
I tried doing vulnerability scanning, detection, and remediation all in one go with Claude Security
Claude Security is a security service announced by Anthropic as a limited research preview in late February 2026. It provides end-to-end support from vulnerability detection → triage → code remediation, and has the following characteristics.
- Parallel scanning with understanding of context and data flow
- Multi-stage verification for low false-positive detection
- Seamless integration from reviewing findings to code remediation
It was released as a public beta for Claude Enterprise users on April 30, so here I share the results of a walkthrough on a GitHub repository using Opus 4.7.
Cybersecurity and AI
The application of generative AI to security is thriving.
Opus 4.6, released in early February 2026, discovered more than 500 vulnerabilities.
Claude Security (then called "Claude Code Security") was announced in late February.
In early April of the same year, Mythos was announced, with access granted only to a very select few on the grounds that making it publicly available would be too dangerous.
The Linux kernel vulnerability "Copy Fail" (CVE-2026-3143), reported at the end of April, was discovered by the AI-powered vulnerability detection tool xint.
As the timeline from vulnerability discovery to exploitation is getting shorter, Claude Security can be expected to serve as a tool for defenders.
Public Beta Availability
Claude Security is in public beta, but it is not available to all Claude users.
At this time, only users on the Claude Enterprise plan can use it.
Availability for Claude Team/Max users is also planned.
Scan Usage Scope
The support documentation clearly states the following regarding the scan usage scope.
Use Claude Security only to scan code that you or your company own and have all necessary rights to scan. Do not use Claude Security to scan code owned or controlled by third parties, including repositories not included in open source projects or your company's codebase(s).
Please confirm that scan targets are within the permitted usage scope.
For example, intentionally vulnerable projects like OWASP Juice Shop fall outside the permitted scan scope.
Enabling Claude Security
GitHub Integration
Install the GitHub App in your GitHub Organization and grant access to the target repositories.
Enabling Claude Security
Enable Claude Security from Products → Claude Code in the Claude admin panel.

Budget Adjustment
Claude Security incurs usage costs based on the scan scope, and it requires at least $600 in remaining budget at the time the scan starts.

This scan's reserved credits would exceed your remaining billing headroom.
Organization spend limit $xx.xx remaining · scan requires $600.00 reserved during execution
If you cap spend with an organization spend limit, temporarily raise it so that at least $600 remains available while the scan runs; the reservation is released when the scan finishes and only the actual usage is charged.
Running Detection
Claude Security is executed from the web interface.
Navigate to the Claude Security Screen
Select Security from the menu list on claude.ai, or access it via the following URL.
Select a Repository
From "Start a new scan," specify the target repository and settings.

- Repository: Target repository for scanning
- Branch: Target branch for scanning
- Scan scope: Defaults to the entire repository. Path specification is also possible (scan scope affects cost)
- Model: Only Claude Opus 4.7 is selectable
- Effort: Standard or Extended
Verification Codebase
As stated in the support documentation, Claude Security cannot be pointed at third-party OSS repositories that are not part of your own codebase.
Using Claude Code, I prepared the following simple vulnerable application in Flask.
Running the Scan
Start the scan from "Start scan."
To reiterate, at least $600 in remaining budget (credits) is required at the time the scan starts. If an error message is displayed, ask your administrator to adjust the budget.
Scans are executed in a job-based (asynchronous) manner, and for the single-file, few-hundred-line codebase I verified, it completed within 5 minutes.

Scans support not only on-demand execution but also scheduled execution.
Detection Results
When the scan is complete, a list of detected vulnerabilities (Findings) is displayed along with a summary. Because the analysis is LLM-driven, scan results are stochastic rather than deterministic: two scans of the same commit can return a somewhat different set of findings, so a finding that disappears on re-scan is not evidence that it was fixed.

Claude Security detects vulnerabilities across the following 8 categories, along with severity (High/Medium/Low).
- Injection (SQL, Command, Code, XSS)
- Injection (XXE, ReDoS)
- Path and Network (Path Traversal, SSRF, Open Redirect)
- Authentication and Access (Auth Bypass, Privilege Escalation, IDOR/BOLA, CSRF, Race)
- Memory Safety (Buffer/Integer Overflow, UAF, Unsafe Misuse)
- Cryptography (Timing Leaks, Algorithm Confusion, Weak Primitives)
- Deserialization (Arbitrary Type Instantiation)
- Protocol and Encoding (Cache Safety, Encoding Confusion, Length Prefix Trust)
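To make two of these categories concrete, here is an added example (my own constructed code, not the author's Flask application and not output from Claude Security): a vulnerable and a hardened version of an SQL lookup (Injection) and of a file read (Path Traversal), with a constructed in-memory SQLite table and a constructed temporary uploads directory so it runs offline. Assumed names: a users table with username and email columns, and a secret file one directory above the uploads directory.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def make_db():
    # Constructed sample data (assumption: a users table with username/email).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# --- Injection (SQL): the kind of handler a scanner flags as High ---
def lookup_email_vulnerable(conn, username):
    # Attacker-controlled input is spliced into the query text itself.
    rows = conn.execute(
        f"SELECT email FROM users WHERE username = '{username}'"
    ).fetchall()
    return [r[0] for r in rows]


def lookup_email_fixed(conn, username):
    # Parameterised query: the driver binds the value; it never becomes SQL.
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


# --- Path and Network (Path Traversal) ---
def read_upload_vulnerable(base_dir, name):
    # os.path.join does not stop "../" from walking out of base_dir,
    # and silently discards base_dir entirely if name is absolute.
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


def read_upload_fixed(base_dir, name):
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Compare canonical paths: the file must lie strictly inside base.
    # resolve() follows symlinks, so a link pointing outside is rejected too.
    if base not in target.parents:
        raise ValueError("path escapes upload directory")
    return target.read_bytes()


def demo():
    """Run both payloads against the vulnerable and fixed versions."""
    conn = make_db()
    payload = "' OR '1'='1"
    results = {
        # vulnerable: the tautology matches every row, all emails leak
        "sqli_vulnerable": lookup_email_vulnerable(conn, payload),
        # fixed: the payload is looked up as a literal username, no match
        "sqli_fixed": lookup_email_fixed(conn, payload),
    }
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "report.txt").write_bytes(b"public")
        (Path(tmp) / "secret.txt").write_bytes(b"SECRET")  # outside uploads
        results["traversal_vulnerable"] = read_upload_vulnerable(
            str(uploads), "../secret.txt"
        )
        try:
            read_upload_fixed(str(uploads), "../secret.txt")
            results["traversal_fixed"] = "escaped"
        except ValueError:
            results["traversal_fixed"] = "blocked"
        # the hardened version still serves legitimate files
        results["traversal_ok"] = read_upload_fixed(str(uploads), "report.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The fixed path check deliberately requires base to be a proper parent of the resolved target rather than testing a string prefix, since a prefix test would accept a sibling directory such as uploads_old. When you triage a Path Traversal finding, confirm that the proposed fix canonicalises with resolve() (or os.path.realpath) before comparing; a fix that only strips ".." from the string is a common false "Fixed".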
The list of findings can be exported in CSV or Markdown format.
Triage & Remediation
Review each finding in detail and triage them.

Clicking "Create fix" integrates with Claude Code to apply the fix and push it to the repository.

After the fix is complete, create a pull request from "Create PR."

Once the PR is merged and the response is complete, the Status on the Claude Security side becomes "Fixed".

Cost
Claude Security costs are incurred based on the scan scope and the number of scans.
In this verification, I was able to confirm consumption of $7.50 in credits immediately after the scan was executed.
On the billing page in the admin panel, you can check Claude Security usage costs in parallel with Claude Code Review in the service list.

Since Claude Security allows you to control the scan scope, it is advisable to adjust the scope while checking the codebase and cost estimates.
Closing Thoughts
In the early preview of Claude Security, the following learnings were shared.
- Quality of detection matters: Perform reliable detection that gives teams actionable findings
- Short path from scan to fix: No days of communication between security teams and engineering teams; end-to-end from scan to fix
- Not just one-shot, but continuous scanning
Claude Security, now released as a public beta, incorporates these learnings, seamlessly connecting Opus's vulnerability detection capabilities with Claude Code's coding capabilities, bringing together a full set of features sufficient for security operations.
While Mythos is only available to a very limited number of organizations worldwide, Claude Security is now available to all Claude Enterprise users.
As the application of generative AI to security spreads rapidly, why not give it a try on your own repositories?
