Claude Security Public Beta: Complete Guide to AI-Powered Vulnerability Scanning (2026)

On April 30, 2026, Anthropic moved Claude Security from private research preview to public beta for all Claude Enterprise customers — and the reception from security engineers has been immediate. Since its February 2026 preview launch, hundreds of organizations have used it to discover and remediate vulnerabilities that traditional automated scanners had missed for years. The public beta brings five new capabilities: scheduled scans for continuous monitoring, directory-level targeting for large codebases, structured triage tracking with documented dismissal reasons, CSV and Markdown export for compliance reporting, and webhook integrations with Slack and Jira. This guide covers exactly what Claude Security is, how it reasons about code, who has access today, how it stacks up against conventional SAST and DAST tooling, and what it means for engineering and security teams that take application security seriously.

What Is Claude Security?

Claude Security is Anthropic’s AI-powered code vulnerability scanner, built on Claude Opus 4.7. It scans codebases to find and fix software vulnerabilities by reasoning about code the way a skilled human security researcher would — reading raw source code, understanding how components interact across files and modules, tracing data flows through the application, and identifying where those flows could be exploited.

The product grew from Anthropic’s Claude Code platform, which already integrates deeply with development workflows. Because Claude Security is built directly on top of that same infrastructure, organizations already using Claude for development can start scanning without new API integrations or custom agent builds. There is no SDK to install, no webhook to configure for basic access, and no separate authentication layer to manage. If your organization has a Claude Enterprise subscription, Claude Security is available in your console today.

This is not Anthropic’s first move into security tooling. In early 2026, Claude Mythos and Project Glasswing demonstrated the model’s capability to reason about zero-day vulnerabilities. Claude Security is the productized, operational version of that research — designed for continuous use in engineering organizations rather than one-off security research exercises.

How Claude Security Works: Reasoning Over Code

The architectural difference between Claude Security and conventional scanning tools is the distinction between pattern matching and reasoning — and that distinction determines which vulnerabilities each approach finds.

Traditional SAST (static application security testing) tools work by analyzing code against a database of known vulnerability signatures. They are highly effective at catching predictable, well-characterized vulnerabilities: SQL injection in obvious parameter concatenations, XSS in unescaped output statements, hardcoded credentials in configuration files. They struggle with context-dependent vulnerabilities — cases where code is only exploitable because of how it interacts with a specific combination of other modules, configurations, or data flows that the scanner cannot follow across file boundaries.

Claude Security approaches the problem the way a senior security engineer would during a manual code review. It reads the entire source code of the repository, builds a model of how the application works, identifies the attack surface, and then reasons about what could go wrong given the specific architecture. Anthropic’s documentation describes it as a system that “reasons about code much like a security researcher — seeking to understand how components interact across files and modules, tracing data flows, and reading raw source code.”

When Claude Security finds a vulnerability, it produces a structured report that includes:

• A confidence assessment (low / medium / high) for whether the finding is a real vulnerability or a false positive
• A severity rating with estimated impact
• A complete reproduction path: the exact sequence of inputs and conditions an attacker would use to trigger the vulnerability
• Targeted patch instructions with specific code changes to remediate the issue

That last element — generated remediation guidance — is what makes Claude Security practically useful beyond analysis. Security scanners that only report findings create work for the team that receives them. A system that finds the vulnerability, explains it clearly, and provides targeted fix instructions compresses the remediation cycle from days to hours for well-characterized issues.

Public Beta Features in Detail

The April 30 public beta launch expands significantly on the February research preview. Here is what is new and what it means in practice.

Scheduled and Targeted Scans

Claude Security can now run on a defined schedule — nightly, after a CI/CD pipeline event, or on a custom cadence — rather than requiring manual triggering. More importantly, directory-level scanning lets teams target specific repositories, modules, or high-risk directories rather than scanning the full codebase on every run. For large monorepos where a comprehensive scan takes hours, directory-level targeting is the feature that makes continuous security monitoring operationally viable rather than aspirational.

