Claude Security
configuration & combat use

TL;DR

Claude Security is an agentic SAST replacement, not an additional one. It reads code the way a security researcher does, traces data flow across files, self-verifies, and produces patch-ready findings inside Claude Code on the Web. It is good at logic and multi-file vulnerabilities, weak at runtime, infra, container, and dependency CVE coverage. Treat it as one of three complementary layers next to AWS Security Agent (DAST / pentest) and Wiz (cloud-to-code posture, IaC, SCA).

• Where it wins: business-logic flaws, IDOR, auth-bypass chains, deserialisation, multi-file taint paths, anything pattern matchers miss.
• Where it does not play: dependency CVE feeds, IaC misconfig, container CVE, cloud posture, runtime threats, secret rotation. None of those are in scope.
• Cost shape: consumption-billed at standard API rates on top of seat fees. There is no fixed price per scan. Plan a budget cap before opening it up to a team.
• Determinism: stochastic by design. Two scans of the same SHA produce overlapping but not identical findings. Build process around that, not against it.

What it actually is

Claude Security is a defensive code-scanning capability built into claude.ai, accessed at claude.ai/security. It launched as Claude Code Security in February 2026 limited preview, was renamed and reissued in public beta on 30 April 2026 to all Max, Team, and Enterprise tenants. The model under it is Opus 4.7, not the more capable but restricted Mythos. High

The agent scans a GitHub repository (full repo, scoped directory, or specific branch), reasons over the source, runs an adversarial verification pass on its own findings to suppress false positives, then produces structured output: title, location, impact, reproduction steps, recommended fix, severity, status, category. From any finding you can launch a Claude Code on the Web session pre-loaded with the context to draft and review the patch.

Finding categories Anthropic calls out

Per the official help centre: injection (SQLi, command, code, XSS, XXE, ReDoS), path and network (traversal, SSRF, open redirect), auth and access (authn bypass, privesc, IDOR/BOLA, CSRF, race), memory safety (overflow, UAF, unsafe), cryptography (timing, alg confusion, weak primitives), deserialisation (arbitrary type instantiation), protocol and encoding (cache safety, encoding confusion, length-prefix trust). Severity is assigned per finding based on exploitability in your codebase, not category, so the same class can land High in one repo and Low in another. High

Use cases

Non-use cases

Just as important. If you reach for Claude Security for any of these, you are using the wrong tool.

Prerequisites

Anthropic's own getting-started guide enumerates these, so this section reflects the official requirements rather than my interpretation. High

1. Eligible plan. Claude Enterprise, Team, or Max. (Enterprise was first, Team and Max were added in the public beta release.)
2. Claude Code on the Web enabled. The remediation flow opens a Claude Code session, so this has to be on for the org. Check at claude.ai/code.
3. Extra Usage enabled. Claude Security is consumption-billed. If Extra Usage is off you cannot run scans.
4. Anthropic GitHub App installed. Same app as Claude Code on the Web. Granted access to the repos you want to scan, at the GitHub org level.
5. Premium seats for scan operators. Standard seats do not include Claude Code on the Web. Each engineer who runs scans needs a premium seat.
6. Network allowlisting (optional). If your GitHub Enterprise has IP allowlisting, add Anthropic's published egress ranges.

Step-by-step setup

The set-up itself is short. The hard work is policy: who can scan what, what gets exported where, how dismissals are governed.

1. Confirm Extra Usage and set a spend cap Go to Organization Billing settings. Enable Extra Usage if it is off. Set a separate spend limit specifically for Claude Security once the feature toggle exposes it. Treat the first month as a budget calibration period, not a steady state.
2. Verify the Anthropic GitHub App is installed In your GitHub org settings, check Installed GitHub Apps. The app should be present and granted access to the relevant repositories. Scope by repository selection, not by "all repos" unless the org is small enough that the blast radius is acceptable.
3. Enable Claude Security in the admin console Visit claude.ai/admin-settings/claude-code. Toggle Claude Security on. Once enabled, the Security entry appears in the left sidebar of claude.ai for users with premium seats.
4. Provision RBAC roles Anthropic exposes custom roles via Claude Enterprise RBAC. Create at least two: a Security Operator who can run scans and triage findings, and a Security Reviewer who can read findings and dismissals but not run scans. Default-deny scan permission to engineering generally. You do not want every engineer launching repo-wide Opus 4.7 sessions on a whim, both for cost and noise.
5. Pick the first three repositories Do not start with the monolith. Pick: one critical service (small, high-stakes, you already understand it), one repo recently audited by humans (so you can sanity-check signal vs noise), and one greenfield service (so you see what zero-history scanning produces).
6. Wire integrations before findings start landing Set up the Slack and Jira webhooks per project before the first scheduled scan. Findings without an inbox accumulate as a backlog people stop opening.
7. Document dismissal policy Decide before, not after, what counts as a valid dismissal reason. Suggested taxonomy: not-exploitable-in-context, compensating-control, accepted-risk, false-positive, duplicate. Reject a generic "not applicable" with no reason.
8. Run a calibration scan Pick the small critical service. Run a Regular-effort scan first, then an Extended-effort scan. Compare findings. The delta is your real signal about how much depth Extended buys you on this codebase.

