🤖 AI Summary
This work addresses the limitations of existing vulnerability detection methods, which struggle in repository-scale settings because they rely on local code views, single-pass prediction, and insufficient validation, and therefore fail to capture the complex interactions among code structure, contextual dependencies, and runtime conditions. To overcome these challenges, the authors propose VulnAgent-X, presented as the first approach to model vulnerability detection as a multi-stage, evidence-driven auditing process. VulnAgent-X employs hierarchical agent collaboration to provide lightweight risk triaging, bounded context expansion, specialised analysis, selective dynamic verification, and multi-source evidence fusion. Evaluated on both function-level and just-in-time detection benchmarks, the method significantly outperforms static analyzers, encoder-based models, and simplified agent-based baselines, achieving higher accuracy and interpretability while reducing false positives and balancing the trade-off between detection performance and computational cost.
📝 Abstract
Software vulnerability detection is critical in software engineering as security flaws arise from complex interactions across code structure, repository context, and runtime conditions. Existing methods are limited by local code views, one-shot prediction, and insufficient validation, reducing reliability in realistic repository-level settings. This study proposes VulnAgent-X, a layered agentic framework integrating lightweight risk screening, bounded context expansion, specialised analysis agents, selective dynamic verification, and evidence fusion into a unified pipeline. Experiments on function-level and just-in-time vulnerability benchmarks show VulnAgent-X outperforms static baselines, encoder-based models, and simpler agentic variants, with better localisation and balanced performance-cost trade-offs. Treating vulnerability detection as a staged, evidence-driven auditing process improves detection quality, reduces false positives, and produces interpretable results for repository-level software security analysis. Code is available at https://github.com/xiaolu-666113/Vlun-Agent-X.