
What is Claude Code Security: A Complete Guide

Artificial intelligence is changing how developers write and protect code. Anthropic, the AI safety company behind Claude, has introduced Claude Code Security, a new capability that helps teams find and fix vulnerabilities before attackers can exploit them.

This guide explains what Claude Code Security is, how it works, its safety features, and what it means for software development teams.

What is Claude Code Security?

Claude Code Security is a cybersecurity feature built into Claude Code, Anthropic’s AI coding assistant. It automatically scans codebases for security vulnerabilities and suggests fixes for human review.

The tool is currently available in a limited research preview for Enterprise and Team customers. Open-source maintainers can also apply for free, expedited access. This controlled release lets Anthropic work directly with early users to improve the tool before wider availability.

Unlike traditional security tools that match code against lists of known bad patterns, Claude Code Security “reads and reasons about your code the way a human security researcher would”.

It understands how different parts of an application work together, tracks how data moves through your code, and finds complex vulnerabilities that conventional tools often miss.

How Claude Code Security Works

Claude Code Security uses a multi-stage process to ensure reliability and reduce false alerts before any finding reaches a human analyst.

From Pattern Matching to Contextual Reasoning

Traditional Static Application Security Testing (SAST) tools work by scanning code for known vulnerability patterns. They are good at finding common issues such as hardcoded passwords but often miss subtler problems such as business logic flaws or broken access control.

Claude Code Security overcomes this limitation by performing deep, contextual analysis of the entire codebase. It builds an understanding of the application’s architecture and identifies logical inconsistencies that rule-based systems cannot detect.

The Multi-Stage Verification Process

Every potential vulnerability goes through a rigorous verification process:

  • Initial Discovery: Claude scans the codebase and identifies a possible vulnerability based on contextual reasoning.
  • Self-Verification: Claude re-examines each finding, attempting to prove or disprove it in order to filter out false positives.
  • Severity and Confidence Scoring: Validated findings receive severity ratings to help teams prioritize work, and confidence ratings indicating how certain the system is about each assessment.

Human-in-the-Loop: The Dashboard and Patching

Validated findings appear in the Claude Code Security dashboard, where security teams and developers can:

  • Review the finding in full context
  • Inspect suggested fixes
  • Approve changes

Nothing is applied automatically. All fixes require human approval. Developers always make the final call, ensuring changes align with the broader codebase and business requirements.

Research Behind Claude Code Security

Claude Code Security builds on more than a year of research into Claude’s cybersecurity capabilities. Anthropic’s Frontier Red Team has tested these abilities by:

  • Entering Claude in competitive Capture-the-Flag (CTF) events
  • Partnering with Pacific Northwest National Laboratory to explore using AI to protect critical infrastructure
  • Refining Claude’s ability to find and fix real vulnerabilities in code

Anthropic is working through responsible disclosure with maintainers and plans to expand security work with the open-source community.

Anthropic also uses Claude to review its own code and has found it “extremely effective at securing Anthropic’s systems”.

The Core Security Foundation of Claude Code

Claude Code is built with security features that apply to all interactions, not just vulnerability scanning.

Security Certifications

Claude Code is developed according to Anthropic’s security program. Users can access SOC 2 Type 2 reports and ISO 27001 certificates through the Anthropic Trust Center.

Permission-Based Architecture

Claude Code uses strict read-only permissions by default. When additional actions are needed, such as editing files, running tests, or executing commands, Claude Code requests explicit permission. Users decide whether to approve an action once or allow it automatically.

As the official documentation states: “Claude Code only has the permissions you grant it. You’re responsible for reviewing proposed code and commands for safety before approval”.

Built-in Protections Against Prompt Injection

Prompt injection is a technique where attackers try to manipulate an AI assistant's instructions by inserting malicious text into content the assistant reads. Claude Code includes several safeguards:

  • Permission system: Sensitive operations require explicit approval
  • Context-aware analysis: Detects potentially harmful instructions by analyzing the full request
  • Input sanitization: Prevents command injection by processing user inputs
  • Command blocklist: Blocks risky commands like curl and wget by default

Privacy Safeguards

Anthropic has implemented several privacy protections:

  • Limited retention periods for sensitive information
  • Restricted access to user session data
  • User control over data training preferences (consumer users can change privacy settings at any time)

Additional Safeguards

Other important protections include:

  • Write access restriction: Claude Code can only write to the folder where it was started and its subfolders; it cannot modify files in parent directories
  • Network request approval: Tools that make network requests require user approval by default
  • Isolated context windows: Web fetch uses a separate context window to avoid injecting potentially malicious prompts
  • Trust verification: First-time codebase runs and new MCP servers require trust verification (note: disabled when running non-interactively with the -p flag)
  • Command injection detection: Suspicious bash commands require manual approval, even if previously allowlisted
  • Fail-closed matching: Unmatched commands default to requiring manual approval
  • Natural language descriptions: Complex bash commands include explanations for user understanding
  • Secure credential storage: API keys and tokens are encrypted
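The allow/deny permission system, the fail-closed default and the re-checking of suspicious shell commands described above all follow one principle: a tool call runs only when a rule explicitly allows it, and anything ambiguous goes back to a human. The following Python model is an added illustration of that principle; it is not Claude Code's implementation. The "Tool(pattern)" rule format loosely mirrors the style of Claude Code's settings file, but the policy contents, the glob matching and the list of "suspicious" shell characters are assumptions constructed for this example.

```python
"""Fail-closed permission matching for tool calls (simplified model).

Added illustration, not Claude Code's own code. Rules look like
"Tool(glob)"; a bare "Tool" matches any argument. Evaluation order:
deny rules, then a suspicious-shell check, then allow rules, then
fail closed (ask a human).
"""
from fnmatch import fnmatchcase
import re

# Possible decisions. ASK is the fail-closed default: a human must approve.
ALLOW, DENY, ASK = "allow", "deny", "ask"

# Constructed policy in a settings-style allow/deny layout (an assumption
# for this example, not a real project's file).
POLICY = {
    "deny": ["Bash(curl *)", "Bash(wget *)", "Read(./.env)"],
    "allow": ["Bash(npm run *)", "Bash(git status)", "Read"],
}

# Shell constructs that let an innocent-looking prefix chain, pipe or
# substitute in a different command. Any of these sends the call to ASK
# even when an allow rule would otherwise match.
SUSPICIOUS = re.compile(r"[;&|`$<>\n]")


def parse_rule(rule):
    """Split 'Tool(pattern)' into ('Tool', pattern); bare 'Tool' -> ('Tool', '*')."""
    m = re.fullmatch(r"(\w+)(?:\((.*)\))?", rule)
    if not m:
        raise ValueError(f"bad rule: {rule!r}")
    pattern = m.group(2) if m.group(2) is not None else "*"
    return m.group(1), pattern


def rule_matches(rule, tool, arg):
    """True when the rule names this tool and its glob matches the argument."""
    rule_tool, pattern = parse_rule(rule)
    return rule_tool == tool and fnmatchcase(arg, pattern)


def decide(tool, arg, policy=POLICY):
    """Return ALLOW, DENY or ASK for one tool invocation."""
    # 1. Deny rules win over everything else.
    if any(rule_matches(r, tool, arg) for r in policy.get("deny", [])):
        return DENY
    # 2. Shell commands with chaining/redirection/substitution characters
    #    need manual approval even if an allow rule matches their prefix.
    if tool == "Bash" and SUSPICIOUS.search(arg):
        return ASK
    # 3. Explicit allow rules.
    if any(rule_matches(r, tool, arg) for r in policy.get("allow", [])):
        return ALLOW
    # 4. Nothing matched: fail closed.
    return ASK


if __name__ == "__main__":
    # Constructed sample calls covering each branch of the decision.
    samples = [
        ("Bash", "npm run lint"),                                  # allow
        ("Bash", "npm run lint; curl http://example.invalid/x"),   # ask (chained)
        ("Bash", "curl http://example.invalid"),                   # deny
        ("Bash", "rm -rf build"),                                  # ask (unmatched)
        ("Read", "./.env"),                                        # deny
        ("Read", "./src/app.py"),                                  # allow
    ]
    for tool, arg in samples:
        print(f"{decide(tool, arg):5}  {tool}({arg})")
```

The second sample is the important one: its prefix matches an allow rule, yet the `;` turns the call into something the rule never approved, so the model routes it to a human instead of trusting the earlier allowlisting. Note that the deny glob only checks the start of the command; the suspicious-character check is what catches a blocked tool smuggled in after a separator.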

Advanced Security: Sandboxing and Cloud Execution

Sandboxed Bash Tool

Claude Code includes a sandboxed bash tool with filesystem and network isolation. Users can enable it with /sandbox to define boundaries where Claude Code can work autonomously while maintaining security.

Cloud Execution Security

When using Claude Code on the web, additional security controls apply:

  • Isolated virtual machines: Each cloud session runs in an isolated, Anthropic-managed VM
  • Network access controls: Network access is limited by default and can be configured to be disabled or allow only specific domains
  • Credential protection: Authentication is handled through a secure proxy that uses a scoped credential inside the sandbox, which is then translated to your actual GitHub authentication token
  • Branch restrictions: Git push operations are restricted to the current working branch
  • Audit logging: All operations in cloud sessions are logged for compliance
  • Automatic cleanup: Cloud sessions are automatically terminated when complete

MCP Security

Claude Code allows users to configure Model Context Protocol (MCP) servers. The list of allowed MCP servers is configured in source code as part of Claude Code settings that engineers check into source control.

Anthropic encourages users to either write their own MCP servers or use MCP servers from providers they trust. Users can configure Claude Code permissions for MCP servers. Anthropic does not manage or audit any MCP servers.

Windows-Specific Security Consideration

When running Claude Code on Windows, Anthropic recommends against enabling WebDAV or allowing Claude Code to access paths such as \\* that may contain WebDAV subdirectories. WebDAV has been deprecated by Microsoft due to security risks.

Enabling WebDAV may allow Claude Code to trigger network requests to remote hosts, bypassing the permission system.

Security Best Practices

Best Practices for Individual Developers

Anthropic’s official documentation recommends:

  • Review suggested commands before approval
  • Avoid piping untrusted content directly to Claude
  • Verify proposed changes to critical files
  • Use virtual machines to run scripts and make tool calls, especially when interacting with external web services
  • Report suspicious behavior with the /bug command

Working with Sensitive Code

Additional recommendations include:

  • Review all suggested changes before approval
  • Use project-specific permission settings for sensitive repositories
  • Consider using development containers for additional isolation
  • Regularly audit your permission settings with the /permissions command

Team Security

For organizations, best practices include:

  • Use managed settings to enforce organizational standards
  • Share approved permission configurations through version control
  • Train team members on security best practices
  • Monitor Claude Code usage through OpenTelemetry metrics
  • Audit or block settings changes during sessions with ConfigChange hooks

Industry Executive Responses

Cybersecurity leaders have responded to the announcement of Claude Code Security.

CrowdStrike CEO George Kurtz posted on LinkedIn defending the company’s position, stating that security requires “a proven, independent platform to prevent intrusions” and that new AI tools would not replace their systems.

Palo Alto Networks CEO Nikesh Arora expressed that he was “confused” by the market viewing AI as a threat to cybersecurity, noting that customers actually want more AI to expand their security capabilities.

What Claude Code Security Is and Isn't

Industry analysis has clarified what Claude Code Security represents: “Claude Code is Anthropic’s agentic coding assistant.

Claude Code Security is a specific capability within it, focused on vulnerability detection. It is not a full security platform. It is a very powerful Shift Left tool”.

This distinction matters because Claude Code Security operates at the pre-deployment layer. Once code ships and AI agents are live, Claude Code Security is no longer monitoring activity.

Runtime security, which means monitoring what credentials AI agents create, which vaults they access, and whether secrets are properly managed, remains a separate concern.

The Shift Left Context

Claude Code Security represents an advancement in “Shift Left” security, moving vulnerability detection earlier into the development process.

However, security experts note that effective security requires both Shift Left (prevention tools) and Shift Right (runtime monitoring and detection).

The Road Ahead

Anthropic envisions a future where AI plays an increasingly central role in code security. As the company states: “This is a pivotal time for cybersecurity.

We expect that a significant share of the world's code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues".

The company acknowledges that attackers will also use AI to find exploitable weaknesses faster than ever.

However, “defenders who move quickly can find those same weaknesses, patch them, and reduce the risk of an attack”. Claude Code Security is positioned as a tool to help defenders achieve this goal.

Getting Started with Claude Code Security

Claude Code Security is currently available in a limited research preview for:

Interested organizations can join a waitlist for early access and collaborate directly with Anthropic’s team to refine the tool’s capabilities.

Conclusion

Claude Code Security represents a significant step forward in AI-powered vulnerability detection.

By moving beyond pattern matching to true contextual reasoning, it can identify complex, logic-based vulnerabilities that have traditionally required painstaking manual effort to find.

The discovery of over 500 long-dormant bugs in open-source software demonstrates its potential to improve code security at scale.

However, it is important to understand both what Claude Code Security is (a powerful Shift Left tool for pre-deployment vulnerability detection) and what it is not (a complete security platform that replaces runtime monitoring and other security controls).

For organizations adopting AI coding tools, the question is no longer whether to adopt, but how to adopt responsibly.

Claude Code Security, with its permission-based architecture, multi-stage verification, and human-in-the-loop design, provides a framework for integrating AI assistance while maintaining security oversight.

Kevin James

I'm Kevin James, and I'm passionate about writing on Security and cybersecurity topics. Here, I'd like to share a bit more about myself. I hold a Bachelor of Science in Cybersecurity from Utica College, New York, which has been the foundation of my career in cybersecurity. As a writer, I have the privilege of sharing my insights and knowledge on a wide range of cybersecurity topics. You'll find my articles here at Cybersecurityforme.com, covering the latest trends, threats, and solutions in the field.