Introduction
As a product security engineer, I’m always looking for tools that can help me move faster without compromising on security. Recently, I’ve started using Claude Code, and I’m genuinely impressed by how well it can augment appsec workflows.
The AppSec Challenge
Security engineering often feels like we’re underwater, drowning in code reviews, vulnerability assessments, threat modeling, and the constant need to stay ahead of emerging threats, and that was before the velocity increase caused by AI coding tools. I know I’ve often felt like this:

Where Claude Code Shines for AppSec
1. Codebase Analysis
Claude Code can help you quickly gain context on an unfamiliar codebase. See my post here about leveraging AI tools more broadly. However, Claude Code seems uniquely adept at understanding an entire codebase, and it turns manually hunting through files to build that understanding into a Q&A session with Claude instead:
Hey Claude, where in this codebase is authorization handled? Give me a summary of how it is implemented
give me a list of all endpoints that are unauthenticated
show me where database operations are handled
This means that an appsec engineer can drop into a codebase they’ve never seen before and have a usable understanding of key pieces of the app within minutes rather than hours. Additionally, with Claude Code and other dev tools increasing the rate and size of PRs, this can be critical for keeping up with the pace of AI-generated code.
2. Security Testing Script Generation
Need to generate test cases for a new authentication flow, or a PoC for a vulnerability you think made it to production? Claude can do that in a minute given enough context about what you’re doing, and unlike a year or two ago, it often gets it right on the first try. This means that instead of handing engineers a theoretical vulnerability to fix, you can give them a CLI tool built specifically for testing the vulnerability and verifying the fix.
3. AppSec Engineers as Actual Engineers
But why stop there? With tools like Claude Code you can actually write the fixes yourself, if your company’s PR culture allows it. Instead of a vulnerability ticket, you hand the engineering team a PR with the fix. No more waiting around for them to prioritize it.
Additionally, it expands what we can do, because now writing and maintaining our own security-related internal services isn’t that hard or expensive to do.
Important Caveats
- Claude isn’t a replacement for appsec expertise. While Claude is excellent at understanding what is right in front of it, it will definitely miss things if it is the only review you do. Use it as a junior reviewer, not your only defense.
- Context matters. The more context you provide about your systems, the better Claude can help. Giving it the PR in addition to the code, or even the entire product design document, can change the quality of the AI review.
- Don’t be afraid to challenge the model’s thinking or decision processes. The good news is that LLMs never get offended, so you can argue with them all day without a problem. Often, if you’re reading through something Claude tells you and feel yourself raise an eyebrow inside, there’s a good reason. Claude is getting better at avoiding sycophancy: it will often provide further reasoning if it’s actually right, or sometimes it will notice that it is actually wrong.
- Understand the answers, don’t just copy and paste them.
- Tools like Claude Code introduce new attack vectors of their own. Familiarize yourself with the security breaches surrounding these tools and think about how to mitigate them in your environment.
The Productivity Gain
For me, the real value is using Claude Code as a force-multiplier. Instead of spending a day or even a week reviewing a codebase, I can be reviewing several at once, while also scripting something, while also working on building or maintaining a security service I own. The only limit is my ability to context switch.
Claude Code Security
It should also be noted that Anthropic just recently announced Claude Code Security, but it remains to be seen what improvements this might add to the process.
Conclusion
Claude Code won’t replace you or your security team, but it can help you spend less time on routine analysis and more time on the complex, creative security work that only humans (and experienced security engineers in particular) can do well.