-02-03T14:32:15Z",
  "ai_generated": false
}
2

Lightweight Local Analysis

The agent runs fast, rule-based checks locally: regex for hardcoded secrets, basic SAST patterns (SQL injection, XSS), and context alignment with Linear/Jira tickets.

  • Secret patterns: AKIA[A-Z0-9]{16} (AWS keys), sk-[a-zA-Z0-9]{48} (OpenAI keys)
  • SQL injection: String concatenation in SQL queries
  • Context alignment: Does code mention ticket ID from Linear/Jira?
3

Agent Sends Findings to Cloud for Deep Analysis

If local checks flag potential issues, the agent sends metadata + diffs (not full codebase) to the cloud platform for deeper analysis: LLM-powered context reasoning, cross-file pattern detection, and roadmap alignment checks.

// Cloud analysis request
{
  "project_id": "proj_xyz123",
  "file": "src/api/users.ts",
  "diff": "+  const query = `SELECT * FROM users WHERE id=${userId}`;",
  "local_findings": ["sql_injection_risk"],
  "context": {
    "ticket": "LIN-4892",
    "ticket_title": "Add user profile endpoint",
    "recent_commits": ["feat: add user auth", "fix: validate JWT"]
  }
}
4

Dashboard Shows Real-Time "WIP Momentum" Score

Security and engineering leads see a live dashboard with WIP Momentum scores: a metric combining code quality, security posture, and roadmap alignment — updated in real-time as developers write code.

92
WIP Momentum
3
Active Issues
98%
Roadmap Aligned
5

Integration with Linear/Jira for Context-Aware Scanning

WIP monitoring pulls context from project management tools. If a developer is working on ticket "LIN-4892: Add user profile endpoint", the system verifies that code changes align with the ticket description. Off-roadmap code gets flagged.

Example: Context-Aware Alert

"You're working on LIN-4892: Add user profile endpoint. This code implements a password reset flow, which isn't mentioned in the ticket. Did scope change?"

Architecture Deep Dive

Building a real-time WIP monitoring system requires solving several hard technical problems:

Non-Intrusive: Doesn't Slow Down the IDE

The agent runs in the background with <10ms overhead per file save. It uses async event queues and batches analysis requests to avoid blocking the IDE.

  • File saves are queued, not processed synchronously
  • Heavy analysis (LLM calls) happens in the cloud, not locally
  • Agent only activates on user-triggered events (save, AI completion), not keystroke-level monitoring

Privacy-First: Only Sends Metadata + Diffs, Not Full Codebase

Security teams are paranoid about sending proprietary code to third-party services. WIP monitoring never sends full files — only diffs, metadata, and context.

  • Diffs are minimal: only changed lines, not entire files
  • Metadata includes file path, timestamp, event type — no business logic
  • Enterprise customers can run self-hosted agents with on-prem analysis

Offline Queue: Works Without Internet, Syncs Later

Developers work on planes, in coffee shops with bad Wi-Fi, and in air-gapped environments. The agent queues events locally and syncs when connectivity is restored.

  • Local SQLite database stores events during offline periods
  • When online, agent syncs queued events in batches (not one-by-one)
  • Local analysis (secrets, basic SAST) works fully offline

Multi-Language Support

WIP monitoring must support every language in the stack: JavaScript/TypeScript, Python, Go, Rust, Java, C#, Ruby, PHP, etc.

  • Tree-sitter parsers for language-agnostic AST analysis
  • Language-specific SAST rules (e.g., SQL injection patterns differ between Node.js and Django)
  • LLM-powered analysis is language-agnostic (Claude can reason about any code)

The Result: Shift-Left Taken to the Extreme

The DevSecOps mantra is "shift left" — move security earlier in the development lifecycle. But traditional shift-left stops at CI/CD or pre-commit hooks.

WIP monitoring takes shift-left to its logical extreme: before commit, during writing. This is the earliest possible intervention point — when developers are still thinking about the code, when fixing is trivial, when education is most effective.

Shift-Left Evolution

Traditional
Production → Staging → CI/CD
Modern Shift-Left
CI/CD → Pre-commit hooks
WIP Monitoring
Pre-commit → During writing (WIP)

Key Benefits of Extreme Shift-Left

  • 10x faster fixes — issues caught in WIP take 2 minutes to fix vs. 20+ minutes in CI/CD
  • Zero context switching — developers fix issues immediately, without breaking flow
  • Prevent issue propagation — bad patterns are stopped before they spread across files
  • Educational, not punitive — real-time feedback teaches developers secure coding patterns
  • Roadmap alignment built-in — code is verified against business goals as it's written

How Cortex Implements WIP Monitoring

Cortex is purpose-built for real-time WIP monitoring. Here's how we implement the architecture:

Desktop Agent (Open Source)

Our lightweight agent integrates with VS Code, JetBrains IDEs, and Vim. It monitors file saves, AI code completions, and refactoring actions. The agent is open source so security teams can audit the code.

Multi-Layered Analysis

We run three layers of analysis:

  • 1.Local rules — regex for secrets, basic SAST patterns (runs offline, sub-10ms)
  • 2.Cloud SAST — Semgrep rules, tree-sitter AST analysis (runs in cloud, 1-2 seconds)
  • 3.LLM reasoning — Claude Opus analyzes context, roadmap alignment, architectural risks (2-5 seconds)

Project Management Integration

Cortex connects to Linear, Jira, and GitHub Issues to pull context about active tickets. We verify that code changes align with ticket descriptions — and flag off-roadmap work.

Real-Time Dashboard with WIP Momentum

Engineering and security leads see live WIP Momentum scores: a composite metric combining code quality (SAST findings), security posture (vulnerabilities detected), and roadmap alignment (context match with tickets).

Privacy-First Architecture

We only send diffs and metadata to the cloud. Full codebases stay on developer machines. Enterprise customers can deploy self-hosted agents with on-prem analysis for air-gapped environments.

See WIP Monitoring in Action

Watch a 2-minute demo of Cortex catching a SQL injection vulnerability in real-time — before the developer even commits. Then see how roadmap alignment works with Linear integration.

Watch Demo

Conclusion: Closing the WIP Gap

DevSecOps has evolved dramatically over the past decade. We moved from manual penetration testing to automated SAST in CI/CD to pre-commit hooks. But one gap remains: the WIP phase.

With AI code generation exploding — 73% of developers now use tools like Copilot — the volume of WIP code has increased 10x. Security teams can no longer afford to wait until commit time to scan.

Real-time WIP monitoring is the missing layer — the final frontier of shift-left. It catches issues when they're easiest to fix, provides feedback when developers are still in context, and prevents bad patterns from spreading.

The architecture is challenging — non-intrusive agents, privacy-first data handling, offline support, multi-language analysis — but the payoff is massive: 10x faster fixes, zero context switching, and built-in developer education.

The Future is Real-Time

As AI continues to accelerate development velocity, security must evolve from reactive scanning (post-commit) to proactive monitoring (during-writing). The winners will be platforms that bridge the gap between code-time and runtime — and that starts with WIP.

That's the gap Cortex is built to close.

Related Reading

→ Prompt Injection in Code Generation: The Security Threat Nobody's Talking About→ From Copilot to Governance: Why AI Coding Tools Need Guardrails

Ready to monitor your WIP?

Join the waitlist for early access to Cortex. Free tier includes 1 project, real-time WIP monitoring, and Linear/Jira integration — no credit card required.

Join Waitlist