Triage Tracking and Audit Trail

The public beta introduces structured triage workflows. Security teams can accept findings, dismiss them with documented reasons, assign them to owners, and track remediation status through a unified dashboard. Every dismissal captures a reason and timestamp, creating an audit trail that satisfies SOC 2, ISO 27001, and similar compliance requirements. This is the feature that transforms Claude Security from an interesting research tool into one that security teams can actually deploy within a formal security program. The February preview could find vulnerabilities. The public beta can manage them through their lifecycle.

Export and Reporting

Findings export in CSV and Markdown formats for integration with existing security reporting and compliance systems. For teams that maintain security posture documentation for auditors or executive stakeholders, having Claude Security output structured, human-readable reports eliminates the manual translation work that makes scanner output painful to present to non-technical audiences.

Webhook Integrations

Real-time alerts via Slack and Jira webhook integrations surface critical findings in the channels where engineering and security teams already work. A newly discovered high-severity vulnerability can trigger an immediate Jira ticket assigned to the relevant team without anyone manually checking the Claude Security dashboard. For security teams that operate on-call rotations, this is the difference between finding out about a critical issue at the next daily standup and finding out within minutes of the scan completing.

Access and Availability

As of the April 30, 2026 public beta launch, Claude Security is available to all Claude Enterprise customers. No additional API integration is required. Access for Claude Team and Max customers is on Anthropic’s roadmap, with no specific public timeline announced as of this writing.

For organizations not yet on Claude Enterprise, Anthropic’s enterprise sales team manages onboarding. Given the product’s track record — finding vulnerabilities in production codebases that existing tools had missed for years — the security ROI case is straightforward for any organization with meaningful application security requirements. The question to ask your security team: what is the cost of a critical vulnerability that a pattern-matching scanner missed but a reasoning-based system would catch?

Claude Security vs. Traditional SAST and DAST Tools

The honest comparison acknowledges both where Claude Security outperforms conventional tools and where its limitations are real. Security teams considering adding it to an existing program should understand the precise tradeoffs.

Where Claude Security wins: Context-dependent vulnerabilities that cross file and module boundaries. Business logic flaws that require understanding the application’s intent, not just its syntax. Authorization and access control issues that only become visible when you understand the full request lifecycle. Novel vulnerability patterns that were not in the signature database of older scanners. The ability to generate concrete remediation guidance rather than just a CVE reference number that a developer then has to interpret and apply.

Where conventional SAST tools win: Scan speed on large codebases for known vulnerability classes. No per-scan cost tied to model inference. Deterministic output — running the same scan twice produces identical results. Regulatory compliance certifications that some enterprise procurement processes require of security tooling vendors. Deep integration with legacy GRC platforms and ticketing systems that predate webhook APIs.

Where DAST tools still fill a gap: Dynamic application security testing by definition tests running applications under real conditions. Claude Security is a static analysis tool — it reads source code, not running process behavior. DAST finds vulnerabilities that only manifest at runtime: race conditions under concurrent load, authentication issues that depend on session state, and timing attacks that require observing actual response times. These are outside Claude Security’s current scope.

The practical recommendation for mature security programs: Claude Security is an additive layer, not a replacement. Running it alongside existing SAST and DAST tools catches the class of vulnerabilities that automated pattern matching systematically misses — the vulnerabilities that currently require expensive manual penetration testing to find. For organizations doing no automated security scanning at all, Claude Security is a strong starting point that delivers measurable value with minimal setup friction.

Enterprise Ecosystem and Integrations

Anthropic is treating Claude Security as an ecosystem play rather than a standalone product. Several of the largest cybersecurity platforms have already announced integrations that embed Opus 4.7 capabilities directly into their existing workflows:

• CrowdStrike Falcon: Opus 4.7 is embedded in CrowdStrike’s Falcon platform and Project QuiltWorks, bringing Claude’s reasoning to CrowdStrike’s endpoint detection and response workflows.
• Microsoft Security: Integration brings Claude’s code reasoning to Security Copilot workflows for enterprise Microsoft customers.
• Palo Alto Networks, SentinelOne, TrendAI, Wiz: All four have announced Opus 4.7 integrations across their respective security platforms.