Running scans

1. Sidebar > Security or claude.ai/security.
2. Pick the repo. For anything larger than a single service, pick a directory or branch. Anthropic explicitly recommends scoping for larger repositories.
3. Effort: Regular vs Extended. Regular is the default. Extended runs deeper analysis at materially higher token cost. Use Extended on the first scan of a repo or after material changes (rewrite, framework upgrade, new auth).
4. Start the scan. Time varies based on repo size and what the agent decides to investigate. Minutes to hours, not seconds.
5. Run multiple in parallel. Useful for triaging several services at once, or comparing a hardened branch against main without serialising.

Sample configurations

Claude Security is configured in-product, not via YAML. There is no .claude-security.yml. What you can configure: schedule cadence, scan effort, scope, webhook endpoints, and dismissal taxonomy. The samples below show what the integrations on the receiving end should look like.

Webhook payload → Slack triage channel (Block Kit)

Claude Security pushes scan-completion and new-finding events. Forward through a small Lambda or n8n flow that maps severity to channel, formats with Block Kit, and posts a review button linking back to claude.ai/security.

# n8n / Lambda handler shape (illustrative)
on: webhook.claude-security.finding.created
filter:
  severity: [HIGH, MEDIUM]
  repository: hellofresh/*
route:
  HIGH:   "#sec-findings-high"
  MEDIUM: "#sec-findings-triage"
payload:
  blocks:
    - type: header
      text: "[{{severity}}] {{title}}"
    - type: section
      fields:
        - "*Repo:*  {{repository}}"
        - "*File:*  {{location.path}}:{{location.line}}"
        - "*Category:*  {{category}}"
    - type: actions
      elements:
        - type: button
          text: "Open in Claude Security"
          url:  "https://claude.ai/security/findings/{{id}}"
        - type: button
          text: "Triage in Jira"
          url:  "https://hellofresh.atlassian.net/secure/CreateIssue.jspa?summary={{title}}"

Jira auto-creation policy

# Recommended policy at the receiving end
create_issue_when:
  severity: HIGH
  AND repository_tier: tier-1   # PII, payments, auth

create_issue_when:
  severity: HIGH or MEDIUM
  AND scan_type: scheduled-weekly

project:        APPSEC
issuetype:      Vulnerability
priority_map:
  HIGH:   Highest
  MEDIUM: High
  LOW:    Medium
labels:         ["claude-security", "auto-created", "{{category}}"]
assignee:       service_owner_lookup({{repository}})

Schedule policy by repo tier

Dismissal taxonomy

not-exploitable-in-context   # real bug, not reachable here
compensating-control         # WAF rule, network policy, etc.
accepted-risk                # risk owner has signed off; link decision doc
false-positive               # model wrong; link evidence
duplicate                    # covered by existing Jira ticket; link it

Reviewing findings

Each finding ships with: title, details, location (file + line, linked), impact, reproduction steps, recommended fix, severity, status, category, repo, branch, date. Dismissed findings carry a reason and optional note that travel forward into future scans.

Recommended review flow:

1. Triage by severity, then exploitability. Anthropic's severity already accounts for exploitability per repo, but you still have local context they do not.
2. Read the reproduction steps before the recommended fix. If the repro is hand-wavy, the finding is suspect. Real ones describe a concrete payload or call sequence.
3. Open a remediation session. Click into Claude Code on the Web with the finding pre-loaded. Review the proposed patch as you would any PR. Do not auto-merge.
4. Dismiss with reason if not acting. The dismissal reason becomes the audit trail. Future reviewers (and future you) will read these.
5. Export per scan. Pull a CSV or Markdown after each significant scan. Keep the exports as the paper trail for SOC2 / ISO 27001 evidence. Do not rely on the in-product UI being your sole record.

Operationalising

Ownership

Tag every project with a named owner (an engineering team or on-call rota), not a person. Findings without a routing rule become a backlog. Tie ownership to the same service catalogue you already use for incident routing.

