Claude Security exits closed preview into public beta for repo vulnerability scanning

- Anthropic moved Claude Security from limited research preview into public beta on April 30, opening its repo-scanning and patch-suggestion tool to Claude Enterprise customers.
- The beta runs on Claude Opus 4.7, adds scheduled and targeted scans, audit integrations, and triage tracking, and needs no API integration.
- It matters because Anthropic says AI is shrinking time-to-exploit, so defenders need context-aware scanning before attackers automate the same work.

Code security tools usually do one simple thing well — they match patterns. That catches hardcoded secrets, stale crypto, and a lot of familiar mistakes. But the nastier bugs are often not pattern bugs at all. They live in the way files, services, permissions, and business logic interact. That is the gap Anthropic is trying to close with Claude Security, which moved from limited preview into public beta on April 30 for Claude Enterprise customers. (claude.com)

### What is Claude Security, exactly?

It is Anthropic’s repo vulnerability scanner and fix generator. You point it at a repository — or even a branch or directory — and it scans for security flaws, explains what it found, rates confidence and severity, and proposes a patch for human review. Anthropic also renamed the product along the way: the February preview was called Claude Code Security, while the broader beta is now Claude Security. (claude.com)

### What changed in this release?

The big change is access. In February, Anthropic offered the tool in a limited research preview to Enterprise and Team customers, with expedited access for some open-source maintainers. Now it is in public beta for Claude Enterprise customers. Anthropic also says the beta adds scheduled and targeted scans, easier audit-system integration, and better tracking for triaged findings. (claude.com)

### Why isn’t this just another static analyzer?

Because Anthropic is pitching it as reasoning-based, not rules-based. The tool is supposed to trace data flows across files, understand how components interact, read Git history, and catch context-dependent bugs like broken access control, logic flaws, authentication bypasses, injection issues, and even memory-corruption problems. Basically, the claim is that it behaves(claude.com)ecking signatures. (claude.com)

### Why does that matter so much?

Because the hardest vulnerabilities are often distributed. One function looks harmless. Another permission check looks fine. A third service trusts the wrong state. Put them together and you get a real exploit path. Traditional scanners can miss that because each piece, on its own, does not match a known bad pattern. Claude Security’s whole pitch is that it follows the chain instead of just flagging the fragments. (claude.com)

### What does Anthropic think the real threat is?

The company is pretty explicit here — AI is compressing the time between finding a bug and weaponizing it. Anthropic ties this launch to its broader cyber work, including Claude Mythos Preview and Project Glasswing, where it has been testing stronger vulnerability-finding and exploitation capabilities with selected partners. The message is not subtle: if frontier models can hel(claude.com)omparable tools in their own workflow now. (claude.com)

### What keeps this from becoming auto-patch roulette?

Human review. Anthropic says nothing is applied automatically, every patch requires approval, and each finding goes through verification before it reaches analysts. The product also surfaces confidence ratings and severity so teams can spend time on likely-real, high-impact issues instead of drowning in false positives — which is the oldest complaint in AppSec tooling. (claude.com)

### How does it fit into enterprise workflows?

Anthropic is trying to make adoption friction low. The beta can be opened from the Claude sidebar or a dedicated security page, and the company says it does not require API integration or a custom agent build. Findings can be pushed out through webhooks to Slack, Jira, or other ticketing systems, and exported for audit or tracking. Anthropic is also leaning on partners like CrowdS(claude.com), TrendAI, Wiz, Accenture, Deloitte, Infosys, and PwC to get the model into existing enterprise security stacks. (claude.com)

### So what is the bottom line?

This beta is Anthropic turning a research-preview security feature into a real enterprise product. The bet is simple — code scanning is moving from pattern matching to model-driven reasoning. If that works reliably, security teams get fewer junk alerts and faster fixes. If it does not, they just get a more fluent false-positive machine. Public beta is where that difference starts to show. (claude.com)
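To make the "distributed vulnerability" argument above concrete, here is a constructed example (not code from the article, from Anthropic, or from Claude Security) of a broken-access-control bug spread across three notional modules, with a toy rules-based scanner beside it. The storage helper is harmless, the permission check is correct in isolation, and the export service trusts a caller-supplied `act_as` parameter that was only ever meant for admins; none of the three pieces matches a classic pattern rule, yet together they let any user read any document. The hardened service gates impersonation on the caller's admin flag. All names, data and regex rules are invented for illustration.

```python
"""
Constructed example: a cross-module authorization flaw that pattern rules
miss, beside its hardened form. Nothing here is a real product or API.
"""
import inspect
import re
from dataclasses import dataclass


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


# --- notional "storage.py": harmless on its own ---------------------------
_DOCS = {  # constructed sample data
    1: Document(1, owner_id=100, body="q2 board deck"),
    2: Document(2, owner_id=200, body="payroll export"),
}


def load_document(doc_id):
    """Plain lookup; no security decision is made here."""
    return _DOCS[doc_id]


# --- notional "authz.py": correct when read in isolation --------------------
def can_view(user_id, is_admin, doc):
    """Owner or admin may view. Fine, *if* user_id is really the caller."""
    return is_admin or doc.owner_id == user_id


# --- notional "export_service.py": the vulnerable interaction ---------------
def export_document_vulnerable(user, doc_id, request_params):
    """'act_as' was added for admin impersonation, but nothing checks that
    the caller is an admin before honouring it. The authz call below is
    therefore fed an identity chosen by the request, not by authentication."""
    effective_id = int(request_params.get("act_as", user.id))
    doc = load_document(doc_id)
    if not can_view(effective_id, user.is_admin, doc):
        raise PermissionError("forbidden")
    return doc.body


def export_document_hardened(user, doc_id, request_params):
    """Same feature, but impersonation is only honoured for admins and the
    authenticated identity is used otherwise."""
    effective_id = user.id
    if "act_as" in request_params:
        if not user.is_admin:
            raise PermissionError("impersonation requires admin")
        effective_id = int(request_params["act_as"])
    doc = load_document(doc_id)
    if not can_view(effective_id, user.is_admin, doc):
        raise PermissionError("forbidden")
    return doc.body


# --- a toy pattern-matching scanner (invented rules) -----------------------
PATTERN_RULES = {
    "hardcoded-secret": re.compile(r"(password|secret|api_key)\s*=\s*['\"]"),
    "weak-hash": re.compile(r"\b(md5|sha1)\s*\("),
    "dangerous-eval": re.compile(r"\b(eval|exec)\s*\("),
}


def pattern_scan(source):
    """Return (rule, line_number) pairs for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERN_RULES.items():
            if rx.search(line):
                findings.append((name, lineno))
    return findings


def demo():
    """Show the exploit path exists, the hardened form blocks it, and the
    pattern scanner reports nothing on the vulnerable code."""
    attacker = User(id=300)            # owns no documents
    params = {"act_as": "200"}         # claims the owner of document 2
    leaked = export_document_vulnerable(attacker, 2, params)
    try:
        export_document_hardened(attacker, 2, params)
        blocked = False
    except PermissionError:
        blocked = True
    source = "\n".join(inspect.getsource(f) for f in
                       (load_document, can_view, export_document_vulnerable))
    return {"leaked": leaked, "blocked": blocked,
            "pattern_findings": pattern_scan(source)}


if __name__ == "__main__":
    print(demo())
```

The point of the toy scanner is not that regex rules are useless (they do catch the hardcoded-secret and weak-hash cases the article credits them with), but that the real defect here is a property of how three correct-looking pieces compose, which is exactly the class of finding the article says requires reasoning across files rather than matching fragments.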
