For a while, there has been a common notion among security teams that finding serious software vulnerabilities is expensive, slow and limited by human attention. Now, Anthropic suggests it can change this notion with its latest release, Claude Opus 4.6.
In blog post on Thursday, Anthropic says the model will be able to uncover high-severity vulnerabilities “out of the box,” without custom tooling or specialised prompting.
In early tests, the company claimed that Claude Opus 4.6 identified bugs in heavily audited open-source projects, including vulnerabilities that had survived years of continuous fuzzing, testing for vulnerabilities, and “millions of hours of CPU time.” Some of those issues, Anthropic notes, had gone undetected for decades.
“Even more interesting is how it found them,” the post says. “Fuzzers work by throwing massive amounts of random inputs at code to see what breaks. Opus 4.6 reads and reasons about code the way a human researcher would—looking at past fixes to find similar bugs that weren't addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it.”
The Claude Opus 4.6. is important because open-source software sits at the heart of almost everything, from enterprise systems to critical infrastructure. Many of the projects that underpin the internet are maintained by small teams with limited security resources. When vulnerabilities slip through, the blast radius is wide. Anthropic says it has already found and validated more than 500 high-severity issues and is working directly with maintainers to get them patched.
This isn’t the only project like this. Late last year, Google disclosed that its own AI agent, Big Sleep (formerly Project Naptime), uncovered a previously unknown critical flaw in SQLite before attackers could exploit it. In both cases, the models didn’t outperform humans by brute speed alone; they succeeded by reasoning about code structure, history, and assumptions that had gone unchallenged.
The larger question is what happens next. Disclosure timelines built for human-paced discovery may not hold when hundreds of bugs can surface in parallel. Defensive teams may gain a temporary advantage, but only if they move quickly enough to act on it.
Emmanuel Oyedeji
