Security News

Cybersecurity news aggregator

Source: Dark Reading

Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy

  • What: AI tools for finding security vulnerabilities are being criticized for their performance
  • Impact: Enterprises and developers are concerned about the effectiveness of AI in security

Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy

Using AI to find security vulnerabilities holds significant promise, but the initial products fall short of the needs of enterprises and software developers, say experts.

Robert Lemos, Contributing Writer
February 27, 2026
5 Min Read

Anthropic's announcement of a limited research preview of Claude Code Security — a tool that reads code, finds vulnerabilities, and proposes fixes — has caused no small amount of turmoil in the cybersecurity industry. Anthropic revealed that its latest reasoning engine, Claude Opus 4.6, found more than 500 zero-day vulnerabilities in open-source projects.

While many investors panicked on the news, application-security experts cautioned that the initial iteration of Claude Code Security and OpenAI's Aardvark tool, released in October, are slow, prone to false positives, and do not readily fit into the development pipelines of most enterprises.

Even as the system evolves, automated reasoning about code security may be limited to helping AI companies produce more secure code or helping developers better understand their code, not necessarily replacing existing security checks in the current pipeline, says Julian Totzek-Hallhuber, senior principal solution architect at Veracode.

"Does it really fit my process when vibe coding is so fast in helping me build these applications, but then I'm slower using these tools and finding the flaws in code compared to another tool?" he says.

Instead, existing vendors, such as Veracode, are already using their expertise as well as "using AI tools in the background to help developers better understand and generate fixes for them."

As AI vendors move into various market segments, the market reacts with uncertainty. Yet the reaction ignores the complexity of how many software vendors address their customers' needs, a team of analysts at Forrester Research stated on Feb. 11 in a research note. Companies with specific expertise can "preserve their moat using what's hard for AI-only companies to replicate: their deep vertical experience building specialized solutions; deep bench of consulting partners; access to vast customer data for benchmarking and machine learning; and the integration of people, process, tech, and governance," the analysts wrote.

Slow and Prone to False Positives

As with most AI innovations, it's too early to tell whether those predictions will hold for the application-security market, but so far, most experts consider the initial tools more of a preview than a product.

Among the most serious concerns: Developers and application-security experts are complaining that the scans are currently far too slow. In one test posted to LinkedIn, an analyst found that the security review function in Claude Code, which is likely the basis of Claude Code Security, took 17 minutes to review a code sample, finding three vulnerabilities, two of which were false positives. In comparison, OpenGrep took 30 seconds to find the same issue, the post stated.

It's a finding confirmed by Neatsun Ziv, co-founder and CEO of OX Security, a security platform for vibe-coding developers. In his own tests, Claude Code Security took more than 15 minutes — and cost $4 in token costs — to find a flaw that could be found with a static application security testing (SAST) tool for less than a cent, he says.

In addition, today's development processes use a variety of tools to provide defense-in-depth throughout the software development lifecycle. A pipeline that relies on the same foundational AI for both writing and reviewing code is not ideal, Ziv argues. With human developers, the best security practice is to prevent the same programmer from writing and reviewing code for a new feature, patch, or modification.

"They [Anthropic] are actually using Claude Code on themselves, and it's kind of an issue when you're saying, 'Hey, I'm a developer ... I'm writing the code [and] I'm going to test my own code,'" Ziv says.

Complementary, Not a Substitution

In many ways, Anthropic's and OpenAI's tools seem less about improving the security design and codebases of human-created applications and more about making up for the shortcomings apparent in AI-assisted and agentic-AI development, such as the OpenClaw development saga, says Veracode's Totzek-Hallhuber.

Figure: The share of organizations affected by both overall and critical security debt rose in 2026. Source: Veracode

In its "2026 State of Software Security Report," Veracode found that companies are accruing more security debt and producing more high-severity vulnerabilities due to the faster generation of code: 82% of companies had debt, compared to 74% last year, and 11.3% of vulnerabilities ranked as severe, compared to 8.3% the previous year. The trends are likely caused by the rapid adoption of agentic-AI development platforms, he says.

"Everybody's complaining about, whenever I write code, I am fast, but I'm insecure like crazy," says Totzek-Hallhuber. "So it's interesting to see all these AI vendors [supporting] their vibe coding with security-testing solutions."

In addition, the Anthropic announcement does not address the hard part of vulnerability management: not just finding vulnerabilities, but remediating them in a way that fits with a company's development pipeline, Randall Degges, vice president of AI engineering and developer relations at application-security firm Snyk, wrote in a response to Claude Code Security.

"The hard part, the part that keeps AppSec teams up at night, the part that generates the multi-year backlogs and the 'we'll get to it next sprint' conversations, is fixing them," he said. "At scale. Across hundreds of repositories. Without breaking anything. While developers are shipping new features at breakneck speed. In code they didn't write, using libraries they didn't choose, in languages they may not be experts in."

Yet replacing manual code review with AI-augmented review and using AI to enrich and explain vulnerability findings could both be of real value, says Veracode's Totzek-Hallhuber. And they may expand the application security market rather than shrink it, he says.

"Thirty years back, we did manual code reviews, [but] that art died somehow — it doesn't really exist anymore today," he says. "Now you can do this with an AI tool, ... allowing you to interact with the results and the tools, and maybe that's building a new industry for us again."

About the Author

Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
