The automatic CVE patching is the feature I did not expect. Most AI coding platforms in 2026 are competing on how fast they generate features. Replit Agent 4 added something different: a system that watches your deployed application for newly published security vulnerabilities and prepares a patch before you have to notice the CVE yourself.

That is a different category of capability. It is not making you build faster. It is reducing the chance your shipped app gets compromised by a known vulnerability while you were focused on something else.

Replit has had a reputation as a learning and prototyping platform. Agent 4 is a deliberate push toward production — and the security features are the clearest signal of that.

Agent 4: Parallel Builders

The core Agent 4 capability is building applications from natural language using parallel agents. When you describe an app idea, Agent 4 does not generate it sequentially — scaffolding, then database, then UI, then auth. It distributes the work across parallel agents handling those pieces simultaneously, keeping each step visible as it progresses.

The result is faster initial generation on complex apps and a clearer picture of what is being built before it is finished. You can see the database taking shape at the same time as the component structure, rather than waiting for one to complete before the other starts.

Replit Agent is powered by Claude 3.5 Sonnet on Google Cloud Vertex AI. The model choice is relevant for developers who have opinions about which foundation model produces better code for their use cases — Anthropic’s model has strong performance on the agentic coding benchmarks that Replit’s use case maps to.

iOS App Generation: January 15, 2026

Replit announced iOS app creation from natural language descriptions on January 15, 2026. Describe the app, and Agent 4 generates a functional iOS application.

This is a significant expansion for a platform that previously focused on web. The iOS generation extends the “describe it, get it” model to mobile — you do not need Swift knowledge, you do not need Xcode configured, you do not need to understand Apple’s developer toolchain.

The limitation is the same one that applies to all natural language app generation: complex custom native features, deep OS integrations, and performance-sensitive implementations still require manual development work. But for apps that are primarily data display, form handling, and API calls — which describes most business apps — natural language generation covers the functional requirements.

The iOS launch positions Replit as the broadest platform in terms of deployment targets. Web apps, and now mobile, from the same natural language interface.

Security Agent: The Feature That Earns Production Trust

The Security Agent is Replit’s most differentiated addition in Agent 4.

When you run a security audit, the Security Agent builds a threat model for the project, maps all routes and data flows, runs static analysis across the codebase, and then uses an LLM to determine which findings from the static analysis are actually exploitable versus which are theoretical concerns. The output is a prioritized list of real issues, not a noisy dump of every potential vulnerability.

This is a meaningful improvement over running a static analysis tool and receiving hundreds of findings that require manual triage. The LLM-based filtering does the triage step and surfaces what actually matters.

The automatic CVE patching takes this further. When a critical CVE is published — a vulnerability in a dependency your project uses — Replit checks your dependency list, identifies the exposure, and has Agent prepare and test a patch. You receive a notification rather than discovering the problem from a breach report.

For context on why this matters: AI-generated code security vulnerabilities are a growing problem, with 45% of AI-generated code failing OWASP Top-10 checks. A platform that proactively monitors and patches known CVEs in generated code addresses one layer of that risk.

App Monitoring and Production Diagnosis

App Monitoring for published Replit apps gives you access to production logs and the ability to have Agent 4 diagnose issues from those logs.

When something fails in production, the traditional path is: find the error, look at logs, understand context, identify root cause, write a fix, test, deploy. With Agent 4 and App Monitoring, you can describe the failure to Agent and have it sift through logs and the production database to identify root cause and suggest a fix.

This is not a replacement for proper observability tooling on a serious production system. But for apps in early stages — MVPs, internal tools, small SaaS products — having the AI builder also handle production diagnosis keeps everything in one place without requiring a separate monitoring stack.

MCP and Video Stack

Replit’s MCP integration expanded in 2026, with Razorpay MCP added and a growing list of third-party MCP connections. This extends the range of external tools Replit can interface with during app generation.

The Video Stack is a newer addition for apps that handle video content — generation, processing, or playback. The details are still evolving, but it signals Replit’s intent to cover multimedia application types that were previously outside its scope.

Pricing: Pro Turbo

Replit Pro in 2026 runs at 2.5× Agent 4’s standard execution speed via Turbo Mode. Credits are tiered with rollover. Up to 15 builders per team with no per-seat fees is a meaningful pricing advantage for small teams. Priority support and 4× data retention round out the Pro tier.

The no-per-seat-fee structure for teams up to 15 is competitive compared to per-seat models. A team of five developers on Replit Pro pays one subscription rather than five.

Where Replit Agent 4 Has Limits

Replit generates complete applications from natural language, which means the output is optimized for the general case. Highly specific technical requirements — custom database configurations, non-standard auth flows, domain-specific algorithms — require manual extension or replacement of what Agent generated.

The iOS generation is powerful but produces apps at the prototype-to-early-production level. Apps with deep native features — camera handling, CoreData, complex animations, background processing — need a developer to take the Agent output further.

Replit is also a managed platform. If your team needs to run on-premise, in a specific cloud region, or with specific infrastructure controls, the managed nature of Replit is a constraint.

Verdict

Replit Agent 4 is not the learning platform it was two years ago. The iOS generation, Security Agent, and automatic CVE patching are production-grade additions that take the platform seriously as a place to build and deploy real software.

The Security Agent alone changes the calculus for teams using Replit for anything beyond experimentation. Having a production security auditor and automatic patching built into the platform you use to build is meaningfully better than remembering to run external security tooling after the fact.

For teams looking for a single platform that handles web and mobile app generation, production deployment, and ongoing security maintenance, Replit Agent 4 is the most complete option in that specific category.