
tossandthrow, today at 11:58 AM

> it's just a bash script that goes through every single file in the codebase and, for each one, runs a "find the vulns here" prompt.

This really is not the case.

You have freedom of methodology.

You can also ask it to enumerate various risks and find proof of existence for each of them.

Certainly our LLM audits are not just a prompt per file - so I have a hard time believing that best-in-class tools would do this.