Anthropic pointed its most superior AI mannequin, Claude Opus 4.6, at manufacturing open-source codebases and located a plethora of safety holes: greater than 500 high-severity vulnerabilities that had survived many years of knowledgeable evaluate and tens of millions of hours of fuzzing, with every candidate vetted by way of inner and exterior safety evaluate earlier than disclosure.
Fifteen days later, the corporate productized the potential and launched Claude Code Safety.
Safety administrators accountable for seven-figure vulnerability administration stacks ought to anticipate a typical query from their boards within the subsequent evaluate cycle. VentureBeat anticipates the emails and conversations will begin with, “How will we add reasoning-based scanning earlier than attackers get there first?”, as a result of as Anthropic’s evaluate discovered, merely pointing an AI mannequin at uncovered code could be sufficient to establish — and within the case of malicious actors, exploit — safety lapses in manufacturing code.
The reply issues greater than the quantity, and it’s primarily structural: how your tooling and processes allocate work between pattern-based scanners and reasoning-based evaluation. CodeQL and the instruments constructed on it match code in opposition to identified patterns.
Claude Code Safety, which Anthropic launched February 20 as a restricted analysis preview, causes about code the best way a human safety researcher would. It follows how information strikes by way of an software and catches flaws in enterprise logic and entry management that no rule set covers.
The board dialog safety leaders have to have this week
5 hundred newly found zero-days is much less a scare statistic than a standing funds justification for rethinking the way you fund code safety.
The reasoning functionality Claude Code Safety represents, and its inevitable opponents, have to drive the procurement dialog. Static software safety testing (SAST) catches identified vulnerability lessons. Reasoning-based scanners discover what pattern-matching was by no means designed to detect. Each have a task.
Anthropic revealed the zero-day analysis on February 5. Fifteen days later, they shipped the product. Whereas it is the identical mannequin and capabilities, it’s now out there to Enterprise and Group prospects.
What Claude does that CodeQL could not
GitHub has provided CodeQL-based scanning by way of Superior Safety for years, and added Copilot Autofix in August 2024 to generate LLM-suggested fixes for alerts. Safety groups depend on it. However the detection boundary is the CodeQL rule set, and the whole lot outdoors that boundary stays invisible.
Claude Code Safety extends that boundary by producing and testing its personal hypotheses about how information and management movement by way of an software, together with instances the place no current rule set describes. CodeQL solves the issue it was constructed to unravel: data-flow evaluation inside predefined queries. It tells you whether or not tainted enter reaches a harmful operate.
CodeQL will not be designed to autonomously learn a mission’s commit historical past, infer an incomplete patch, hint that logic into one other file, after which assemble a working proof-of-concept exploit finish to finish. Claude did precisely that on GhostScript, OpenSC, and CGIF, every time utilizing a distinct reasoning technique.
“The actual shift is from pattern-matching to speculation era,” stated Merritt Baer, CSO at Enkrypt AI, advisor to Andesite and AppOmni, and former Deputy CISO at AWS, in an unique interview with VentureBeat. “That is a step-function improve in discovery energy, and it calls for equally sturdy human and technical controls.”
Three proof factors from Anthropic’s revealed methodology present the place pattern-matching ends and speculation era begins.
Commit historical past evaluation throughout information. GhostScript is a extensively deployed utility for processing PostScript and PDF information. Fuzzing turned up nothing, and neither did handbook evaluation. Then Claude pulled the Git commit historical past, discovered a patch that added stack bounds checking for font dealing with in gstype1.c, and reversed the logic: if the repair was wanted there, each different name to that operate with out the repair was nonetheless weak. In gdevpsfx.c, a very totally different file, the decision to the identical operate lacked the bounds checking patched elsewhere. Claude constructed a working proof-of-concept crash. No CodeQL rule describes that bug at the moment. The maintainers have since patched it.
Reasoning about preconditions that fuzzers cannot attain. OpenSC processes good card information. Commonplace approaches failed right here, too, so Claude searched the repository for operate calls which are incessantly weak and located a location the place a number of strcat operations ran in succession with out size checking on the output buffer. Fuzzers hardly ever reached that code path as a result of too many preconditions stood in the best way. Claude reasoned about which code fragments seemed fascinating, constructed a buffer overflow, and proved the vulnerability.
Algorithm-level edge instances that no protection metric catches. CGIF is a library for processing GIF information. This vulnerability required understanding how LZW compression builds a dictionary of tokens. CGIF assumed compressed output would all the time be smaller than uncompressed enter, which is sort of all the time true. Claude acknowledged that if the LZW dictionary stuffed up and triggered resets, the compressed output may exceed the uncompressed dimension, overflowing the buffer. Even 100% department protection would not catch this. The flaw calls for a selected sequence of operations that workout routines an edge case within the compression algorithm itself. Random enter era nearly by no means produces it. Claude did.
Baer sees one thing broader in that development. “The problem with reasoning is not accuracy, it is company,” she advised VentureBeat. “As soon as a system can kind hypotheses and pursue them, you have shifted from a lookup device to one thing that may discover your atmosphere in methods which are tougher to foretell and constrain.”
How Anthropic validated 500+ findings
Anthropic positioned Claude inside a sandboxed digital machine with customary utilities and vulnerability evaluation instruments. The pink crew did not present any specialised directions, customized harnesses, or task-specific prompting. Simply the mannequin and the code.
The pink crew centered on reminiscence corruption vulnerabilities as a result of they’re the simplest to verify objectively. Crash monitoring and tackle sanitizers do not go away room for debate. Claude filtered its personal output, deduplicating and reprioritizing earlier than human researchers touched something. When the confirmed depend stored climbing, Anthropic introduced in exterior safety professionals to validate findings and write patches.
