Can Anthropic’s AI Scanner Replace Enterprise Security Tools?

Anthropic's Claude Code Security shows AI’s potential in finding vulnerabilities, but questions remain on replacing full enterprise security platforms

Anthropic has launched Claude Code Security, an AI-powered vulnerability scanning and patching tool designed to support cybersecurity defenders.

The announcement triggered significant market reactions, with the Global X Cybersecurity ETF falling 4.9% to its lowest closing point since 2023.

Major cybersecurity firms experienced notable declines, with CrowdStrike dropping 8%, Cloudflare falling 8.1%, and SailPoint and Okta declining 9.4% and 9.2%, respectively. Zscaler also tumbled 5.5% following the announcement.


The development could represent a significant shift in how organisations approach code security. Dario Amodei, Anthropic Chief Executive Officer, suggested at Davos that AI models might handle most or all software engineering tasks within six to 12 months, a prediction that appears to be materialising with Claude Code Security's capabilities.

Understanding Claude Code Security

Anthropic identified that society had reached "an inflection point for AI's impact on cybersecurity" towards the end of 2025. This assessment followed demonstrations where Claude models outperformed human teams in cybersecurity competitions, successfully identified and fixed cyber flaws within Claude's own code base and recreated cyberattacks for testing purposes.


Claude's Red Team has collaborated with the Pacific Northwest National Laboratory to stress test the system, experimenting with AI tools that could defend national critical infrastructure. The technology has now progressed to a full security feature available in research preview.

Operating with the Claude Opus 4.6 model, Claude Code Security identified over 500 vulnerabilities in open-source code during testing, including issues that had remained undetected for decades.

According to Anthropic's announcement, this demonstrates the potential value the tool could bring to defence teams. The company expects that a significant portion of global code will be scanned by AI in the near future, given the effectiveness models have shown in finding long-hidden bugs and vulnerabilities.


How the technology works

Traditional static analysis relies on automated, rule-based security testing that matches code against known vulnerabilities. Claude Code Security moves beyond this approach by simulating the reasoning of human security researchers. The system analyses how components interact, traces data movements and identifies complex vulnerabilities dynamically.

Once errors are detected, Claude verifies and rates them by importance before presenting findings to security teams. This prioritisation allows teams to address vulnerabilities in order of their severity. Security teams interact with Claude's findings through a dashboard that displays errors, their importance ratings and suggested patches.

However, the final decision on whether to implement Claude's suggested fixes or develop alternative solutions remains with senior engineers.


The question of replacement

Following the market reaction to Claude Code Security's announcement, George Kurtz, CrowdStrike's founder and CEO, posted on LinkedIn an interaction with Claude where he prompted it to build a tool to replace CrowdStrike.

The model declined, stating that CrowdStrike's threat hunting tools, developed over a decade, represent infrastructure products that cannot be replicated with a script.


When specifically asked whether Claude Code Security could serve as a CrowdStrike replacement, the model responded that it functions as a code vulnerability scanner and patcher, competing more directly with static analysis tools like Snyk, Checkmarx or Veracode rather than with CrowdStrike.

According to Claude's analysis, while Claude Code Security identifies bugs before code shipment at the development stage, CrowdStrike responds to real-time threats that emerge after deployment. As Claude described it, they operate at completely different points in the security lifecycle.

“AI innovation is inspiring. But let's stay grounded in reality: an AI capability that scans code does not replace the Falcon platform – or your security programme,” says George.

“Security requires an independent, battle-tested platform built to stop breaches.

“AI is powerful. It's transformative. And it absolutely makes security better.

“But AI doesn't eliminate the need for security. It increases it.

“If you want to build AI, you need GPUs. If you want to deploy AI, you need security. That's not a hallucination – it's a fact.”