On the services side, Accenture, BCG, Deloitte, Infosys, and PwC are actively building Claude-integrated security offerings for enterprise clients. For larger organizations that procure security tooling through these consultancies, Claude Security capabilities are likely to appear embedded in advisory and managed security service offerings over the next 12 to 18 months.

What This Means for Security Teams and Developers

The practical implication for security teams is a new tier in the vulnerability detection stack. Today the typical security workflow looks like this: automated scanning in CI/CD catches the obvious issues, and quarterly or annual penetration testing by specialist firms catches the deeper ones. Claude Security inserts a higher-reasoning continuous layer between those two tiers — more thorough than automated pattern matching, faster and lower-cost than manual penetration testing, and capable of running on every code change rather than at infrequent intervals.

The triage tracking and audit trail features are the most operationally significant change for security teams working within formal compliance frameworks. The February research preview was useful for discovery. The public beta is designed for deployment as part of a security program that needs to demonstrate its posture to auditors. Timestamped finding records, documented dismissal reasons, and remediation tracking reduce the overhead of compliance reporting substantially.

For developers, Claude Security creates a path to self-service security review that did not previously exist at this depth of reasoning. Rather than waiting for a security team review or a quarterly pen test to surface architectural vulnerabilities, developers can scan their own code during implementation. That shift — finding security issues at the time the code is written rather than weeks or months later — is the same improvement that SAST tools brought to obvious vulnerabilities in the 2010s. Claude Security applies it to the harder category of context-dependent issues.

Limitations to Understand Before You Deploy

Claude Security is a reasoning model applied to security analysis, which means it inherits both the strengths and the known limitations of that approach.

False positives exist. The model will occasionally flag code as potentially vulnerable when it is not, particularly in cases where a defensive pattern is unusual enough that the model interprets it as a vulnerability rather than a safeguard. The confidence ratings are a useful signal: low-confidence findings should be reviewed by a human security engineer before acting on them. Over-triaging low-confidence findings wastes time; under-triaging them wastes security value.

Large monorepos with tens of thousands of files will see longer scan times than signature-based SAST tools. Directory-level scanning is the practical answer to this for most teams: start with the highest-risk areas of the codebase — authentication flows, payment processing, API endpoints that handle user data, and privilege escalation paths — and expand scope as you build confidence in the workflow.

Binary analysis, runtime behavior, and infrastructure security (cloud configuration, network topology, IAM policies) are outside Claude Security’s current scope. It analyzes source code. For teams with infrastructure security requirements, the existing tooling category covering CSPM and KSPM remains necessary alongside Claude Security for code.

Getting Started

For Claude Enterprise customers, access is available through the Claude console under the Security tab. The initial setup flow connects your code repository — GitHub, GitLab, and Bitbucket are supported — selects scan scope, and runs the first manual scan to establish a baseline of findings. Scheduled scan configuration, directory targeting, and webhook setup follow from there.

Anthropic’s security documentation at docs.anthropic.com covers the full setup flow, scan configuration, triage workflow, and export options in detail. For teams deploying Claude Security within a formal compliance framework, the documentation includes specific guidance on using the CSV and Markdown export formats for audit reporting.

The recommended starting point: run a targeted scan of your authentication and authorization code first. These areas carry the highest business risk and are where reasoning-based analysis is most likely to find issues that pattern-matching scanners missed. Use the initial findings to calibrate your understanding of Claude Security’s confidence ratings before expanding to full-codebase scheduled scanning.

The Bottom Line

Claude Security in public beta represents the most significant update to automated code security review in years — not because it replaces existing tooling, but because it closes the gap that has always existed between what automated scanners find and what human security researchers find. The context-dependent vulnerabilities it catches — the ones that have been sitting in production codebases for years because pattern-matching tools cannot trace them across file boundaries — are precisely the class of vulnerabilities that sophisticated attackers focus on in targeted intrusions.

Catching them continuously, with specific remediation guidance, at the cost and cadence of automated tooling rather than annual penetration testing, is a genuine operational improvement for organizations serious about their security posture. The February preview showed the concept was real. The public beta shows it is ready for production security programs.