SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Anthropic unveils Claude Code Security to scan codebases

Tue, 24th Feb 2026

Anthropic has launched Claude Code Security, a new feature in Claude Code for the web, in a limited research preview for software security teams. The tool scans codebases for vulnerabilities and proposes specific patches for developers to review before any changes are made.

The release comes as organisations face a growing volume of vulnerabilities across commercial and open-source software, while many teams say staffing has not kept pace with the number of issues requiring investigation and remediation.

Most automated code security tools rely on static analysis, which matches code against known patterns using rules. This method can flag recurring problems such as exposed credentials or weak cryptography, but often struggles with context-dependent issues, including business logic flaws and access-control weaknesses.

Claude Code Security takes a different approach. It analyses how application components interact and traces how data moves through a system, aiming to surface problems that do not match known vulnerability signatures.

Verification Steps

Before surfacing findings to an analyst, the system runs a multi-stage verification process. It rechecks its conclusions and attempts to validate or refute them. The workflow is intended to reduce false positives, which can consume scarce engineering time.

Validated findings appear in a Claude Code Security dashboard, which shows a suggested patch alongside each issue. The tool assigns a severity rating to guide triage and provides a confidence rating for each finding, reflecting the uncertainty that can exist when assessing security issues from source code alone.

Code changes are not applied automatically; developers must approve any fix before it is implemented.

Access And Scope

The limited research preview is open to Claude Enterprise and Team customers, with expedited access also available for maintainers of open-source repositories. Anthropic plans to work with participants during the preview period to refine the product and govern its use.

The move comes amid a growing debate across the security industry about how to manage AI systems that can find weaknesses quickly. Tools that improve defensive testing can also lower the barrier for attackers seeking exploitable bugs.

Security Research

Claude Code Security builds on more than a year of research into using Anthropic's models for cyber defence. The company's Frontier Red Team has tested the system in competitive Capture-the-Flag events and worked with Pacific Northwest National Laboratory on experiments related to protecting critical infrastructure.

Anthropic also described recent work using Claude Opus 4.6, which it said was released earlier this month. Its team reported finding more than 500 vulnerabilities in production open-source codebases, including bugs that had gone undetected for decades, and said it is working with maintainers on triage and responsible disclosure.

The company has also used Claude to review its own internal code, describing the approach as effective for securing its systems. It positioned Claude Code Security as a way to bring that style of review into a product interface.

Industry Direction

Anthropic expects AI-assisted scanning to become more common across the software industry and said a significant share of the world's code will be scanned by AI in the near future. It also said attackers will use AI to find exploitable weaknesses more quickly, raising expectations for how fast defenders can identify and patch issues.

Anthropic framed the release as a defensive step in that environment. "Claude Code Security is intended to put this power squarely in the hands of defenders and protect code against this new category of AI-enabled attack," it said.