Anthropic recently published a guide on using LLMs to secure source code. It describes a six-step loop — threat model, sandbox, discovery, verification, triage, patching — for using Claude Opus to find vulnerabilities in codebases. The process is well-designed. The separation of discovery and verification into independent agents is better than most approaches. The emphasis on threat modeling before scanning is correct. The practical advice (pin your dependencies, sandbox faithfully, don't let the discovery agent self-censor) comes from real experience with real teams.
For the class of problem it addresses — finding known vulnerability patterns in source code — this is a strong guide. Teams should read it and use it.
The concern is with the framing. "Using LLMs to secure source code" presents one class of security problem as if it were the security problem. That framing makes several other classes of security problem — arguably the ones that cause the most damaging breaches — invisible. Not rejected. Not deprioritized. Invisible. When a frontier AI lab publishes a guide that frames security as "find bugs in code and fix them," the industry follows, and the invisible problems stay invisible.







