Claude Code Security, a new capability built into Claude Code on the web, is now available in a limited research preview. It scans codebases for security vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix security issues that traditional methods often miss.
Executive Summary
Security teams face a common challenge: too many software vulnerabilities and not enough people to address them. Existing analysis tools help, but only to a point, as they usually look for known patterns. Finding the subtle, context-dependent vulnerabilities that are often exploited by attackers requires skilled human researchers, who are dealing with ever-expanding backlogs.
Key Insights
- Security teams face a common challenge: too many software vulnerabilities and not enough people to address them. Existing analysis tools help, but only to a point, as they usually look for known patterns.
- AI is beginning to change that calculus. Anthropic has recently shown that Claude can detect novel, high-severity vulnerabilities. But the same capabilities that help defenders find and fix vulnerabilities could help attackers exploit them.
- Claude Code Security is intended to put this power squarely in the hands of defenders and protect code against this new category of AI-enabled attack.
Technical Deep Dive
How Claude Code Security works
Static analysis—a widely deployed form of automated security testing—is typically rule-based, meaning it matches code against known vulnerability patterns. That catches common issues, like exposed passwords or outdated encryption, but often misses more complex vulnerabilities, like flaws in business logic or broken access control.
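The gap described above, as an added example (not part of Anthropic's announcement, and not a depiction of how Claude Code Security works internally): a two-rule pattern scanner flags a hardcoded password and an MD5 call, reports nothing for a handler that lacks an ownership check, and a behavioural check then shows that handler returning another user's record. The rule set, handler names and sample data are all constructed for illustration.

```python
import re

# Simplified, constructed rules of the kind a pattern-based scanner ships with.
RULES = {
    "hardcoded-secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    "weak-hash": re.compile(r"\bhashlib\.(md5|sha1)\("),
}

def scan(source):
    """Return the sorted ids of every rule whose pattern matches the source text."""
    return sorted(rule for rule, rx in RULES.items() if rx.search(source))

# Constructed sample 1: issues that have a recognisable textual signature.
CONFIG_SRC = '''
DB_PASSWORD = "hunter2"
def digest(data):
    return hashlib.md5(data).hexdigest()
'''

# Constructed sample 2: broken access control. Nothing on any single line is
# "wrong"; the flaw is the comparison that is missing from the first handler.
HANDLER_SRC = '''
def get_invoice(invoices, current_user, invoice_id):
    return invoices[invoice_id]

def get_invoice_fixed(invoices, current_user, invoice_id):
    invoice = invoices[invoice_id]
    if invoice["owner"] != current_user:
        raise PermissionError("invoice belongs to another user")
    return invoice
'''

# Execute the constant above so the text scanned and the code tested are identical.
HANDLERS = {}
exec(HANDLER_SRC, HANDLERS)

INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 75}}

def cross_user_read(handler):
    """Behavioural check: can alice fetch bob's invoice through this handler?"""
    try:
        return handler(INVOICES, "alice", 2)["owner"] == "bob"
    except PermissionError:
        return False

if __name__ == "__main__":
    print("config findings: ", scan(CONFIG_SRC))
    print("handler findings:", scan(HANDLER_SRC))
    print("original leaks:  ", cross_user_read(HANDLERS["get_invoice"]))
    print("fixed leaks:     ", cross_user_read(HANDLERS["get_invoice_fixed"]))
```

Finding the second issue requires knowing that invoices have owners and that the caller's identity must be compared against them, which is context no line-level pattern carries.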
Rather than scanning for known patterns, Claude Code Security reads and reasons about your code the way a human security researcher would: understanding how components interact, tracing how data moves through your application, and catching complex vulnerabilities that rule-based tools miss.
Every finding goes through a multi-stage verification process before it reaches an analyst. Claude re-examines each result, attempting to prove or disprove its own findings and filter out false positives. Findings are also assigned severity ratings so teams can focus on the most important fixes first.
Validated findings appear in the Claude Code Security dashboard, where teams can review them, inspect the suggested patches, and approve fixes. Because these issues often involve nuances that are difficult to assess from source code alone, Claude also provides a confidence rating for each finding. Nothing is applied without human approval: Claude Code Security identifies problems and suggests solutions, but developers always make the call.
Using Claude for cybersecurity
Claude Code Security builds on more than a year of research into Claude’s cybersecurity capabilities. Anthropic’s Frontier Red Team has been stress-testing these abilities systematically: entering Claude in competitive Capture-the-Flag events, partnering with Pacific Northwest National Laboratory to experiment with using AI to defend critical infrastructure, and refining Claude’s ability to find and patch real vulnerabilities in code.
Claude’s cyberdefensive abilities have improved substantially as a result. Using Claude Opus 4.6, released earlier this month, Anthropic’s team found over 500 vulnerabilities in production open-source codebases—bugs that had gone undetected for decades, despite years of expert review. They’re working through triage and responsible disclosure with maintainers now, and plan to expand their security work with the open-source community.
Anthropic also uses Claude to review their own code, and they’ve found it to be extremely effective at securing Anthropic’s systems. They built Claude Code Security to make those same defensive capabilities more widely available. And since it’s built on Claude Code, teams can review findings and iterate on fixes within the tools they already use.
The road ahead
This is a pivotal time for cybersecurity. Anthropic expects that a significant share of the world’s code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues.
Attackers will use AI to find exploitable weaknesses faster than ever. But defenders who move quickly can find those same weaknesses, patch them, and reduce the risk of an attack. Claude Code Security is one step towards Anthropic’s goal of more secure codebases and a higher security baseline across the industry.
Why This Matters
This is a pivotal time for cybersecurity. AI-powered tools like Claude Code Security represent a fundamental shift in how we approach software security. By enabling defenders to find and fix vulnerabilities at the same pace that attackers can discover them, we’re moving toward a more secure software ecosystem.
The tool’s ability to find over 500 previously unknown vulnerabilities in production codebases demonstrates the power of AI-assisted security analysis. This isn’t just about automation—it’s about augmenting human security researchers with tools that can reason about code at scale.
Getting Started
Claude Code Security is now available in a limited research preview to Enterprise and Team customers. Participants will get early access and collaborate directly with Anthropic’s team to hone the tool’s capabilities. Open-source maintainers are also encouraged to apply for free, expedited access.
To learn more, visit claude.com/solutions/claude-code-security
This post was automatically curated from Anthropic. Published on 2026-02-20.