
Claude Code Security: AI Vulnerability Scanner

5 min read · Anthropic

Figure: Claude Code Security scanning pipeline showing code analysis, data flow tracing, verification, and patch suggestion stages

How Claude Code Security Goes Beyond Static Analysis

Claude Code Security, now available in a limited research preview, brings AI-powered vulnerability detection directly into Claude Code. Traditional static analysis matches code against known vulnerability patterns, catching common issues like exposed passwords or outdated encryption. Claude Code Security goes further: it understands how components interact, traces how data moves through your application, and catches complex vulnerabilities that rule-based tools miss.

It is powered by Claude Opus 4.6, the same model that leads Terminal-Bench 2.0 for agentic coding.

How Claude Code Security Works

The scanning process involves multiple stages of verification:

  • Code Analysis: Claude reads and reasons about the codebase, understanding component interactions
  • Data Flow Tracing: Traces how data moves through the application to find injection points
  • Multi-Stage Verification: Re-examines each finding, attempting to prove or disprove its own results
  • False Positive Filtering: Filters out false positives before results reach an analyst
  • Severity Rating: Assigns severity ratings so teams can prioritize the most critical fixes
  • Patch Suggestion: Generates targeted code patches for each validated vulnerability

Every finding includes a confidence rating, and nothing is applied without human approval. Claude identifies problems and suggests solutions, but developers always make the final call.

Real-World Results: 500+ Zero-Days Found

Anthropic's Frontier Red Team has been stress-testing Claude's cybersecurity abilities through competitive Capture-the-Flag events and partnerships with Pacific Northwest National Laboratory for critical infrastructure defense.

Using Claude Opus 4.6, the team found over 500 vulnerabilities in production open-source codebases, including novel, high-severity zero-day vulnerabilities that had been missed by traditional tools and human review.

What Claude Code Security Catches That Others Miss

  • Business logic flaws: Vulnerabilities in application-specific logic
  • Broken access control: Authorization issues across complex permission systems
  • Context-dependent vulnerabilities: Issues that only appear when understanding how multiple components interact
  • Subtle injection points: Data flow paths that traditional pattern matching doesn't trace
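The data flow tracing stage above and the "subtle injection points" bullet describe the same gap. As an added example (not Anthropic's code and not how Claude Code Security is implemented), a minimal taint tracker built on Python's ast module shows why a line-oriented pattern check misses a sink that is reached only through an alias and a helper's return value. The sample source, the SOURCES and SINKS names and the helper functions are all constructed for illustration.

```python
import ast

# Constructed sample (not from the article): the sink line never mentions "req".
SAMPLE = '''
def build(req):
    name = req.args["name"]
    cmd = "ls " + name
    return cmd
def handler(req):
    command = build(req)
    os.system(command)
'''
SOURCES = {"args"}   # attribute names treated as untrusted input (assumption)
SINKS = {"system"}   # method names treated as dangerous sinks (assumption)

def pattern_match(source):
    # Rule-based check: flag a sink call whose own line mentions the request.
    return [ln for ln in source.splitlines() if "os.system(" in ln and "req" in ln]

def is_tainted(node, tainted, tainted_funcs):
    # True if the expression reads a source, a tainted name or a tainted helper.
    return any(
        (isinstance(s, ast.Attribute) and s.attr in SOURCES)
        or (isinstance(s, ast.Name) and s.id in tainted)
        or (isinstance(s, ast.Call) and getattr(s.func, "id", None) in tainted_funcs)
        for s in ast.walk(node))

def analyze(func, tainted_funcs):
    # Follow assignments through one function body; record tainted sink calls.
    tainted, hits = set(), []
    for stmt in func.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if is_tainted(stmt.value, tainted, tainted_funcs):
                tainted.add(stmt.targets[0].id)       # alias carries the taint
        elif isinstance(stmt, ast.Return) and stmt.value is not None:
            if is_tainted(stmt.value, tainted, tainted_funcs):
                tainted_funcs.add(func.name)          # helper returns tainted data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if isinstance(call.func, ast.Attribute) and call.func.attr in SINKS \
                    and any(is_tainted(a, tainted, tainted_funcs) for a in call.args):
                hits.append((func.name, call.lineno))
    return hits

def trace_taint(source):
    # Data-flow tracing across helpers: repeat passes until every call chain settles.
    funcs = [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]
    tainted_funcs, findings = set(), []
    for _ in range(len(funcs) + 1):   # enough passes for any chain of helpers
        findings = [h for f in funcs for h in analyze(f, tainted_funcs)]
    return findings
```

Running both checks on SAMPLE, pattern_match returns nothing while trace_taint reports the os.system call in handler, because the taint travels through name, cmd, build's return value and command before reaching the sink.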

For developers using Claude Sonnet 4.6 or Opus 4.6 for daily coding, security scanning integrates directly into the same workflow.

Claude Code Security Availability

Claude Code Security is available as a limited research preview for:

  • Enterprise and Team customers on claude.ai
  • Open-source maintainers with expedited access

The goal is to give defenders the same AI capabilities that attackers already use, helping teams find and fix vulnerabilities faster than they accumulate.

Frequently Asked Questions

What is Claude Code Security?
Claude Code Security is an AI-powered vulnerability scanner built into Claude Code by Anthropic. Unlike traditional static analysis, which matches code against known patterns, it reads and reasons about code like a human security researcher, understanding component interactions and tracing data flow across an application. It found over 500 zero-day vulnerabilities in production open-source codebases during testing. It is available as a limited research preview for Enterprise and Team customers and for open-source maintainers.
How is Claude Code Security different from traditional static analysis?
Traditional static analysis tools check code against a database of known vulnerability patterns, catching issues like exposed passwords or outdated encryption. Claude Code Security goes further by reasoning about application-specific logic, tracing how data moves between components, and identifying context-dependent vulnerabilities like broken access control and business logic flaws. It uses a multi-stage verification process that re-examines its own findings to filter false positives before reporting.
How many vulnerabilities has Claude Code Security found?
Using Claude Opus 4.6, Anthropic's Frontier Red Team found over 500 vulnerabilities in production open-source codebases, including novel high-severity zero-day vulnerabilities that had been missed by both traditional tools and human code review. The team has been stress-testing these capabilities through competitive Capture-the-Flag events and partnerships with Pacific Northwest National Laboratory for critical infrastructure defense.
Who can access Claude Code Security?
Claude Code Security is available as a limited research preview for Enterprise and Team customers on claude.ai, with expedited access for maintainers of open-source repositories. It works with both Claude Opus 4.6 and Claude Sonnet 4.6. Anthropic has not announced general availability or pricing for the standalone security feature yet.
