Anthropic announced Claude Code Security today — an automated vulnerability scanner built into Claude Code on the web. Limited research preview, Enterprise and Team customers first, free access for open-source maintainers. The pitch: it reads your codebase the way a human security researcher would, tracing data flow and reasoning about how components interact, rather than matching against a library of known patterns.

The number underneath the announcement is what caught me. Opus 4.6 found over 500 high-severity vulnerabilities in production open-source software — Ghostscript, OpenSC, CGIF, among others — that had survived decades of human review and automated fuzzing. Not edge cases. Memory corruption bugs, buffer overflows, incomplete bounds checking in code paths that previous patches had missed. The Ghostscript vulnerability was in font handling. It had been sitting there through years of security fixes to adjacent code.

Traditional SAST (static application security testing) tools work by pattern recognition. They maintain databases of known vulnerability signatures and scan for matches. That approach catches the bugs that look like bugs someone has already found. It misses the ones that require understanding what the code is actually doing — business logic flaws, broken access control, the subtle interaction between two modules that are individually correct but dangerous together.
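To make that concrete, here is a deliberately toy illustration (mine, not how any particular scanner is implemented): a signature rule happily flags the command injection that looks like every command injection before it, and says nothing about a broken access check, because every line of the flawed handler is individually unremarkable.

```python
import re

# A toy signature rule of the kind a pattern-matching scanner might ship:
# flag os.system() calls whose argument is built by string concatenation.
SIGNATURE = re.compile(r"os\.system\(.*\+.*\)")

def scan_lines(source: str) -> list[int]:
    """Return line numbers that match the known-bad signature."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if SIGNATURE.search(line)]

# Case 1: the signature fires, because the bug looks like bugs we've seen before.
obvious = 'os.system("convert " + user_supplied_filename)'

# Case 2: a broken-access-control flaw. No signature fires, because nothing
# here looks wrong unless you know delete_document never checks whether the
# caller owns the document it deletes.
subtle = """
def delete_document(request, doc_id):
    doc = Document.objects.get(pk=doc_id)   # no ownership check
    doc.delete()
    return redirect("/documents")
"""

print(scan_lines(obvious))  # [1]  -> caught
print(scan_lines(subtle))   # []   -> missed
```

A reviewer who knows what delete_document is supposed to do spots the second bug immediately; a regex never will.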

What makes Claude Code Security different, at least on paper, is the multi-stage verification. The system finds something suspicious, then actively tries to disprove its own finding before flagging it. Each result gets a severity rating and a confidence score. Patches are suggested but never applied automatically. Logan Graham, who leads Anthropic's Frontier Red Team, told Fortune it's meant to be "a force multiplier for security teams," not a replacement for them.
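Anthropic hasn't published the internals, but the workflow as described has a simple shape: generate a candidate finding, attack it, and only pass the survivors to a human along with a severity and a confidence. A minimal sketch of that shape, with every field name and the verify step invented by me for illustration:

```python
from dataclasses import dataclass

# Field names are my own guesses at what such a record might carry;
# Anthropic has not published the actual schema.
@dataclass
class Finding:
    title: str
    severity: str          # e.g. "high", "medium", "low"
    confidence: float      # 0.0 to 1.0
    suggested_patch: str   # proposed to the reviewer, never auto-applied

def verify(finding: Finding, disproof_passes: list[bool]) -> Finding | None:
    """Surface a finding only if none of the disproof attempts succeeded.

    Each entry in disproof_passes stands in for one verification stage that
    either managed (True) or failed (False) to refute the candidate finding.
    """
    if any(disproof_passes):
        return None        # the system talked itself out of its own result
    return finding         # severity and confidence go to a human, who decides
```

The asymmetry is the design choice worth noting: the model is allowed to kill its own findings, but only a person is allowed to apply a patch.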

I find that framing interesting because I ran exactly this kind of audit on this blog's build system a month ago. Forty-five issues — XSS vulnerabilities, race conditions, path traversal — all hiding in code that the agentic tools themselves had written. The tools generated working code. They didn't generate secure code. The gap between "runs correctly" and "fails safely" is where most real-world vulnerabilities live, and it's precisely the gap that pattern-matching scanners struggle to see.
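The path traversal findings were typical of the pattern. A simplified sketch of the shape of bug I mean, not the literal code from that audit:

```python
import os

BUILD_DIR = "/var/www/site/public"

# "Runs correctly": every legitimate page name resolves to the right file.
# It also happily reads ../../etc/passwd, because nothing pins the result
# inside BUILD_DIR.
def read_page_unsafe(name: str) -> str:
    with open(os.path.join(BUILD_DIR, name)) as f:
        return f.read()

# "Fails safely": resolve the path, then refuse anything that escapes the root.
def read_page_safe(name: str) -> str:
    path = os.path.realpath(os.path.join(BUILD_DIR, name))
    if not path.startswith(os.path.realpath(BUILD_DIR) + os.sep):
        raise ValueError(f"path escapes build directory: {name!r}")
    with open(path) as f:
        return f.read()
```

The unsafe version passes every test you would naturally write for it, which is exactly why this class of bug survives review.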

The dual-use question is obvious. If an AI can find bugs that have been hiding for decades, attackers with the same model can find them too. Graham acknowledged this directly, arguing that getting the tool into defenders' hands first creates a window of advantage. I'm not sure how wide that window is. But Anthropic's research with Pacific Northwest National Laboratory on critical infrastructure defence suggests they're thinking about the race dynamics seriously, not just shipping a product.

The thing that sticks with me is how Claude found those Ghostscript bugs. It analysed Git commit history, identified prior security fixes, then looked for similar unpatched instances elsewhere in the codebase. That's not fuzzing. That's the methodology a skilled human reviewer would use on a good day. The difference is that a human can hold maybe a few thousand lines of context while doing it. Claude can hold the entire repository.
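Anthropic hasn't described the pipeline in any more detail than that, but the first half of the loop, mining the history for past security fixes and the code they touched, is easy enough to approximate by hand. A rough sketch, with the keyword heuristics entirely my own:

```python
import subprocess

# Crude markers of a security fix in a commit message; real triage would be
# far more careful. This is the shape of the method, not Anthropic's pipeline.
SECURITY_KEYWORDS = ["overflow", "bounds", "cve", "use-after-free", "security fix"]

def security_fix_commits(repo: str) -> list[str]:
    """Commit hashes whose messages mention one of the security keywords."""
    log = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %s"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.split()[0] for line in log.splitlines()
            if any(k in line.lower() for k in SECURITY_KEYWORDS)]

def touched_context(repo: str, commit: str) -> set[str]:
    """The function/section names git prints in a commit's diff hunk headers."""
    diff = subprocess.run(
        ["git", "-C", repo, "show", "--unified=0", commit],
        capture_output=True, text=True, check=True,
    ).stdout
    names = set()
    for line in diff.splitlines():
        if line.startswith("@@") and line.count("@@") >= 2:
            context = line.split("@@")[-1].strip()
            if context:
                names.add(context)
    return names
```

The hard part is the step this sketch stops at: deciding which other code in the tree makes the same mistake those commits fixed. That requires actually understanding the code, which is the part the model supplies.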
