Anthropic Opensources AI-Powered Vulnerability Detection: A Developer's Guide
Anthropic Opensources AI-Powered Vulnerability Detection
On June 4, 2026, Anthropic released an open-source reference implementation for autonomous vulnerability discovery and remediation — the Defending Code Reference Harness. This isn't just another security scanner. It's a framework that uses Claude to autonomously find, triage, and patch security vulnerabilities in code.
What Makes This Different
Traditional security tools rely on static analysis rules or known vulnerability signatures. This harness takes a fundamentally different approach:
- Threat modeling first — it understands your codebase's architecture before scanning
- Multi-stage verification — findings go through a verification pipeline to reduce false positives
- End-to-end autonomy — from reconnaissance to patching, Claude handles the full cycle
The harness is designed around five Claude Code skills:
| Skill | Purpose |
|---|---|
/quickstart | Orient yourself in the repo |
/threat-model | Map attack surfaces in your codebase |
/vuln-scan | Scan for vulnerabilities |
/triage | Prioritize and verify findings |
/patch | Generate fixes |
/customize | Port to different languages or vuln classes |
How It Works Under the Hood
The autonomous pipeline (harness/) follows a recon → find → verify → report → patch loop:
- Recon: Analyzes the codebase structure, build system, and dependencies
- Find: Uses Claude to identify potential vulnerabilities
- Verify: Applies a multi-stage verification pipeline to confirm findings
- Report: Generates structured vulnerability reports (TRIAGE.json, VULN-FINDINGS.json)
- Patch: Creates and validates fixes automatically
The reference implementation ships with C/C++ memory vulnerability detection using Docker and AddressSanitizer (ASAN). But thanks to the /customize skill, you can port it to any language or vulnerability class.
Managed Option: Claude Security
If you'd rather not DIY, Anthropic also offers Claude Security — a hosted product that scans repositories, applies multi-stage verification, and manages findings through their lifecycle. Ideal for teams that want the power without the setup overhead.
Why This Matters
This release comes alongside Anthropic's broader When AI Builds Itself paper, which shows that Anthropic engineers now ship 8x more code per quarter than they did in 2021-2025, thanks to AI-assisted development. Security tooling was one of the first domains where Anthropic's own teams saw real impact from autonomous AI agents.
For the broader developer ecosystem, this open-source harness means:
- Smaller teams can now run sophisticated vulnerability analysis without enterprise budgets
- Open-source projects can integrate CI/CD vulnerability scanning powered by AI
- Security researchers have a customizable platform to build upon
Getting Started
git clone https://github.com/anthropics/defending-code-reference-harness
cd defending-code-reference-harness
# Set up the sandbox environment
bash scripts/setup_sandbox.sh
# Run the pipeline
./bin/vp-sandboxed
Or open the repo in Claude Code and run /quickstart to get oriented.
⚠️ Security note: The autonomous pipeline executes code in Docker. The reference harness refuses to run outside a gVisor sandbox unless explicitly overridden. Individual Claude Code skills (
/quickstart,/vuln-scan,/triage,/patch) are read/write-only and safe to run unsandboxed.
This tool has been added to our Coding & Development directory. Check out Claude and Anthropic Console for more Anthropic tools.
Found this helpful? Share it with your team.
Read more articles →