Anthropic's Claude Code Security is available now after finding 500+ vulnerabilities: how security leaders should respond
Source: VentureBeat
Anthropic pointed its most advanced AI model, Claude Opus 4.6, at production open‑source codebases and found more than 500 high‑severity vulnerabilities that had survived decades of expert review and millions of hours of fuzzing. Each candidate was vetted through internal and external security review before disclosure.
Fifteen days later, the company productized the capability and launched Claude Code Security.
Why security directors should care now
Security directors responsible for seven‑figure vulnerability‑management stacks should expect a common question from their boards in the next review cycle. VentureBeat anticipates the emails and conversations will start with:
“How do we add reasoning‑based scanning before attackers get there first?”
The question is pressing because, as Anthropic’s review found, simply pointing an AI model at exposed code can be enough to identify (and, in the hands of malicious actors, exploit) security lapses in production code.
The answer matters more than the number, and it is primarily structural: how your tooling and processes allocate work between pattern‑based scanners and reasoning‑based analysis.
- CodeQL and the tools built on it match code against known patterns.
- Claude Code Security (launched Feb 20 as a limited research preview) reasons about code the way a human security researcher would. It follows how data moves through an application and catches flaws in business logic and access control that no rule set covers.
The board conversation security leaders need to have this week
Five hundred newly discovered zero‑days is less a scare statistic than a standing budget justification for rethinking how you fund code security.
The reasoning capability Claude Code Security represents—and its inevitable competitors—needs to drive the procurement conversation.
| Capability | What it does |
|---|---|
| Static Application Security Testing (SAST) | Catches known vulnerability classes. |
| Reasoning‑based scanners | Find what pattern‑matching was never designed to detect. Both have a role. |
Anthropic published the zero‑day research on Feb 5. Fifteen days later, it shipped the product, which uses the same model and capabilities and is now available to Enterprise and Team customers.
What Claude does that CodeQL couldn’t
GitHub has offered CodeQL‑based scanning through Advanced Security for years, and added Copilot Autofix in August 2024 to generate LLM‑suggested fixes for alerts. Security teams rely on it, but the detection boundary is the CodeQL rule set; everything outside that boundary stays invisible.
Claude Code Security extends that boundary by generating and testing its own hypotheses about how data and control flow through an application, including cases where no existing rule set describes the issue.
- CodeQL solves the problem it was built to solve: data‑flow analysis within predefined queries. It tells you whether tainted input reaches a dangerous function.
- Claude can autonomously read a project’s commit history, infer an incomplete patch, trace that logic into another file, and then assemble a working proof‑of‑concept exploit end‑to‑end. It did exactly that on GhostScript, OpenSC, and CGIF, each time using a different reasoning strategy.
“The real shift is from pattern‑matching to hypothesis generation,” said Merritt Baer, CSO at Enkrypt AI, advisor to Andesite and AppOmni, and former Deputy CISO at AWS, in an exclusive interview with VentureBeat. “That’s a step‑function increase in discovery power, and it demands equally strong human and technical controls.”
Three proof points from Anthropic’s methodology
1. Commit‑history analysis across files
- Target: GhostScript – a widely deployed utility for processing PostScript and PDF files.
- Finding: Fuzzing and manual analysis turned up nothing. Claude pulled the Git commit history, found a patch that added stack‑bounds checking for font handling in `gstype1.c`, and reversed the logic: if the fix was needed there, every other call to that function without the fix was still vulnerable.
- Result: In `gdevpsfx.c` (a completely different file) the call to the same function lacked the bounds checking. Claude built a working proof‑of‑concept crash. No CodeQL rule describes that bug today. The maintainers have since patched it.
2. Reasoning about preconditions that fuzzers can’t reach
- Target: OpenSC – processes smart‑card data.
- Finding: Standard approaches failed, so Claude searched the repository for function calls that are frequently vulnerable and found a location where multiple `strcat` operations ran in succession without length checking on the output buffer.
- Result: Fuzzers rarely reached that code path because too many preconditions stood in the way. Claude reasoned about which fragments looked interesting, constructed a buffer overflow, and proved the vulnerability.
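The bug class described above, shown next to a bounded form, as an added example (this is not OpenSC code; the function names `join_unchecked`, `append_checked`, `join_checked` and the sample fragments are hypothetical):

```c
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: each strcat() trusts that `out` still has room.
 * Nothing ties the three writes to the size of the destination. */
void join_unchecked(char *out, const char *a, const char *b, const char *c)
{
    out[0] = '\0';
    strcat(out, a);
    strcat(out, b);
    strcat(out, c);
}

/* Bounded append: copies `src` only if it fits in the space left,
 * terminating NUL included. Returns 0 on success, -1 if it would not
 * fit; on failure `out` keeps what was appended so far. */
int append_checked(char *out, size_t cap, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (*used >= cap || n > cap - *used - 1)
        return -1;
    memcpy(out + *used, src, n + 1);
    *used += n;
    return 0;
}

/* Hardened join: returns the resulting length, or -1 as soon as one
 * fragment would run past the end of `out`. */
int join_checked(char *out, size_t cap, const char *a, const char *b, const char *c)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (append_checked(out, cap, &used, a) ||
        append_checked(out, cap, &used, b) ||
        append_checked(out, cap, &used, c))
        return -1;
    return (int)used;
}

int main(void)
{
    char buf[16];   /* constructed sample fragments below */
    printf("%d\n", join_checked(buf, sizeof buf, "card", ":", "label"));
    printf("%d\n", join_checked(buf, sizeof buf, "card", ":", "a-much-longer-label"));
    return 0;
}
```

The checked variant turns an out-of-bounds write into an error return the caller has to handle, which is also the property a reviewer can grep for at each call site.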
3. Algorithm‑level edge cases that no coverage metric catches
- Target: CGIF – a library for processing GIF files.
- Finding: The vulnerability required understanding how LZW compression builds a dictionary of tokens. CGIF assumed compressed output would always be smaller than uncompressed input, which is almost always true.
- Result: Claude recognized that if the LZW dictionary filled up and triggered resets, the compressed output could exceed the uncompressed size, overflowing the buffer. Even 100% branch coverage wouldn’t catch this. The flaw demands a particular sequence of operations that exercises an edge case in the compression algorithm itself; random input generation almost never produces it. Claude did.
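Why "compressed is never larger than uncompressed" is an unsafe sizing assumption for LZW, as an added example (not code from CGIF or from Anthropic's report): a simplified GIF-style encoder that only counts output bits, plus a worst-case bound for sizing the output buffer. The function names, the width-switching details and the pseudo-random sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CODES 4096   /* GIF caps LZW codes at 12 bits */
#define FIRST_CODE 258   /* 256 = clear code, 257 = end code */
static unsigned short dict[MAX_CODES][256];  /* [prefix][byte] -> code, 0 = none */

/* Bytes of code stream a simplified GIF-style LZW encoder emits for `in`
 * (8-bit symbols, 9..12-bit codes, sub-block framing not counted).
 * *resets receives the number of dictionary resets. */
size_t lzw_encoded_size(const unsigned char *in, size_t n, size_t *resets)
{
    size_t bits = 9, i;                       /* leading clear code */
    unsigned next = FIRST_CODE, width = 9, cur = n ? in[0] : 0;
    *resets = 0;
    memset(dict, 0, sizeof dict);
    for (i = 1; i < n; i++) {
        unsigned c = in[i];
        if (dict[cur][c]) { cur = dict[cur][c]; continue; }  /* extend phrase */
        bits += width;                        /* emit code for current phrase */
        if (next < MAX_CODES) {
            dict[cur][c] = (unsigned short)next++;
            width += (next > (1u << width) && width < 12);
        } else {                              /* full: emit clear code, reset */
            bits += width;
            memset(dict, 0, sizeof dict);
            next = FIRST_CODE; width = 9;
            (*resets)++;
        }
        cur = c;
    }
    bits += (n ? 2 : 1) * width;              /* last phrase + end code */
    return (bits + 7) / 8;
}

/* Safe output size for n input bytes: at most one 12-bit code per byte,
 * one clear code per 3838 new entries, plus leading clear and end code. */
size_t lzw_worst_case_size(size_t n)
{
    return (12 * (n + n / (MAX_CODES - FIRST_CODE) + 2) + 7) / 8;
}

int main(void)
{
    static unsigned char in[20000];
    size_t resets, out; unsigned x = 1;
    for (size_t i = 0; i < sizeof in; i++)    /* constructed sample: fixed-seed LCG */
        in[i] = (unsigned char)((x = x * 1103515245u + 12345u) >> 16);
    out = lzw_encoded_size(in, sizeof in, &resets);
    printf("in=%zu out=%zu resets=%zu bound=%zu\n", sizeof in, out, resets, lzw_worst_case_size(sizeof in));
    return 0;
}
```

Sizing the output buffer from `lzw_worst_case_size` rather than from the input length removes the dependence on how compressible the data happens to be.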
“The challenge with reasoning isn’t accuracy, it’s agency,” Baer told VentureBeat. “Once a system can form hypotheses and pursue them, you’ve shifted from a lookup tool to something that can explore your environment in ways that are harder to predict and constrain.”
How Anthropic validated 500+ findings
Anthropic placed Claude inside a sandboxed virtual machine equipped with standard utilities and vulnerable codebases. Each discovered issue was:
- Reproduced automatically by Claude.
- Verified by internal security engineers.
- Triaged through an external advisory program for responsible disclosure.
Only after passing these steps did Anthropic publish the findings and ship Claude Code Security.
Takeaways for security leaders
| ✅ | Action |
|---|---|
| | Assess your current SAST stack – what proportion of coverage comes from pattern‑matching vs. reasoning? |
| | Pilot Claude Code Security (or a comparable reasoning‑based scanner) on a high‑risk codebase. |
| | Integrate hypothesis‑generation alerts into your existing ticketing and remediation workflow. |
| | Educate board members on the shift from “rule‑set completeness” to “hypothesis‑driven discovery.” |
| | Allocate budget for both tooling and the human expertise needed to validate AI‑generated findings. |
By pairing traditional pattern‑based scanners with reasoning‑based analysis, you can move from merely detecting known flaws to discovering the unknown—exactly the capability that turned 500 hidden zero‑days into a compelling business case.
Red‑Team Approach & Findings
The red team didn’t provide any specialized instructions, custom harnesses, or task‑specific prompting—just the model and the code.
- Focus: Memory‑corruption vulnerabilities, because they’re the easiest to confirm objectively. Crash monitoring and address sanitizers leave no room for debate.
- Model behavior: Claude filtered its own output, deduplicating and reprioritizing before human researchers touched anything.
- Scale: As the confirmed count kept climbing, Anthropic brought in external security professionals to validate findings and write patches.
“When a vulnerability sits in one of these projects for a decade, every product that pulls from it inherits the risk.” – Anthropic internal brief
Defensive Research Timeline
- Duration: More than a year of defensive research before the product launch.
- CTF performance:
  - Ranked in the top 3% of PicoCTF globally.
  - Solved 19 of 20 challenges in the HackTheBox AI vs Human CTF.
  - Placed 6th of 9 teams defending live networks against human red‑team attacks at the Western Regional CCDC.
- Industrial test: Partnership with Pacific Northwest National Laboratory (PNNL) to simulate a water‑treatment plant.
  - PNNL estimated the model completed adversary emulation in three hours—a process that traditionally takes multiple weeks.
The Dual‑Use Dilemma
“The same reasoning that finds a vulnerability can help an attacker exploit one.” – Logan Graham, Frontier Red Team (quoted in Fortune)
- Anthropic’s stance (Gabby Curtis, communications lead, VentureBeat):
  - “We built Claude Code Security to make defensive capabilities more widely available, tipping the scales towards defenders.”
  - “The same reasoning that helps Claude find and fix a vulnerability could help an attacker exploit it, so we’re being deliberate about how we release this.”
- CISO survey (VentureBeat, >40 CISOs):
  - Formal governance frameworks for reasoning‑based scanning tools are the exception, not the norm.
  - Many CISOs considered the capability too nascent to arrive early in 2026.
Key Questions for Security Directors
- Internal threat surface: If I give my team a tool that finds zero‑days through reasoning, have I unintentionally expanded my internal threat surface?
- Risk of exposure: “You didn’t weaponize your internal surface, you revealed it,” says Baer (VentureBeat). “These tools can surface latent risk faster and more scalably.”
- IP considerations: “In addition to access and attack‑path risk, there is IP risk… Reasoning models can internalize and re‑express proprietary insights, blurring the line between use and leakage.” – Baer
Release Model & Safeguards
- Availability: Enterprise and Team customers only, via a limited research preview.
- Open‑source maintainers: Can apply for free expedited access.
- Verification pipeline:
  - Multi‑stage self‑verification before an analyst sees a finding.
  - Severity ratings and confidence scores attached to each report.
  - Every patch requires human approval.
- Built‑in detection:
  - Probes measure internal activations as the model generates responses.
  - New cyber‑specific probes track potential misuse.
  - Real‑time intervention capabilities (e.g., blocking malicious traffic).
“Offense and defense are converging in capability. The differentiator is oversight. If you can’t audit and bound how the tool is used, you’ve created another risk.” – Baer (VentureBeat)
- Performance metrics (requested by VentureBeat):
  - False‑positive rate before and after self‑verification.
  - Number of disclosed vulnerabilities with patches landed vs. still in triage.
  - Specific safeguards distinguishing attacker use from defender use (not disclosed to avoid tipping off threat actors).
Competitive Landscape
OpenAI
- Researcher: Sean Heelan used OpenAI’s o3 model (no custom tooling, no agentic framework).
- Result: Discovered CVE‑2025‑37899, a previously unknown use‑after‑free in the Linux kernel’s SMB implementation.
- Method: Analyzed >12 000 lines of code, identified a race condition missed by traditional static analysis because it required understanding concurrent thread interactions.
AISLE
- Startup: AI security firm AISLE.
- Findings: Discovered all 12 zero‑day vulnerabilities announced in OpenSSL’s January 2026 security patch, including a high‑severity CVE‑2025‑15467 (stack buffer overflow in CMS message parsing, potentially remotely exploitable without valid key material).
Takeaway
The speed advantage of reasoning‑based vulnerability discovery does not automatically favor defenders; it favors whoever adopts the technology first. Early adopters can set the terms of use, but they must also implement rigorous oversight, governance, and mitigation strategies to avoid expanding their own attack surface.
Overview
- OpenSSL CVEs in 2025 – 13 of the 14 total OpenSSL CVEs assigned this year were discovered by an AI model.
- Why it matters – OpenSSL is one of the most‑scrutinized cryptographic libraries on the planet; fuzzers have been running against it for years. The AI found what those fuzzers were not designed to find.
The Window Is Already Open
- The 500 vulnerabilities live in open‑source projects that enterprise applications depend on.
- Anthropic is disclosing and patching these issues, but the gap between discovery and the adoption of patches is where attackers operate today.
Availability
- The same model improvements behind Claude Code Security are available to anyone with API access.
Next Steps for Teams
- If your team is evaluating these capabilities, start with the limited research preview.
- The preview includes:
  - Clearly defined data‑handling rules
  - Audit logging
  - Success criteria agreed up front
Stay ahead of the threat landscape by leveraging AI‑driven security insights while ensuring proper governance and rapid patch adoption.