Anthropic Launches Claude Code Security, 2 Weeks After Opus 4.6 Finds 500 Zero-Day Vulnerabilities

On Feb. 20, Anthropic unveiled Claude Code Security, a feature of Claude Code that can scan codebases for security vulnerabilities and suggest patches that humans can review.


Written by Jackie Leavitt (Editor at Large)

Reviewed by Aleksander Hougen (Chief Editor)


The Claude Code Security launch comes just two weeks after the company announced that its newest model was able to identify over 500 zero-day vulnerabilities in open-source libraries using its “out-of-the-box” functionality.

Cyber stocks took a massive hit following the announcement as investors considered a future where AI agents reduce the long-term value of existing security suites, like Cloudflare and SailPoint, and of software as a service (SaaS) in general.

In early February, Anthropic released Claude Opus 4.6, its newest model, and also announced the model’s ability to find high-severity vulnerabilities at scale. 

As detailed in a post from Anthropic, the Frontier Red team placed Opus 4.6, with its “out-of-the-box” capabilities, in a virtual machine with access to the latest versions of open-source projects. Without being given any specialized knowledge about how to find vulnerabilities, Claude found over 500 zero-day vulnerabilities, meaning previously unknown software security flaws that could be exploited by hackers.

Before reporting the bugs, human team members validated each one — to make sure Claude hadn’t hallucinated the vulnerabilities — and wrote patches by hand.

Opus 4.6’s approach to finding vulnerabilities diverged from the normal “fuzzing” approach, which throws massive amounts of different inputs at code to see if something breaks. 

Instead, “Opus 4.6 reads and reasons about code the way a human researcher would—looking at past fixes to find similar bugs that weren’t addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it,” according to Frontier Red’s post. 

Opus 4.6 found high-severity vulnerabilities even in well-tested codebases with years of fuzzing behind them, including some that had gone undetected for decades.

Logan Graham, head of Anthropic’s Frontier Red team, told Axios in early February that they were considering new AI-powered tools to hunt vulnerabilities. “The models are extremely good at this, and we expect them to get much better still… I wouldn’t be surprised if this was one of — or the main way — in which open-source software moving forward was secured.”

Considering how quickly Opus 4.6 went from research results to a live, integrated Claude Code Security tool, the pace of change for cybersecurity and software development is likely to be dramatic. For the cybersecurity industry, we now know AI can do this work and do it well; it is now just a matter of how quickly it will reshape who gets paid to do it, for both companies and individual employees.
