AI Just Started Patching Your Code. A Cybersecurity Veteran Reacts.
Anthropic's Claude Security entered public beta this week — codebase scanning, adversarial self-validation, and patch proposals in one workflow. What it changes for defenders, and what attackers got at the same time.
The Promise
- Adversarial self-validation cuts false-positive fatigue — the AI scans, then attacks its own findings before reporting
- Multi-file reasoning catches cross-file vulnerabilities that traditional SAST tools miss
- Scan → validate → propose patch in one workflow, end to end
The Risk
- Same capability shipped to attackers simultaneously — net effect depends on defender adoption speed
- Risk of false confidence in AI-validated findings without governance review
- Most boards haven't yet evaluated AI security tools — accountability gap until they do
Why this matters
Anthropic shipped something this week that I have been waiting 25 years to see. Claude Security went into public beta. It scans your codebase, validates findings against itself in an adversarial pass, and proposes the patch — all in one workflow.
Three things make this different from the SAST era. Adversarial validation addresses the false-positive fatigue that broke the first generation of code scanners. Multi-file reasoning catches the cross-file vulnerabilities single-file scanners always missed. And the scan-validate-patch loop closes inside one tool rather than across three.
Defenders and attackers got the same capability simultaneously. Whether the net effect is good or bad depends on adoption speed — and on whether boards are asking the governance question yet.