Rebecca De Rosa
A Hybrid Multi-Agent Architecture for Enhancing CodeQL Static Analysis with Large Language Models.
Supervisors: Danilo Giordano, Matteo Boffa. Politecnico di Torino, Master's degree programme in Cybersecurity, 2026
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract
Software vulnerabilities remain a critical challenge, with tens of thousands of Common Vulnerabilities and Exposures (CVEs) recorded annually. Static analysis tools such as CodeQL offer scalable, deterministic detection through predefined rule-based queries, but they are limited in contextual reasoning and in detecting novel vulnerability patterns, while fully LLM-based approaches raise concerns about reproducibility, cost, and integration within established DevSecOps pipelines. This thesis proposes a hybrid three-agent architecture that uses LLMs to augment CodeQL rather than replace it. An Analyzer agent validates CodeQL results through autonomous reasoning over the source code, quadrupling CodeQL's F1-score on a labeled Python dataset (0.43 vs 0.11). A Suggestor agent identifies coverage gaps by analysing false negatives and generating structured improvement proposals, and a Creator agent synthesises new CodeQL queries from these proposals, successfully targeting missing sources, sinks, and taint-propagation steps for CWE-89 and CWE-79.
A preliminary LLM-as-judge evaluation confirmed high gap coverage (4-5/5), though the generated queries required manual refinement to compile because of syntactic issues (2-3/5 syntactic correctness).