What Anthropic’s Claude Code Security Actually Means for AppSec

Scott Gerlach   |   Feb 20, 2026

Today’s announcement from our friends at Anthropic is worth taking a closer look at. Here at StackHawk, we see it as a major disruption to the market and to how our customers work.

What to Know about Claude Code Security

According to their announcement, Claude Code Security scans entire codebases the way a human security researcher would: tracing how data moves through a system, understanding how components interact, catching vulnerabilities that rule-based tools miss.

And we know there is some real meat behind it. Opus 4.6 found over 500 bugs in production open-source software that had survived years of expert review—some for decades. AI reasoning about code is genuinely better than rule-based static analysis at catching certain classes of vulnerabilities. We’ve been saying for months that AI systems were going to make traditional rule-based code security obsolete. This announcement confirms that.

But the announcement implies more than it demonstrates, and AppSec practitioners should notice the gap.

Anthropic calls out business logic flaws and broken access control as what rule-based tools miss but Claude Code Security catches through reasoning. Their examples, however, look more like dataflow and memory analysis than true business logic testing. That distinction matters. Business logic vulnerabilities aren’t patterns you find by reading code carefully. They’re behaviors specific to each application’s intent, and you can only find them by running the application, not with more training data.

What it Means for Your AppSec Program

Claude Code Security doesn’t run your application. It can’t send requests through your API stack, test how your auth middleware chains together, or confirm whether a finding is actually exploitable in your environment. Those are the vulnerabilities that show up in incident reports — and they only manifest at runtime.

AI getting smarter at reading code is a genuine capability improvement. It doesn’t change the fact that your runtime attack surface only gets tested by actually attacking it.
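As an added illustration of the gap described in the two sections above (a constructed example, not StackHawk’s or Anthropic’s code): a handler whose source contains nothing a pattern rule would flag, yet a runtime sweep that exercises it as each user exposes the missing ownership check. The invoice store, the users and both handlers are assumptions made for the example.

```python
"""Broken access control that no rule over the source text reveals,
found by exercising the handler at runtime as different users.
Constructed example; the app and the checker are both hypothetical."""
import re

# Constructed in-memory data: invoice id -> owning user and amount.
INVOICES = {
    "inv-1": {"owner": "alice", "total": 120.0},
    "inv-2": {"owner": "bob", "total": 75.5},
}


def get_invoice(session_user: str, invoice_id: str) -> dict:
    """Handler as written. It validates the id format and handles the
    not-found case, and it touches no dangerous sink (no SQL string
    building, no shell, no unsafe deserialization), so a rule-based
    scan has nothing to match. The defect is about intent: nothing
    ties the invoice back to session_user."""
    if not re.fullmatch(r"inv-\d+", invoice_id):
        return {"status": 400}
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "body": inv}


def get_invoice_fixed(session_user: str, invoice_id: str) -> dict:
    """Hardened handler: same behaviour plus an ownership check."""
    resp = get_invoice(session_user, invoice_id)
    if resp["status"] == 200 and resp["body"]["owner"] != session_user:
        return {"status": 403}
    return resp


def runtime_access_check(handler) -> list:
    """Runtime authorization sweep: request every invoice as every known
    user. A 200 on an invoice owned by someone else is a finding. This
    only works against running code; the source alone does not say
    which user should see which record."""
    findings = []
    for user in sorted({inv["owner"] for inv in INVOICES.values()}):
        for inv_id, inv in INVOICES.items():
            resp = handler(user, inv_id)
            if resp["status"] == 200 and inv["owner"] != user:
                findings.append((user, inv_id))
    return sorted(findings)


if __name__ == "__main__":
    print("as written:", runtime_access_check(get_invoice))
    print("hardened:  ", runtime_access_check(get_invoice_fixed))
```

The sweep is the same shape a CI/CD runtime test takes: authenticate as more than one principal, exercise the real endpoints, and fail the pipeline on any cross-tenant 200.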

Where StackHawk Fits

StackHawk runs in your CI/CD pipeline. Tests complete in minutes. Findings land directly in the PR — actionable, prioritized, with full application context. Not a PDF report. Not a backlog of unvalidated alerts.

That’s the layer Claude Code Security doesn’t cover. And with the StackHawk MCP Server, that runtime testing now runs directly inside AI coding environments — Claude Code, Cursor, Windsurf — without leaving the workflow. AI reasoning about your code while it’s being written. StackHawk tests what the code actually does before it ships. Both layers, same workflow.

What This Signals For AppSec

AI-accelerated development is generating more code faster than any team can manually review. Code-level security getting smarter is good for everyone. But the runtime problem doesn’t get absorbed by better static analysis — it gets worse as the attack surface grows faster.

The teams that instrument both layers, 1) intelligent code review and 2) runtime validation in CI/CD, are the ones that will keep pace. This announcement signals that AI-powered security tooling is maturing. The question is whether your program is testing the full picture.