Can Claude Code Security Combat AI-Enabled Cyber Attacks?

Anthropic is betting on AI for cyber defence.

The AI colossal, Anthropic has expanded its AI capabilities with the launch of Claude Code Security, a new feature now available in research preview, that demonstrates how AI models are evolving beyond traditional language tasks into specialised technical applications.

The announcement triggered notable market movements, with the Global X Cybersecurity ETF falling 4.9% to its lowest closing position since 2023.

Several cybersecurity firms experienced share price declines. CrowdStrike dropped 8%, Cloudflare fell 8.1%, SailPoint declined 9.4% and Okta fell 9.2%. Zscaler also saw a 5.5% decrease following the news.

Dario Amodei, Anthropic CEO, said at Davos in January 2026 that the industry could be “six to twelve months away from when the model is doing most, maybe all of what software engineers do end-to-end”. Claude Code Security could represent a step towards this prediction.

AI for cyber defence using Claude Code Security 

Anthropic's team indicated towards the end of 2025 that society had reached “an inflection point for AI's impact on cybersecurity”.

This assessment followed demonstrations where Claude models showed competitive performance against human teams in cybersecurity competitions, identified security flaws within Claude's own codebase and replicated one of the most prolific cyberattacks.

Claude's Red Team has worked alongside the Pacific Northwest National Laboratory to test the model's potential applications in defending national critical infrastructure.

When used with Claude Opus 4.6 model, Claude Code Security identified more than 500 vulnerabilities in open-source code repositories, including some that had persisted undetected for decades.

This suggests potential value for development teams working to identify security issues earlier in the software lifecycle.

“We expect that a significant share of the world's code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and vulnerabilities,” according to Anthropic's announcement.

“Claude Code Security is one step towards our goal of more secure codebases and a higher security baseline across the industry.”

Traditional static analysis relies on automated, rule-based security testing that matches code against databases of known vulnerabilities.

Claude Code Security aims to extend beyond this approach by analysing how software components interact, tracking data flows and identifying complex vulnerability patterns.

The system then verifies identified issues and assigns priority ratings before presenting findings to security teams, who can address vulnerabilities according to their assessed importance.

Teams can review Claude's findings through a dashboard that displays detected errors, priority rankings and suggested remediation approaches.

The final decision on implementing fixes remains with human developers, allowing senior engineers to evaluate whether to apply Claude's suggested patches or develop alternative solutions.

Market positioning and industry response

Following the market reaction to Claude Code Security's announcement, George Kurtz, CrowdStrike Founder and CEO, shared a LinkedIn post featuring an interaction with Claude where he asked the model to build a tool to replace CrowdStrike.

The model declined, noting that CrowdStrike's threat hunting capabilities, developed over more than a decade is “not something you can replicate with a script – it's an infrastructure product.”

When asked specifically about competing with CrowdStrike, Claude's output stated: “Claude Code Security is a code vulnerability scanner and patcher. It competes more directly with static analysis tools (like Snyk, Checkmarx, or Veracode) than with CrowdStrike.”

The distinction lies in operational timing. While Claude Code Security identifies potential bugs during the development phase before code deployment, CrowdStrike addresses active threats that emerge after systems are operational.

As Claude characterised it: “They sit at completely different points in the security lifecycle.”

George says: “AI innovation is inspiring. But let's stay grounded in reality: an AI capability that scans code does not replace the Falcon platform – or your security programme.

“Security requires an independent, battle-tested platform built to stop breaches.

“AI is powerful. It's transformative. And it absolutely makes security better.

“But AI doesn't eliminate the need for security. It increases it.

“If you want to build AI, you need GPUs. If you want to deploy AI, you need security. That's not a hallucination – it's a fact.”