
Anthropic has opened Claude Security to all Claude Enterprise customers in public beta, marking a significant shift in how organisations can defend their software.
The tool uses Claude Opus 4.7 — currently one of the strongest generally available models for security analysis — to scan entire codebases, trace how data moves through code, and generate targeted patches for developer review. No custom API integration or agent-building is required; if your organisation already runs Claude, you can point it at a GitHub repository and start scanning today.
The stakes behind this launch are not subtle. Anthropic says that hundreds of organisations have tested the tool in a closed research preview since February, uncovering exploits in production code, including vulnerabilities that existing tools had missed for years.
The predecessor model, Claude Opus 4.6, found over 500 vulnerabilities in production open-source codebases — bugs that had gone undetected for decades despite years of expert review. Patches and coordinated disclosures for those findings are ongoing.
How it actually works
Unlike traditional static analysis tools (rule-based scanners that match code against known vulnerability patterns), Claude reads and reasons about code the way a human security researcher would: understanding how components interact, tracing how data moves through an application, and catching complex vulnerabilities that rule-based tools miss.
Every finding then passes through a multi-stage verification pipeline where the model challenges its own conclusions before surfacing results to an analyst, reducing false positives and attaching a confidence rating to each issue.
Findings are organised by severity — High, Medium, or Low — based on exploitability in the specific codebase, not just vulnerability category.
A High-severity finding means an unauthenticated remote attacker could exploit it against a default deployment with no meaningful preconditions. Each finding also includes the affected file and line number, reproduction steps, and a suggested patch users can open directly in Claude Code on the Web to review and apply.
What's new in the public beta
Feedback from the preview shaped several additions in today's release. Teams can now schedule recurring scans — a weekly cadence ties well to sprint boundaries or pre-release checkpoints. Scans can be scoped to a specific directory within a repository, which meaningfully improves success rates on large monorepos.
Dismissed findings can carry documented reasons, building an audit trail for future reviewers. Results export as CSV or Markdown, and per-project webhooks push scan events into Slack, Jira, or other existing tracking systems in real time.
Claude Security sits alongside Anthropic's more restricted Project Glasswing initiative, where the far more capable — and more dangerous — Claude Mythos Preview model is being used with a vetted set of partners. Mythos-class capabilities are expected to become more broadly available within the next year or two, and the volume of downstream vulnerability findings will increase substantially.
Claude Security is Anthropic's answer for the wider enterprise market right now: less powerful, but accessible, with safeguards built in.
On the partner front, CrowdStrike, Palo Alto Networks, SentinelOne, TrendAI, and Wiz are embedding Opus 4.7 into their security platforms, while Accenture, BCG, Deloitte, Infosys, and PwC are helping enterprises deploy Claude-integrated security solutions for vulnerability management, secure code review, and incident response.
Currently, only GitHub-hosted repositories are supported. Access for Claude Team and Max plan customers is expected soon. Organisations whose legitimate security work triggers Opus 4.7's built-in cyber safeguards can apply for Anthropic's Cyber Verification Program to continue operating without interruption.