Anthropic released Claude Code Security in a limited research preview on February 20th. If you work in security, it’s worth understanding exactly what it is, what problem it solves, and what it doesn’t cover.
The problem it’s solving
Static application security testing (SAST) has been the first step in automated security testing for years. The core limitation is that it’s rule-based. It matches code against known vulnerability patterns, which means it catches things like exposed credentials, outdated cipher usage, and well-documented injection patterns. It consistently misses anything that requires understanding runtime context.
Complex vulnerabilities don’t look like known patterns. Business logic flaws, broken access control, subtle trust boundary violations, these require a reader to understand how data moves through a system and how components interact. Traditionally, that meant human security researchers. The problem is that security researchers are expensive, limited in number, and buried under backlogs. Most code never gets that level of review.
What Claude Code Security actually does
Claude Code Security replaces the pattern-matching approach with reasoning. It approximates human-style reasoning through LLM-based semantic analysis: tracing data flows, mapping component relationships, and identifying vulnerabilities that only become visible when you’re able to get some more context.
Before any finding reaches a developer, it goes through a multi-stage verification process. This has yet to be proven, so we can’t testify to the real-world accuracy of the system, but here’s the idea: Claude re-examines its own results, attempting to prove or disprove each one, which filters out the false positives that make traditional tools exhausting to use. Validated findings are assigned severity ratings so teams can prioritize. Suggested patches are queued for human review in the Claude Code Security dashboard. Nothing is applied automatically. A developer approves every fix.
Anthropic has been building toward this for over a year. Their Frontier Red Team has been testing Claude’s security reasoning in competitive Capture-the-Flag events, in critical infrastructure defense experiments with Pacific Northwest National Laboratory, and against real production code. Using Claude Opus 4.6, that team found over 500 vulnerabilities in open-source codebases, bugs that had survived years of expert review undetected. They’re working through responsible disclosure on those now.
The short version: Claude Code Security is an AI doing security testing, and doing it at a scale and depth that wasn’t previously possible without a large team of human experts.
Security for AI, AI for security
Claude Code Security fits into a category that’s easy to describe: using AI to do security work better. The AI is the tool, and the output is more thorough, more accurate code analysis. This is a significant advancement for application security teams, and it addresses a real, well-understood bottleneck.
There’s a separate category that’s newer and less well-understood: securing the AI itself.
These are not the same problem, and they require different thinking. An AI agent doing security research is still software. It has a permission scope. It connects to external systems. It processes inputs that can include malicious content. It operates within a broader infrastructure. All of that needs to be governed and protected, just like any other high-privilege system in your environment.
As AI agents take on more capable roles, whether that’s security research, code generation, data analysis, or process automation, this second category becomes more consequential. The more access an agent needs to do its job effectively, the more important it is to have visibility into what it’s doing, what it can reach, and whether its behavior stays within expected boundaries.
What this means in practice
Claude Code Security can provide meaningful value, but only if it is deployed with the same discipline as any other system that has deep access to your environment. It requires visibility into full codebases, which often include sensitive business logic, configuration data, and proprietary algorithms. That means organizations should treat it as a high-privilege system and apply strict access controls, scoped repository permissions, credential redaction policies, and clear data handling agreements before enabling it broadly.
Because it may connect to external systems via MCP to gather context, those integrations should be explicitly allow-listed, monitored, and logged. AI-driven tooling should not have open-ended connectivity to internal or third-party systems without oversight.
Finally, assume adversarial input. Code comments, metadata, or test files could contain malicious or manipulative instructions designed to influence model behavior. Implement prompt injection safeguards, sandboxed analysis environments, and human validation checkpoints. AI security tools should operate in constrained execution environments, not with implicit trust in all inputs.
In short, if an AI tool has full visibility into your software supply chain, it must be governed as part of your critical infrastructure, not treated as a convenience feature.
This is where Noma operates. Noma’s job is not to scan your code for vulnerabilities. That’s what Claude Code Security does. Noma’s job is to secure the agents doing that work, and every other AI agent running in your environment.
That means maintaining a real-time inventory of every agent, every model, and every external connection in your AI stack. It means evaluating the risk profile of each agent based on its permission scope and what data it can reach, so you can identify and close over-provisioned access before it becomes a problem. And it means inspecting agent behavior at runtime, so if an agent is manipulated into taking an action it shouldn’t, you can block it before it executes.
Noma’s approach to AI security
Noma’s mission is to enable the safe adoption of AI across the enterprise. AI is moving at an unprecedented speed, with new innovations being introduced daily. While everyone is under pressure to realize the potential of AI, Noma is here to make sure you can do it securely. We do that by focusing on three core areas:
- Continuous Discovery and Inventory: You can’t secure what you can’t see. Noma automatically discovers every Claude Code instance and MCP server across your development environment, including shadow installations that were never approved. It maps every tool each server exposes, surfaces unvetted community servers, and gives security teams a real-time inventory of their full AI attack surface.
- Risk Assessment: Not all MCP servers carry the same risk. Noma automatically flags risky characteristics like unknown sources, production exposure, embedded secrets, and destructive tools that can write, modify, or delete, while evaluating supply chain risk from open-source or community packages. The result is a prioritized risk view that tells you where to focus first
- Runtime Guardrails: Noma monitors Claude Code activity in real time and intervenes when things go wrong. It watches MCP tool invocations as they happen, detects sensitive data leakage before it leaves your environment, and flags destructive actions that lack user confirmation. When Noma detects something wrong, it doesn’t just alert. It blocks the action before damage is done.
The evolution of cybersecurity
The security industry has spent decades building discipline around how to govern high-privilege software: least-privilege access, audit logging, behavioral monitoring, network segmentation. AI agents are subject to the same principles. What’s new is that most organizations are deploying them without the governance infrastructure that would be considered standard for any other class of high-privilege tooling.
Claude Code Security is a good example of why that needs to change. It’s a genuinely useful tool that can find vulnerabilities faster and more thoroughly than most teams could manage on their own. Using it well means giving it the access it needs to be effective while keeping appropriate oversight in place. That oversight is what Noma provides.
AI agents doing more sophisticated security work is a net positive for defenders. It only creates new risk if you’re not treating the agents themselves as assets that need to be secured.
