> A 0% false-positive rate is not necessary
To be clear, I'm not saying a 0% false-positive rate, because that will always be impossible with any LLM.
However, to greatly over-simplify what I already said ...
The presence of >0 false-positives means you still need someone who knows what they are doing behind the keyboard.
The presence of an LLM, no matter how good, will never remove the need for a human with domain expertise in security analysis.
You cannot blindly fix stuff just because the LLM says it needs fixing.
You cannot report stuff just because the LLM says it needs reporting.
There may well be scope for LLM-assisted workflows, but WHO is being assisted is a critical part of the equation.
That is the fundamental point I am making.