Each goal was an open-source mission underpinning enterprise methods and important infrastructure. Small groups preserve lots of them, staffed by volunteers, not safety professionals. When a vulnerability sits in one in every of these tasks for a decade, each product that pulls from it inherits the chance.
Anthropic did not begin with the product launch. The defensive analysis spans greater than a yr. The corporate entered Claude in aggressive Seize-the-Flag occasions the place it ranked within the prime 3% of PicoCTF globally, solved 19 of 20 challenges within the HackTheBox AI vs Human CTF, and positioned sixth out of 9 groups defending stay networks in opposition to human pink crew assaults at Western Regional CCDC.
Anthropic additionally partnered with Pacific Northwest Nationwide Laboratory to check Claude in opposition to a simulated water therapy plant. PNNL’s researchers estimated that the mannequin accomplished adversary emulation in three hours. The normal course of takes a number of weeks.
The twin-use query safety leaders cannot keep away from
The identical reasoning that finds a vulnerability may help an attacker exploit one. Frontier Purple Group chief Logan Graham acknowledged this on to Fortune’s Sharon Goldman. He advised Fortune the fashions can now discover codebases autonomously and observe investigative leads sooner than a junior safety researcher.
Gabby Curtis, Anthropic’s communications lead, advised VentureBeat in an unique interview the corporate constructed Claude Code Safety to make defensive capabilities extra extensively out there, “tipping the scales in the direction of defenders.” She was equally direct in regards to the pressure: “The identical reasoning that helps Claude discover and repair a vulnerability may assist an attacker exploit it, so we’re being deliberate about how we launch this.”
In interviews with greater than 40 CISOs throughout industries, VentureBeat discovered that formal governance frameworks for reasoning-based scanning instruments are the exception, not the norm. The commonest responses are that the realm was thought-about so nascent that many CISOs did not assume this functionality would arrive so early in 2026.
The query each safety director has to reply earlier than deploying this: if I give my crew a device that finds zero-days by way of reasoning, have I unintentionally expanded my inner risk floor?
“You did not weaponize your inner floor, you revealed it,” Baer advised VentureBeat. “These instruments could be useful, however additionally they might floor latent danger sooner and extra scalably. The identical device that finds zero-days for protection can expose gaps in your risk mannequin. Remember the fact that most intrusions do not come from zero-days, they arrive from misconfigurations.”
“Along with the entry and assault path danger, there’s IP danger,” she stated. “Not simply exfiltration, however transformation. Reasoning fashions can internalize and re-express proprietary insights in ways in which blur the road between use and leakage.”
The discharge is intentionally constrained. Enterprise and Group prospects solely, by way of a restricted analysis preview. Open-source maintainers apply totally free expedited entry. Findings undergo multi-stage self-verification earlier than reaching an analyst, with severity rankings and confidence scores connected. Each patch requires human approval.
Anthropic additionally constructed detection into the mannequin itself. In a weblog publish detailing the safeguards, the corporate described deploying probes that measure activations inside the mannequin because it generates responses, with new cyber-specific probes designed to trace potential misuse. On the enforcement aspect, Anthropic is increasing its response capabilities to incorporate real-time intervention, together with blocking visitors it detects as malicious.
Graham was direct with Axios: the fashions are extraordinarily good at discovering vulnerabilities, and he expects them to get a lot better nonetheless. VentureBeat requested Anthropic for the false-positive fee earlier than and after self-verification, the variety of disclosed vulnerabilities with patches landed versus nonetheless in triage, and the precise safeguards that distinguish attacker use from defender use. The lead researcher on the 500-vulnerability mission was unavailable, and the corporate declined to share particular attacker-detection mechanisms to keep away from tipping off risk actors.
“Offense and protection are converging in functionality,” Baer stated. “The differentiator is oversight. If you cannot audit and certain how the device is used, you have created one other danger.”
That pace benefit does not favor defenders by default. It favors whoever adopts it first. Safety administrators who transfer early set the phrases.
Anthropic is not alone. The sample is repeating.
Safety researcher Sean Heelan used OpenAI’s o3 mannequin with no customized tooling and no agentic framework to find CVE-2025-37899, a beforehand unknown use-after-free vulnerability within the Linux kernel’s SMB implementation. The mannequin analyzed over 12,000 traces of code and recognized a race situation that conventional static evaluation instruments persistently missed as a result of detecting it requires understanding concurrent thread interactions throughout connections.
Individually, AI safety startup AISLE found all 12 zero-day vulnerabilities introduced in OpenSSL’s January 2026 safety patch, together with a uncommon high-severity discovering (CVE-2025-15467, a stack buffer overflow in CMS message parsing that’s doubtlessly remotely exploitable with out legitimate key materials). AISLE co-founder and chief scientist Stanislav Fort reported that his crew’s AI system accounted for 13 of the 14 complete OpenSSL CVEs assigned in 2025. OpenSSL is among the many most scrutinized cryptographic libraries on the planet. Fuzzers have run in opposition to it for years. The AI discovered what they weren’t designed to seek out.
The window is already open
These 500 vulnerabilities stay in open-source tasks that enterprise functions depend upon. Anthropic is disclosing and patching, however the window between discovery and adoption of these patches is the place attackers function at the moment.
The identical mannequin enhancements behind Claude Code Safety can be found to anybody with API entry.
In case your crew is evaluating these capabilities, the restricted analysis preview is the best place to begin, with clearly outlined information dealing with guidelines, audit logging, and success standards agreed up entrance.