Code security used to be its own discipline — its own vendors, own tooling, own budget line. The 2024-2025 trend was AI-assisted: tools like Snyk, Semgrep, and GitHub Advanced Security all bolted LLM-generated explanations and patches onto their existing engines. Last week, Anthropic flipped that model. They shipped a tool where the LLM is the engine, with traditional AST analysis as a supporting layer[1].
A week in production later, here is what I have seen.
## How Claude Security actually works
The pitch is straightforward[1][2]:
- Connect Claude Security to your repo (GitHub, GitLab, Bitbucket).
- On every PR (or on demand), Claude Opus 4.7 reviews the diff plus relevant context from the codebase.
- Findings are surfaced as Claude-written explanations: "this query is vulnerable to SQL injection because user input flows into the query string without parameterisation — see users.ts:42 for the source".
- Each finding comes with a proposed patch you can apply with one click.
Behind the scenes, Claude Security is not just an LLM in a trench coat. There is real AST analysis to identify candidate vulnerabilities, real taint-tracking to determine which ones are actually reachable, and real test-suite probing to validate findings. The LLM's job is triage, explanation, and patch generation.
This is the architecture that GitHub Advanced Security and Snyk are evolving toward. Anthropic shipped it as the native design.
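The source-to-sink finding quoted above, as an added TypeScript illustration that is neither Claude Security's code nor part of the original post: the vulnerable lookup beside its parameterised fix, plus a crude literal-count check a reviewer can apply to a rendered query. The `users` table, its column names and the `{text, values}` query shape are assumptions.

```typescript
// Added illustration: the SQL-injection pattern a taint-tracking finding
// describes (tainted source flowing into a query-string sink) next to the
// parameterised fix. The {text, values} shape mimics what node-postgres-style
// drivers accept, so nothing here needs a live database (assumed schema).

interface SqlQuery {
  text: string;     // SQL handed to the driver
  values: string[]; // bound parameters, never spliced into text
}

// Vulnerable: the request parameter is interpolated straight into the SQL.
// A finding would mark this template literal as the sink.
function findUserVulnerable(username: string): SqlQuery {
  return { text: `SELECT id, email FROM users WHERE name = '${username}'`, values: [] };
}

// Hardened: same lookup with a placeholder; the input travels as a bound
// value, so the driver never parses it as SQL.
function findUserParameterised(username: string): SqlQuery {
  return { text: "SELECT id, email FROM users WHERE name = $1", values: [username] };
}

// Crude structural check: count quote-delimited string literals in the SQL
// text. With parameterisation the count is fixed by the code, not the input.
function countStringLiterals(sql: string): number {
  return (sql.match(/'(?:[^']|'')*'/g) ?? []).length;
}

// Constructed sample input containing a quote and a tautology. In the
// vulnerable version it rewrites the query's structure; in the hardened one
// it is just data.
const SAMPLE_INPUT = "alice' OR '1'='1";

function demo(): { vulnerableLiterals: number; parameterisedLiterals: number } {
  return {
    vulnerableLiterals: countStringLiterals(findUserVulnerable(SAMPLE_INPUT).text),
    parameterisedLiterals: countStringLiterals(findUserParameterised(SAMPLE_INPUT).text),
  };
}
```

The vulnerable query ends up with three string literals where the code wrote one, which is exactly the structural change the finding's "source flows into the query string without parameterisation" sentence is warning about.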
## How it compares to existing SAST tools
| Tool | Approach | AI-assisted fix? | Languages | Pricing model |
|---|---|---|---|---|
| Claude Security beta | LLM + AST hybrid | ✅ inline patches | TS, Python, Go, Rust | Bundled Enterprise |
| Snyk | Pattern + reachability | ✅ DeepCode AI | ~30 languages | Per-developer |
| Semgrep | Rule-based | ⚠️ via Pro tier | ~25 languages | Per-developer / free OSS |
| GitHub Advanced Security | CodeQL + Copilot Autofix | ✅ Copilot fixes | ~12 languages | GitHub seat |
Three meaningful differences:
- Patch quality. Claude-generated patches are noticeably better written than Copilot Autofix or Snyk DeepCode patches. Not because the model is smarter — because Claude Security has tighter coupling between the finding context and the patch generation. Patches actually fit the surrounding code style.
- Explanation depth. Findings come with full reasoning. "Here is the source. Here is the sink. Here is the flow. Here is why this is exploitable." Most SAST tools surface a CWE number and a code snippet; Claude Security surfaces a paragraph.
- Triage cost. This is the biggest practical difference. Most SAST tools surface 50-200 findings per repo and rely on developers to triage. Claude Security typically surfaces 10-30, all with reasoning that lets you assess validity in seconds. False-positive rate (anecdotal) is roughly 15%, vs ~40% for rule-based tools.
## Where Claude Security loses
Three real gaps:
- Language coverage. Claude Security supports TypeScript, JavaScript, Python, Go, Rust, Ruby, Java, C#. That is most of what most teams use. But Snyk covers ~30 languages including all the legacy ones (COBOL, Perl, Visual Basic, etc.). If you have a polyglot codebase with old languages, Claude Security has gaps.
- Compliance reporting. Existing SAST vendors have built ten years of compliance-reporting infrastructure (SOC 2, PCI-DSS, HIPAA, etc.). Claude Security is at v1. The compliance reports are present but bare-bones.
- Pricing model. Bundled with Claude Enterprise, which is per-seat. For shops not already on Enterprise, the cost of adopting Claude Security is "buy Claude Enterprise". That is a significant jump from a Semgrep Pro seat or a Snyk Team plan.
## Where this lands strategically
The vulnerability-scanning market is worth roughly $5 billion globally in 2026 and growing 25% year-on-year. Anthropic does not need to dominate it to make Claude Security worthwhile — they need to make it a credible attach-rate product for Claude Enterprise. That is exactly what they have shipped.
The medium-term implication: every existing SAST vendor now needs to compete on the patch-generation dimension specifically, not just on finding count. Snyk has DeepCode AI; GitHub has Copilot Autofix; Semgrep has Code Mods. None of them are as good as what Claude Security has shipped today. They will close the gap, but Claude Security has the advantage of a 4.7-level model in the loop natively.
For end users, the right read is: this is now a usable alternative to a dedicated SAST vendor, especially if you are already on Claude Enterprise. It is not yet the right choice if you have complex compliance requirements or non-mainstream languages. By end of 2026, both gaps will likely close.
## What I would do
Three scenarios:
- You are already on Claude Enterprise and have no SAST tool. Use Claude Security. It is free with what you are already paying for, and it is good.
- You are on Claude Enterprise + an existing SAST tool. Pilot Claude Security alongside for 90 days. Compare findings. Most teams will find Claude Security catches the high-value bugs and the existing tool catches the long-tail ones — keep both, but cut the existing tool back to passive monitoring.
- You are not on Claude Enterprise. Stay on what you have. Adopting Claude Enterprise just for the security feature does not make economic sense unless you also want the Enterprise tier for other reasons.
## The verdict
Claude Security is a strong v1 that demonstrates what AI-native security tooling looks like when you build the AI in, not bolt it on. It is not yet a category killer — language coverage and compliance reporting are real gaps — but it is the most interesting move in vulnerability scanning since CodeQL.
If you build on Claude already, try it this week.