Anthropic's open-source framework for AI-powered vulnerability discovery
Anthropic releases open-source reference harness for autonomous vulnerability discovery and patching using Claude.
Anthropic published a reference implementation for finding and fixing vulnerabilities in source code using Claude. The framework includes interactive skills for threat modeling, static scanning, triage, and patching, plus an autonomous pipeline that performs recon, vulnerability finding, verification, deduplication, reporting, and patching in a gVisor sandbox. The pipeline is designed for C/C++ memory vulnerabilities using ASAN but is customizable for other languages and vulnerability classes. The framework proposes a four-step ramp-up: Day 1 builds a threat model and runs static scans; Day 2 runs the reference pipeline on known-vulnerable code; Days 3-5 customize it for your target; Week 2 adds outer scanning loops with triage and patching. The repository is not maintained and Anthropic directs users to Claude Security, its commercial managed offering.
What HN community is saying
Commenters focused on cost feasibility and market implications. Token consumption estimates range from hundreds to thousands of dollars per scan depending on model choice and codebase size; one calculator suggests 2.5M annual tokens for a 100-developer company. Several argue this remains cheaper than hiring security engineers or formal red team engagements, though others contend per-PR continuous scanning is impractical cost-wise. The thread debated whether LLM-powered security is defensible economics or a repeat of selling courses about stock trading rather than making money in it. Minor discussion noted the unmaintained status and mentioned competing tools like SRT.