Software vulnerability detection faces dual challenges: high false-positive rates in static analysis and low efficiency in formal verification. To address these, this work proposes SecureFalcon—a lightweight, domain-specific large language model (121M parameters)—the first to deeply adapt the pruned-and-fine-tuned Falcon architecture for CWE-level vulnerability classification. We construct FalconVulnDB, a multi-source, OWASP Top 25–comprehensive dataset, and introduce multi-stage data augmentation, joint binary/multi-class training, and CPU-optimized inference. Experiments show SecureFalcon achieves 94% binary-classification accuracy and 92% multi-class accuracy—matching formal verification in precision—while maintaining millisecond-scale inference latency. It significantly outperforms BERT, CodeBERT, and mainstream static analyzers, and supports real-time integration into code-completion frameworks.

Software vulnerabilities can cause numerous problems, including crashes, data loss, and security breaches. These issues greatly compromise quality and can negatively impact the market adoption of software applications and systems. Traditional bug-fixing methods, such as static analysis, often produce false positives. While bounded model checking, a form of Formal Verification (FV), can provide more accurate outcomes compared to static analyzers, it demands substantial resources and significantly hinders developer productivity. Can Machine Learning (ML) achieve accuracy comparable to FV methods and be used in popular instant code completion frameworks in near real-time? In this paper, we introduce SecureFalcon, an innovative model architecture with only 121 million parameters derived from the Falcon-40B model and explicitly tailored for classifying software vulnerabilities. To achieve the best performance, we trained our model using two datasets, namely the FormAI dataset and the FalconVulnDB. The FalconVulnDB is a combination of recent public datasets, namely the SySeVR framework, Draper VDISC, Bigvul, Diversevul, SARD Juliet, and ReVeal datasets. These datasets contain the top 25 most dangerous software weaknesses, such as CWE-119, CWE-120, CWE-476, CWE-122, CWE-190, CWE-121, CWE-78, CWE-787, CWE-20, and CWE-762. SecureFalcon achieves 94% accuracy in binary classification and up to 92% in multiclassification, with instant CPU inference times. It outperforms existing models such as BERT, RoBERTa, CodeBERT, and traditional ML algorithms, promising to push the boundaries of software vulnerability detection and instant code completion frameworks.