Scoped scanning beats whole-repo scanning

For monorepos and anything over roughly 200k lines, run scoped scans against modules in rotation rather than full-repo scans. This is Anthropic's own guidance: narrower scope increases determinism and focuses the agent. It is also cheaper.

Audit trail discipline

Three artefacts per scan should be retained: the CSV / Markdown export, the Jira tickets created, and the dismissal log. These are what an auditor will ask for. Capture them in your existing GRC system, not just in the Claude Security UI.

Human gate on patches

Anthropic's own product copy says it: Claude can make mistakes, so you should always review proposed patches before applying them, especially for critical systems. The remediation session generates a candidate, not a merge-ready commit. Treat it as a PR draft.

Cyber Verification Program

If your team's legitimate security work (red team, exploit research, pentest) trips Opus 4.7's built-in cyber safeguards, Anthropic's Cyber Verification Program is the route to keep operating without interruption. Apply early if you anticipate it. Medium

Token consumption & cost

This is the section vendors are most evasive on, so here is the honest shape of it.

Billing model

Claude Security is consumption-billed at standard Anthropic API rates on top of your seat fees. There is no fixed price per scan, no included monthly scan budget. The seat fee covers access; every token the agent spends scanning, reasoning, self-verifying, and producing the report is billed as Extra Usage. High

What drives cost

• Codebase size. The agent reads source. Lines of code multiplied by re-reads as it traces flows is the dominant cost driver.
• Effort setting. Extended runs deeper, costs materially more than Regular. No public multiplier published. Plan for 2x to 5x as a working assumption until you measure.
• Scope. Full repo vs scoped directory differs by orders of magnitude on a monorepo.
• Self-verification. The agent's own adversarial pass is part of the cost. It is what reduces false positives, but it is not free.
• Findings volume. Each verified finding adds output tokens for the structured report.

What it does not do for cost

• No prompt caching across scans documented. You should not assume re-scanning the same repo next week is cheap. Medium
• No Batch API discount exposed for this product surface. Medium

Working numbers

Anthropic publishes Opus 4.7 API pricing (input / output / cache) on the platform docs. As of the launch window, expect that a Regular scan of a small service (sub-50k LOC) is in the low-single-digit USD range, an Extended scan on the same repo is the same order higher, and a full monorepo Extended scan can be in the low-three-digit USD range. These are working estimates, not Anthropic-published figures. Run a calibration scan on a known repo and divide your invoice line item by the run to get your actual unit cost. Low: order of magnitude only. Verify by measuring.

Cost-control playbook

1. Set a feature-level Claude Security spend cap separate from the org cap.
2. Default to Regular effort. Reserve Extended for tier-1 services and post-incident deep dives.
3. Scope to directories on monorepos. Rotate weekly, do not full-scan weekly.
4. Limit who can run scans via RBAC. Premium seat plus a custom role.
5. Review the first invoice line by line before unlocking the rest of the org.

Anti-patterns

Versus AWS Security Agent & Wiz

The three tools occupy different layers of the same problem. They are complementary, not competitive, despite the marketing surface. High

What each one actually is

Claude Security (Anthropic, Apr 2026)

Agentic SAST. Source-only. Logic and multi-file taint. Self-verifying. GitHub repo input, claude.ai surface, Claude Code remediation.

AWS Security Agent (Mar 2026 GA)

Agentic DAST + design review + on-demand penetration testing. Reads source, architecture docs, and runs validated multi-step attacks against running apps. Output includes CVSS scores and reproducible exploit paths. Across AWS, Azure, GCP, on-prem.

Wiz Code (and the broader Wiz Cloud Security Platform)

Cloud-to-code unified posture. SCA, secrets, IaC, container, CSPM, runtime. Code-to-cloud graph that ties a vulnerable line to a running workload to a public-facing cloud asset. Recently shipped Wiz Skills for agent-driven remediation in IDEs and PRs.

Side-by-side

What this means in practice

For HelloFresh's stack (GitHub Actions → k8s on AWS), the rational division of labour:

• Claude Security on tier-1 service repos for logic-class bugs that bypass pattern-based SAST. Weekly scoped scans.
• AWS Security Agent for design-time review of new services and on-demand pentest of staging endpoints before release. Replaces the long lead-time human pentest for the long tail of services.
• Wiz Code as the everyday floor: SCA, IaC, container, secrets, CSPM, runtime. The existing investment continues to do the heavy lifting on the cloud and dependency surface.

