Anthropic’s launch of Claude Code Security sent cybersecurity stocks into a sharp decline, with investors interpreting the AI-powered vulnerability scanning tool as a threat to established players in the sector.
The Global X Cybersecurity ETF dropped 4.9%, its lowest closing since 2023, while CrowdStrike fell 8%, Cloudflare slid 8.1%, and both SailPoint and Okta shed more than 9%.
The tool, now available in a limited research preview for Enterprise and Team customers, is built into Claude Code on the web and can scan entire codebases for security vulnerabilities, propose targeted patches, and surface findings for human review, all without relying on the rule-based pattern matching that most traditional security tools use.
What Claude Code Security Does
Traditional static analysis tools work by matching code against a library of known vulnerability patterns. They are fast, predictable, and useful for catching well-documented flaws, however, they routinely miss complex, context-dependent bugs that require understanding how different parts of a system talk to each other.
Claude Code Security takes a different approach. Rather than scanning for patterns, it reads and reasons through a codebase the way a human security researcher would by tracing how data moves through an application, examining how components interact, and flagging issues that rule-based tools overlook. It targets high-severity vulnerability classes, memory corruption, injection flaws, authentication bypasses, and complex logic errors.
Every finding goes through what Anthropic describes as a multi-stage verification process. Claude re-examines its own results, attempting to confirm or disprove each one before it reaches an analyst. Findings are then assigned severity and confidence ratings, so teams can prioritize the most urgent fixes. Crucially, no patch is applied automatically as every suggested fix requires human review and approval before it goes anywhere near a codebase.
The research preview is currently open to Anthropic’s Enterprise and Team customers, who gain early access and the ability to work directly with Anthropic’s team to shape the tool’s development.
How the Cybersecurity Industry Responded
The stock selloff triggered a flurry of commentary, with some observers declaring the tool a threat to the entire application security market. CrowdStrike co-founder and CEO George Kurtz pushed back directly, noting that Claude Code Security tool still operates at the development stage as it only scans code before it ships, unlike CrowdStrike’s Falcon platform that responds to live threats after deployment. The two, he argued, address entirely different points in the security lifecycle.
Kurtz also asked Claude directly whether it could replace what CrowdStrike does. Claude’s answer was no.
“I appreciate the ambition, George, but I have to be straightforward: building a replacement for CrowdStrike isn’t something I can do here, and it wouldn’t be responsible for me to suggest otherwise,” was Claude’s response.
The Dual-Use Question
Anthropic has been careful to acknowledge that the capabilities behind Claude Code Security work in both directions. Attackers can use AI to find exploitable weaknesses just as defenders can use it to find and patch them first.
Logan Graham, one of the leaders on Anthropic’s Frontier Red Team, told Fortune that Anthropic is actively investing in safeguards to detect when the system might be used with malicious intent, though the company declined to share the specific mechanisms involved to avoid providing a roadmap for bad actors.
“It’s really important to make sure that what is a dual-use capability gives defenders a leg up,” Graham said.
Anthropic’s own statement on the launch put the stakes plainly, saying defenders who move quickly can find vulnerabilities, patch them, and reduce attack risk before adversaries get there. The alternative, which is waiting, means the same AI tools will be used against them.
Whether that translates into a fundamental threat to the cybersecurity industry or simply a new category of tool within it is a question the industry is still working out.
