
Investors overreact every time a new AI tool or feature is announced these days. Last week was no different: when Anthropic launched Claude Code Security, a tool capable of autonomously finding and patching vulnerabilities, shares of elite cybersecurity companies plummeted in a flash. But is the risk of AI agents cannibalizing the market even real?
Claude Code Security, a new feature from Anthropic, scans codebases for vulnerabilities and suggests patches to fix issues.
“It scans codebases for security vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix security issues that traditional methods often miss,” Anthropic said in an announcement.
“Finding the subtle, context-dependent vulnerabilities that are often exploited by attackers requires skilled human researchers, who are dealing with ever-expanding backlogs. AI is beginning to change that calculus.”
Even though the new capability is currently only available as a limited research preview, the announcement alone sent some cybersecurity stocks – such as CrowdStrike, Okta, Cloudflare, and Sailpoint – into a downward spiral.
Is this the end of cybersecurity as we know it? After all, Anthropic also said recently that Claude Opus 4.6 “found and validated more than 500 high-severity vulnerabilities” in open source code.
“Some had gone undetected for decades,” the firm added for good measure.
No wonder investors are panicky. But (human, so far) cybersecurity experts tell Cybernews that the update is not as sexy as the AI evangelists – with an obvious financial interest – claim it to be.
This isn’t new, and this isn’t a miracle
Firstly, let’s measure the mere hype. Because it’s this – not actual developments on the ground, even if it’s digital – that the market usually reacts to.
Someone on LinkedIn even offered a better headline for Anthropic’s announcement: “Reporting on the alleged added value of the Claude security tool is unsettling investors.”
Exactly – investors are easy to unsettle. In recent weeks, shares of software and cloud services (SaaS) companies have plunged following the launch of AI vibe-coding tools that allow users to build advanced applications using natural language.
Data analytics and digital forensics firms fell after Anthropic introduced an add-on to its AI assistant, Claude, turning it into an autonomous agent capable of automating certain enterprise tasks.
And wealth management stocks slid after the debut of AI-driven tax planning tools from startups such as Altruist. All of this happened within a single month.
Moreover, what Anthropic is now doing isn’t even new. According to Wired, Amazon also uses AI agents to find security flaws and suggest fixes internally, and Microsoft’s AI staff remediate vulnerabilities, automate the identification of impacted devices, and initiate fixes.
Google said as early as November 2024 that its LLM-based bug-hunting tool was the first AI to spot a memory-safety vulnerability in the wild and fix it. Another AI agent, CodeMender, automates patch creation.
Neither of these developments shook the cybersecurity market as hard as Anthropic’s announcement, though.
It’s probably because this particular firm is considered one of the strongest players in the enterprise AI market and is watched really closely by industry insiders and, of course, investors.
But even Anthropic itself took great care to point out that human cyber pros will still be the ones signing off on any fixes.
“Nothing is applied without human approval: Claude Code Security identifies problems and suggests solutions, but developers always make the call,” the company said.
Killer app? Definitely not
Indeed, the rush to sell the shares of CrowdStrike and other cybersecurity companies seems more like selling the fire department because someone invented smoke detectors.
“AI is not a replacement for human judgment. It generates far more signals than teams can blindly act on, so operational discipline, oversight, and tool diversity are critical,” says Ravid Circus, co-founder and chief product officer at cybersecurity firm Seemplicity.
“Simply relying on the tool itself isn’t enough to ensure security. It must be integrated into accountable, human-centered workflows.”
Joshua Scarpino, CISO at TrustEngine, thinks that the market reaction to Anthropic’s announcement was an example of confusing efficiency with agency. To him, cybersecurity’s nature has always been sociotechnical.
“The cyber industry’s business model is not under threat: it’s being forced to mature and pivot to address modern threats,” Scarpino told Cybernews.
“We are moving away from ‘checkbox security’ toward a model in which AI handles the repetitive, data-intensive tasks of threat detection, while human experts focus on strategic governance, ethical oversight, and complex incident response.”
Of course, it’s simply illogical not to recognize what finding 500 serious vulnerabilities in open-source projects means for source code analysis. But source code bugs are just one input into a security program, Collin Hogue-Spears, senior director of solution management at cybersecurity firm Black Duck, explains.
Indeed, Claude Code Security and similar tools don’t generate a software bill of materials. They don’t check whether an open-source component’s license allows commercial distribution.
They don’t scan compiled binaries, and, actually, the few independent tests that exist show that AI catches fewer than half of planted backdoors. They don’t produce the audit evidence required by the European Union or US regulators.
“CrowdStrike sells endpoint detection. Okta sells identity. Claude Code Security does source code analysis. The overlap between those categories is close to zero,” says Hogue-Spears.
“Calling this a killer app for cybersecurity is like calling a thermometer a killer app for medicine. Accurate readings matter, but they don’t replace treatment.”