Amp does something no other coding agent does
Amp is the only major AI coding agent that automatically redacts your secrets before they reach an AI model.
Type your AWS access key into a file. Amp catches it. Paste a Stripe secret key. Amp replaces it with [REDACTED:stripe-api-key] before the model ever sees it. GitHub tokens, SendGrid keys, database passwords. All caught at the system level, before transmission.
No other coding agent does this by default. Not Claude Code. Not Cursor. Not Windsurf, Cline, or Aider. Secret redaction is left entirely to the developer. Amp made it automatic.
That alone makes it worth a serious look. But the security story is more complicated than one feature.
What Amp is
Amp is a coding agent built by Sourcegraph, the company behind the popular code search and intelligence platform. It launched publicly in May 2025 and has since taken one of the most opinionated positions in the AI coding space.
The core idea: instead of letting you pick a model, Amp picks the best model for each task automatically.
| Task              | Model             | Why                                 |
| ----------------- | ----------------- | ----------------------------------- |
| Primary coding    | Claude Opus 4.6   | Most capable general agent          |
| Fast tasks        | Claude Haiku 4.5  | Speed over depth                    |
| Deep reasoning    | GPT-5.4           | Extended thinking for hard problems |
| Code review       | Gemini 3.1 Pro    | Dedicated bug-finding model         |
| Codebase search   | Gemini 3 Flash    | Fast retrieval across your repo     |
| External research | Claude Sonnet 4.6 | Large-scale code research           |
Six or more models working together, each optimized for its role. You cannot switch models manually. That is by design. Amp's position: building deeply into model capabilities yields better results than giving users a dropdown menu.
In February 2026, they published a blog post titled "The Coding Agent Is Dead" and doubled down on the CLI as the primary interface. The editor extension still exists, but Amp's future is clearly terminal-first. Bold move. It tells you everything about how this team operates.
What I noticed using it
I have been using Amp alongside Claude Code (my primary tool) and Cursor. A few things stood out immediately.
It absorbs your existing setup. I have MCP servers, agent skills, and custom configuration across my environment. Amp picked all of it up on first run. No reconfiguration, no migration. It just worked. That is rare.
It sees the whole codebase. Most coding agents get tunnel vision on the file you are editing. Amp's search subagent (Gemini 3 Flash) traverses the entire repo. Its Oracle subagent (GPT-5.4) handles complex reasoning about how pieces fit together. The result: it catches issues that live in the gaps between files, not just within them.
It found bugs I missed. I had a debugging session that had me stuck for most of a day. Amp solved it by seeing a dependency chain across three files that I was looking at individually. The dedicated Review mode (Gemini 3.1 Pro) also surfaces small issues before they become big problems. It finds things like inconsistent error handling or missing validation that you would catch in a careful code review but skip when moving fast.
The pricing is honest. Usage-based, no markup, credits at provider cost. I generally dislike usage-based pricing. I prefer knowing what I will spend each month. But Amp is worth it. A $10 daily free grant covers light use. Heavy sessions with Opus cost more but deliver proportionally.
The security wins
Amp has the strongest security posture of any AI coding agent I have tested. Here is what they get right.
Automatic secret redaction
This is the headline feature. Amp detects and redacts secrets at the lowest system level before they enter conversation threads, before they are transmitted to any AI provider, before they are stored anywhere.
Supported formats include AWS, Google Cloud, and Azure credentials. GitHub, GitLab, and npm tokens. Stripe and Slack keys. OpenAI and Anthropic API keys. Generic API keys and webhook secrets.
When Amp catches a secret, it replaces the value with a marker like [REDACTED:aws-access-key-id]. The AI model sees the marker, understands a credential belongs there, and can work around it without ever seeing the actual value.
The limitation: secret redaction is best-effort. Non-standard formats, custom internal credential systems, and encoded or obfuscated secrets may slip through. Do not treat this as a replacement for proper secrets management. Treat it as a safety net.
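The marker substitution and its best-effort limit, as an added example that is not Amp's code and not from the original article. The three regexes, the `github-token` rule name and all sample values are assumptions constructed for illustration.

```python
import base64
import re

# Detector patterns for a few well-known credential formats (assumed for this
# example; Amp's actual rule set is not shown on this page).
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("stripe-api-key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b")),
]


def redact(text):
    """Return (redacted_text, findings); findings lists each rule name hit."""
    findings = []
    for name, pattern in RULES:
        def _mark(match, name=name):
            findings.append(name)
            return f"[REDACTED:{name}]"
        text = pattern.sub(_mark, text)
    return text, findings


# Constructed sample input: none of these values is a live credential.
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"           # AWS's documented example key ID
STRIPE_KEY = "sk_live_" + "a1B2c3D4" * 3   # constructed, 24 characters after prefix
GITHUB_TOKEN = "ghp_" + "Z9" * 18          # constructed, 36 characters after prefix
ENCODED = base64.b64encode(STRIPE_KEY.encode()).decode()

SAMPLE = "\n".join([
    f"AWS_ACCESS_KEY_ID={AWS_KEY}",
    f'stripe.api_key = "{STRIPE_KEY}"',
    f"git remote add origin https://{GITHUB_TOKEN}@github.com/example/repo.git",
    f"STRIPE_B64={ENCODED}",               # same secret, base64-encoded
    "INTERNAL_TOKEN=corp:7f3a-9c21-prod",  # custom internal format, no rule
])

if __name__ == "__main__":
    redacted, hits = redact(SAMPLE)
    print(redacted)
    print("rules hit:", hits)
```

The first three lines come back with markers; the base64 line and the internal token pass through unchanged, which is the gap a format-based redactor leaves for secrets management to cover.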
Dedicated code review model
Amp's Review mode uses Gemini 3.1 Pro specifically for bug identification and code quality analysis. This is not the same model writing your code. It is a separate model trained and configured to find problems.
The Oracle subagent (GPT-5.4) adds a second layer. You can prompt it for security-focused review and it brings deep reasoning capabilities to the analysis. Two models looking at your code from different angles is better than one.
Certifications
SOC 2 Type II certified. ISO 27001 certified (Sourcegraph). GDPR and CCPA compliant. Annual penetration testing. Bug bounty program.
These certifications cover the platform, not the code it generates. But they mean Amp's own infrastructure has been independently audited, which is more than most coding agents can say.
Permission system
Granular tool-level permissions with pattern matching for allowed and blocked commands. Built-in defaults allow common development commands and block destructive ones. Enterprise adds MCP permission rules to allowlist or blocklist specific MCP servers organization-wide.
The security concerns
Here is where it gets complicated.
Your code touches seven AI providers
Amp sends code to Anthropic, OpenAI, xAI, Google Cloud Vertex AI, Amazon Bedrock, Fireworks, and Baseten. Seven different inference providers, all US-based.
Each provider has its own security practices, data handling policies, and potential attack surface. Enterprise customers get zero-data-retention for text inputs across all providers. Free and paid individual users do not.
For a solo developer building a side project, this is probably fine. For a team working on proprietary code or anything handling customer data, understand the chain. Your code snippets pass through up to seven third-party systems depending on which models Amp invokes for your task.
No prompt injection protection
Amp is explicit about this. From their security documentation: "We are NOT trying to protect against a malicious actor prompt-injecting something that causes the Bash tool to execute malicious code."
They also state: "Untrusted repositories, MCP servers, and other external inputs can influence what Amp does, including running commands on the built-in allow list."
This is honest. Most coding agents have the same vulnerability but do not acknowledge it. Amp gets credit for transparency. But the risk is real. If you clone an untrusted repo with a malicious AGENTS.md file, Amp could execute harmful commands with your system permissions.
For vibe coders who may not fully understand prompt injection, this is a meaningful risk. The tool trades safety for speed and autonomy.
No sandboxing
Commands execute directly on your machine with full user permissions. There is no container, no VM, no restricted execution environment. This is standard for CLI coding agents (Claude Code works the same way), but it means a single bad command can affect your entire system.
Shared threads by default
In workspace environments, conversation threads are visible to all members by default. This means code snippets, error messages, and debugging context are shared. If someone pastes a credential that slips past redaction, the whole team sees it.
Missing security tooling
No built-in SAST integration. No dependency vulnerability scanning. No supply chain verification for MCP servers or toolbox executables. The dedicated Review mode is good at catching code-level issues, but it does not replace security-specific tooling.
How Amp compares on security
| Feature                     | Amp                  | Claude Code          | Cursor     |
| --------------------------- | -------------------- | -------------------- | ---------- |
| Secret redaction            | Built-in, automatic  | None                 | None       |
| Dedicated review model      | Yes (Gemini 3.1 Pro) | No (same model)      | No         |
| SOC 2 Type II               | Yes                  | Yes (Anthropic)      | Yes        |
| Sandboxing                  | No                   | Yes (cloud sessions) | No         |
| Prompt injection protection | Explicitly none      | Limited              | Limited    |
| Data retention opt-out      | Enterprise only      | API-level            | Varies     |
| AI providers receiving code | 7+                   | 1 (Anthropic)        | 1 (varies) |
| MCP support                 | Full                 | Full                 | Partial    |
Amp wins on secret redaction and dedicated review. It loses on data exposure breadth (seven providers vs. one). The prompt injection honesty is a wash. Everyone is vulnerable. Amp is just the only one saying so out loud.
What to do if you use Amp
Keep using it. The multi-model approach and secret redaction are genuine advantages. But layer your security.
- Do not rely solely on secret redaction. Use `.env` files, keep secrets out of your codebase, and rotate anything that was ever committed to git history.
- Understand the permission model. Review what Amp auto-approves. Tighten the defaults if you work with sensitive code. Use `amp.permissions` to block commands you do not want an AI running.
- Be careful with untrusted repos. Amp will read AGENTS.md files and act on them. Do not clone and immediately run Amp on a repository you do not trust.
- Add your own security scanning. Amp does not run `npm audit`, Semgrep, or CodeQL. Set those up in your CI pipeline. Let Amp write code and let dedicated tools scan it.
- Consider Enterprise for proprietary work. The zero-data-retention across all seven providers is a meaningful upgrade if your code is sensitive.
- Review thread visibility. In team workspaces, check what is being shared. Threads are visible by default.
The bigger picture
Amp is the most security-conscious AI coding agent on the market. Automatic secret redaction, a dedicated review model, SOC 2 Type II certification, and transparent documentation about what it does and does not protect against.
It is also the coding agent that sends your code to the most third-party providers. That is the trade-off of multi-model orchestration. Better results, broader exposure.
For vibe coders, Amp is a strong choice. The built-in secret redaction alone prevents one of the most common mistakes we see in security reviews: API keys committed to source code. The dedicated Review mode catches code-quality issues that other agents miss entirely.
But "most secure coding agent" does not mean "secure enough on its own." You still need proper secrets management, CI-level security scanning, and human review for business logic, authorization, and the categories of vulnerability that no AI catches reliably.
Amp gives you a better starting point than any other coding agent. What you build on top of that starting point is still on you.
Frequently Asked Questions
Is Amp secure for coding with proprietary code?
Amp is SOC 2 Type II and ISO 27001 certified, which means the platform itself has been independently audited. However, your code touches up to seven different AI inference providers (Anthropic, OpenAI, xAI, Google, Amazon, Fireworks, Baseten). For proprietary work, consider Amp Enterprise, which includes zero-data-retention for text inputs across all providers. Free and paid individual plans do not include this guarantee.
Does Amp protect my API keys and secrets?
Yes. Amp is the only major coding agent with built-in automatic secret redaction. It detects AWS, GCP, Azure credentials, GitHub tokens, Stripe keys, and other common formats, replacing them with markers like [REDACTED:aws-access-key-id] before the AI model sees them. This is best-effort and may miss non-standard or obfuscated secrets, so you should still use proper secrets management practices.
How does Amp's multi-model approach work?
Amp automatically selects the best model for each task. Claude Opus 4.6 handles primary coding. GPT-5.4 handles deep reasoning and planning. Gemini 3.1 Pro runs dedicated code review. Gemini 3 Flash handles fast codebase search. You cannot switch models manually. Amp picks the right tool for each job, which is why it uses more AI providers than single-model agents.
Is Amp safe from prompt injection attacks?
No. Amp explicitly states in their security documentation that they do not protect against prompt injection via Bash. Untrusted repositories, MCP servers, and external inputs can influence what Amp executes. This is honest transparency, as most coding agents have the same vulnerability but do not acknowledge it. Be cautious when working with untrusted codebases.
How much does Amp cost?
Amp offers a $10 daily free grant. Paid usage is billed at provider cost with no markup. There is no monthly subscription option. Enterprise pricing is 50% above individual rates. There is a one-time $1,000 activation fee, which converts entirely to usage credits. Costs scale with model usage, with Opus 4.6 in Smart mode being the most expensive and Haiku in Rush mode being the cheapest.
Amp is a powerful tool with real security advantages. If you are building with it and want to know what gaps remain in your application's security, get in touch.