← All episodes
Special · News ·9 min ·May 1, 2026

AI Just Started Patching Your Code. A Cybersecurity Veteran Reacts.

Anthropic's Claude Security entered public beta this week — codebase scanning, adversarial self-validation, and patch proposals in one workflow. What it changes for defenders, and what attackers got at the same time.

The Promise

  • Adversarial self-validation cuts false-positive fatigue — the AI scans, then attacks its own findings before reporting
  • Multi-file reasoning catches cross-file vulnerabilities that traditional SAST tools miss
  • Scan → validate → propose patch in one workflow, end to end
PROMISE RISK
Balanced

The Risk

  • Same capability shipped to attackers simultaneously — net effect depends on defender adoption speed
  • Risk of false confidence in AI-validated findings without governance review
  • Most boards haven't yet evaluated AI security tools — accountability gap until they do

Why this matters

Anthropic shipped something this week that I have been waiting 25 years to see. Claude Security went into public beta. It scans your codebase, validates findings against itself in an adversarial pass, and proposes the patch — all in one workflow.

Three things make this different from the SAST era. Adversarial validation addresses the false-positive fatigue that broke the first generation of code scanners. Multi-file reasoning catches the cross-file vulnerabilities single-file scanners always missed. And the scan-validate-patch loop closes inside one tool rather than across three.

Defenders and attackers got the same capability simultaneously. Whether the net effect is good or bad depends on adoption speed — and on whether boards are asking the governance question yet.