None of the three replaces the other two. The cost trap is convincing leadership any one of them is "the AI security tool" and dropping the others.

HelloFresh comparison experiment

Option A: single-repo deep dive (1 week, low effort)

1. Pick one tier-1 service. Mid-sized, real history of findings. Avoid the absolute crown jewels for the first run.
2. Pin a specific commit SHA. All three tools scan the same SHA.
3. Run Claude Security (Extended), AWS Security Agent (code review + design review + pentest of the staging endpoint), Wiz Code (full).
4. Export each tool's findings to a single CSV. Normalise to: category, severity, file, line, summary, tool.
5. Score by hand: true positive, false positive, duplicate of another tool, unique to this tool.
6. Score the patches: safe to merge as-is, safe with edits, unsafe / wrong.

Output: a Venn diagram of unique-vs-overlapping findings, a precision number per tool, a patch-quality score per tool, and a per-finding cost on the Claude side.

Option B: representative cohort (3 weeks, medium effort)

1. Pick five repos across tiers: one tier-1 critical, two tier-2, two tier-3.
2. Same SHA-pinning and normalisation as Option A.
3. Score the same way, then aggregate.

Output: a tier-weighted view of where each tool earns its keep. Stronger basis for a procurement decision than a single-repo data point.

Option C: continuous parallel run (90 days, high effort)

1. Run all three in parallel across the top 20 repos for a quarter.
2. Track time-to-fix, real exploits caught, false-positive rate, and total tool-cost per real exploit caught.
3. Use that as the basis for a renewal / consolidation decision.

This is the only mode that produces a real ROI number. The first two produce signal-quality numbers, which is different.

Where each tool likely wins on HelloFresh-shaped code

• Claude Security: auth and session logic across the customer-account services. IDOR in order / subscription endpoints. Multi-file taint in the recipe-rendering pipeline.
• AWS Security Agent: design-review on new services before they hit prod. Validated pentest output that the eng team trusts more than a pure SAST finding. Speed up of the "we need a pentest before launch" lead time.
• Wiz: the long tail of CVE in container images, IaC drift in EKS clusters, exposed S3, IAM blast radius. The stuff that does not show up in source.

Sources

1. Anthropic, Claude Security product page: claude.com/product/claude-security
2. Anthropic, Use Claude Security (help centre): support.claude.com/en/articles/14661296-use-claude-security
3. Anthropic, Getting started with Claude Security: claude.com/resources/tutorials/getting-started-with-claude-security
4. SecurityWeek, Anthropic Unveils Claude Security to Counter AI-Powered Exploit Surge, 30 Apr 2026.
5. SiliconANGLE, Anthropic announces Claude Security public beta to find and fix software vulnerabilities, 30 Apr 2026.
6. The New Stack, Anthropic's Claude Security emerges from closed preview, 14 Mar 2026 (updated 30 Apr).
7. AWS, New AWS Security Agent secures applications proactively from design to deployment, GA 31 Mar 2026.
8. AWS Security Blog, Building AI defenses at scale, Apr 2026 (Project Glasswing context).
9. Google Cloud / Wiz, Next '26: Redefining security for the AI era, Apr 2026 (Wiz Skills, Wiz Code).
10. Anthropic platform docs, Pricing: platform.claude.com/docs/en/about-claude/pricing

Assumptions

• "AWS security agent" in your prompt refers to AWS Security Agent (the frontier-agent product GA'd 31 Mar 2026), not Amazon Inspector or Security Hub. If you meant a different product (Inspector, GuardDuty, Security Hub), the comparison framework changes shape and I will redo §13 accordingly.
• "Wiz code scanning" refers to the Wiz Code module of the Wiz Cloud Security Platform, including SCA, IaC, secrets, container, and the Wiz Code-to-Cloud graph. If you specifically mean Wiz Defend (runtime) or a different module, that also reshapes §13.
• HelloFresh is on Claude Enterprise and already has Claude Code on the Web in flight. If the org is still on Team or seat-based Enterprise, the prerequisite path in §05 differs slightly.
• The cost figures in §11 are working estimates based on Opus 4.7 published API pricing, not a Claude Security price sheet. Anthropic has not published a per-scan price. Calibrate by measuring your first-month invoice.
• The §13 capability table reflects vendor-published positioning as of 30 Apr 2026, plus my interpretation of practical strength. The "partial / strong" labels are a working assessment, not a benchmark, and would shift on real measurement.
• This document does not include Mythos / Project Glasswing in scope. Mythos is research-restricted, not generally available, and does not factor into a current procurement decision.