Wink Pings

New Battleground for Code Security: AI Finds Vulnerabilities Missed by Traditional Tools and Auto-Patches

Anthropic has launched Claude Code Security, a tool that reasons about code logic the way a human researcher would, to detect vulnerabilities that traditional rule-based scanners miss and to generate proposed fixes. This changes the rules of the offense-defense balance.

![Claude Code Security Interface Screenshot](https://wink.run/image?url=https%3A%2F%2Fpbs.twimg.com%2Fmedia%2FHBnsB1mW8AAPwpm%3Fformat%3Dpng%26name%3Dlarge)

Security teams have long faced a dilemma: too many vulnerabilities and too few hands. Traditional static analysis tools can only identify known vulnerability patterns, such as exposed passwords or outdated encryption methods. However, they are often helpless when dealing with issues like business logic flaws or access control vulnerabilities, which require an understanding of the code context.

Anthropic's newly released Claude Code Security tool aims to change this status quo. Unlike rule-based scanning, it can read and reason about code like a human security researcher, understanding how components interact and tracing the flow of data throughout the application.
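To illustrate the gap the article describes, here is an added example (not Anthropic's code and not part of Claude Code Security): a minimal rule-based scanner with two constructed regex rules, run over constructed code samples. It flags an exposed credential and an outdated hash, but returns nothing for a missing-authorization flaw, and it cannot even tell that flaw apart from its fixed version, because recognising it requires reasoning about who is allowed to read which record.

```python
import re
from typing import List, Tuple

# Constructed rule set in the style of a pattern-based scanner:
# each rule is a name plus a regular expression applied per source line.
RULES: List[Tuple[str, re.Pattern]] = [
    ("hardcoded-credential",
     re.compile(r"""(?i)(password|secret|api_key)\s*=\s*['"][^'"]+['"]""")),
    ("weak-hash-md5", re.compile(r"\bhashlib\.md5\s*\(")),
]

def pattern_scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, regex in RULES:
            if regex.search(line):
                findings.append((lineno, name))
    return findings

# Constructed sample: both issues are textual, so the regex rules catch them.
SAMPLE_PATTERN_FLAWS = '''\
import hashlib
DB_PASSWORD = "hunter2"                 # exposed credential
digest = hashlib.md5(data).hexdigest()  # outdated hash
'''

# Constructed sample: an access-control flaw. The handler returns any invoice
# by id without checking that the requester owns it. Every line looks like
# ordinary code, so no line-level rule can fire.
SAMPLE_LOGIC_FLAW = '''\
def get_invoice(request, invoice_id):
    invoice = db.invoices.get(invoice_id)
    return render(invoice)
'''

# Constructed sample: the fixed handler. Textually it is just one extra
# branch; a pattern scanner sees no difference between this and the flaw.
SAMPLE_LOGIC_FIXED = '''\
def get_invoice(request, invoice_id):
    invoice = db.invoices.get(invoice_id)
    if invoice.owner_id != request.user.id:
        return forbidden()
    return render(invoice)
'''

def demo() -> dict:
    """Scan all three samples; only the textual flaws produce findings."""
    return {"pattern": pattern_scan(SAMPLE_PATTERN_FLAWS),
            "logic": pattern_scan(SAMPLE_LOGIC_FLAW),
            "fixed": pattern_scan(SAMPLE_LOGIC_FIXED)}
```

Seeing the access-control flaw requires following the request through the handler and asking whether the caller is ever compared with the record's owner, which is the kind of contextual reasoning the article says rule-based scanners lack.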

Using Claude Opus 4.6, the Anthropic team discovered over 500 vulnerabilities in production open-source codebases that had remained hidden despite expert review for decades. Each finding undergoes a multi-stage verification process where Claude re-examines every result, attempting to prove or disprove its own findings to filter out false positives.

Some observers have pointed out that scanning is merely the baseline capability; the real breakthrough lies in the quality of the patches. Security teams will only apply fixes that are reliable enough not to break other functionality; otherwise the findings simply get tossed into a backlog.

Another critical issue is risk control. While reasoning-based scanning is indeed more advanced than pattern matching, the real test lies in the remediation phase. If the AI breaks existing business logic while fixing a vulnerability, it effectively swaps a security risk for a production incident risk. Currently, all fixes require manual review and approval; there is no automatic merging mechanism.

The emergence of such tools alters the offense-defense balance in cybersecurity. Attackers will use AI to discover exploitable weaknesses more quickly, but defenders can also find and fix the same weaknesses if they act swiftly. In the future, the majority of the world's code will be scanned by AI, turning every codebase into a race to complete fixes before exploitation occurs.

The tool is currently in a limited research preview phase, available to enterprise and team customers. Maintainers of open-source projects can apply for free accelerated access.

![Claude Code Security Application Interface](https://wink.run/image?url=https%3A%2F%2Fpbs.twimg.com%2Fmedia%2FHBnuImiWQAA52KL%3Fformat%3Dpng%26name%3Dlarge)

Published: 2026-02-21 11:17