Claude Code Security: How Anthropic Is Using AI To Find Software Flaws

Claude Code Security scans entire codebases to find security vulnerabilities and suggests targeted patches.

New Delhi:

US-based AI company Anthropic has launched Claude Code Security, a new feature inside its web-based Claude Code platform. 

The capability is now available in a limited research preview for Enterprise and Team customers, with expedited access for some open-source maintainers.

About Claude Code Security

Claude Code Security scans entire codebases to find security vulnerabilities and suggests targeted patches. Human developers must review and approve every fix before it is applied.

Uses Of Claude Code Security 

Security teams face a familiar issue: too many vulnerabilities and too few people to fix them. Most companies rely on automated tools such as static analysis. These tools are rule-based. They scan code and match it against known vulnerability patterns. This works for common issues like exposed credentials or outdated encryption.

That said, static analysis often misses more complex problems, including:

  • Flaws in business logic
  • Broken access control
  • Subtle data flow issues across multiple components

These types of vulnerabilities often require human reasoning to detect. Skilled security researchers can find them, but they are limited by time and workload.

Anthropic says that large language models (LLMs) can help bridge this gap.
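The gap described above, as an added illustration that is not code from the article or from Anthropic: a rule-based pass catches the hard-coded key on a single line, while only a pass that follows the call into `load_order` and looks for a comparison against the caller flags the handler that returns a record without an ownership check. The sample source, the `db.get` data-access convention and the "first parameter is the caller" convention are assumptions made for the example.

```python
import ast, re
# Constructed sample (not from the article): a hard-coded secret that a rule-based
# scanner catches, and a handler returning a record without an ownership check.
SAMPLE = '''
API_KEY = "sk-live-EXAMPLE-CONSTRUCTED"
def load_order(order_id):
    return db.get("orders", order_id)
def get_order(user, order_id):
    return load_order(order_id)          # reaches the caller with no ownership check
def get_invoice(user, invoice_id):
    invoice = db.get("invoices", invoice_id)
    if invoice["owner"] != user:         # the check a human reviewer looks for
        raise PermissionError
    return invoice
'''

SECRET_RE = re.compile(r'^\s*\w*(KEY|SECRET|PASSWORD)\w*\s*=\s*["\']', re.I)

def pattern_scan(src):
    """Rule-based pass: flag lines matching a known secret-assignment pattern."""
    return [(i, line.strip()) for i, line in enumerate(src.splitlines(), 1)
            if SECRET_RE.search(line)]

def _reads_db(func, funcs, seen=()):
    """True if func calls db.get directly or via another function in the module."""
    for node in ast.walk(func):
        if not isinstance(node, ast.Call):
            continue
        callee = node.func
        if (isinstance(callee, ast.Attribute) and callee.attr == "get"
                and isinstance(callee.value, ast.Name) and callee.value.id == "db"):
            return True
        if (isinstance(callee, ast.Name) and callee.id in funcs and callee.id not in seen
                and _reads_db(funcs[callee.id], funcs, seen + (callee.id,))):
            return True
    return False

def _compares_against(func, name):
    """True if any comparison in func involves the variable `name`."""
    return any(isinstance(n, ast.Compare) and any(isinstance(s, ast.Name) and s.id == name
               for s in [n.left, *n.comparators]) for n in ast.walk(func))

def reasoning_scan(src):
    """Interprocedural pass: handlers taking `user` that reach db.get, directly or
    through a helper, and never compare anything against that user."""
    funcs = {f.name: f for f in ast.parse(src).body if isinstance(f, ast.FunctionDef)}
    return [name for name, f in funcs.items()
            if f.args.args and f.args.args[0].arg == "user"
            and _reads_db(f, funcs) and not _compares_against(f, "user")]
```

Running both passes over `SAMPLE` shows the regex flagging only the `API_KEY` line and the interprocedural pass flagging only `get_order`; `get_invoice` passes because it compares the record's owner against the caller.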

How Claude Code Security Works

Unlike traditional tools, Claude Code Security does not only match patterns. Anthropic says the system “reads and reasons” about code more like a human reviewer. It aims to:

  • Understand how different parts of an application interact.
  • Trace how data moves through the system.
  • Identify complex or indirect security weaknesses.

When the system finds a potential issue:

  1. It runs a multi-stage verification process.
  2. It attempts to confirm or disprove its own finding.
  3. It assigns a severity rating.
  4. It provides a confidence score.
  5. It suggests a targeted software patch.

Nothing is fixed automatically. Developers review findings through a dashboard and decide whether to apply changes.

Research Background

Anthropic says it has been testing Claude's cybersecurity capabilities for over a year.

Using its latest model, Claude Opus 4.6, the company claims it identified more than 500 vulnerabilities in production open-source codebases. Some of these issues had reportedly gone undetected for years. The company says it is working through responsible disclosure with maintainers.

Claude is also used internally to review Anthropic's code.

The Risk Of AI

Anthropic acknowledges that the same AI capabilities that help defenders find vulnerabilities can also help attackers exploit them.

If AI models can analyse large codebases quickly, trace complex data flows, and identify business logic flaws, then threat actors can use similar tools to scan software for weaknesses at scale.


How Bad Actors Can Exploit These Vulnerabilities

If attackers gain access to advanced AI scanning tools, several risks increase:

  1. Faster discovery of zero-day flaws - Attackers could identify previously unknown vulnerabilities before companies have time to patch them.
  2. More targeted attacks - AI systems can understand how applications work, enabling attackers to craft precise exploits rather than broad, generic attacks.
  3. Automation at scale - Instead of manually probing systems, attackers could scan thousands of repositories and applications in a short time.
  4. Business logic abuse - Complex vulnerabilities, such as bypassing payment rules or access restrictions, are often difficult to detect. AI could help attackers uncover and exploit these subtle flaws.
  5. Reduced time-to-exploit window - The gap between vulnerability discovery and exploitation may shrink.

Market Reaction

The Claude Code Security announcement affected financial markets, with shares of several cybersecurity companies falling after the news.

Stocks that declined included CrowdStrike, Cloudflare, Zscaler, Palo Alto Networks, Okta, GitLab, JFrog and Rubrik.
