Anthropic and OpenAI's Free LLM-Based Security Scanners Expose Critical Blind Spots in Traditional SAST Tools, Reshaping Application Security Market
Anthropic and OpenAI have independently launched new reasoning-based vulnerability scanners, Claude Code Security and Codex Security, respectively, disrupting the application security market. These tools, which leverage large language model (LLM) reasoning instead of traditional pattern matching, have demonstrated the structural inability of existing Static Application Security Testing (SAST) tools to detect entire classes of vulnerabilities. Anthropic's Claude Opus 4.6, for instance, identified over 500 previously unknown high-severity flaws in open-source codebases, including a heap buffer overflow that even advanced fuzzing missed. Both Claude Code Security and Codex Security are currently offered free to enterprise customers, signaling a permanent shift in procurement strategies for security solutions. The competitive landscape, driven by these two tech giants, is expected to rapidly enhance detection quality, prompting security directors to evaluate these new tools.
OpenAI and Anthropic have independently entered the application security market with new vulnerability scanners that utilize large language model (LLM) reasoning, fundamentally challenging traditional static application security testing (SAST) tools. OpenAI launched Codex Security on March 6, following Anthropic's introduction of Claude Code Security 14 days prior. Both scanners diverge from conventional pattern matching, instead employing LLM reasoning to identify vulnerabilities.
These new tools have exposed a significant structural blind spot in traditional SAST, revealing entire classes of vulnerabilities that existing solutions were not designed to detect. The competitive dynamic between Anthropic and OpenAI, with a combined private-market valuation exceeding $1.1 trillion, is expected to accelerate improvements in detection quality at a pace unmatched by single vendors.
Anthropic's zero-day research, published on February 5 alongside Claude Opus 4.6, highlighted its capabilities. Anthropic stated that Claude Opus 4.6 discovered more than 500 previously unknown high-severity vulnerabilities in production open-source codebases. These flaws had eluded detection through decades of expert review and millions of hours of fuzzing. A notable example includes a heap buffer overflow found in the CGIF library, which Claude identified by reasoning about the LZW compression algorithm – a flaw that coverage-guided fuzzing, even with 100% code coverage, failed to catch.
Claude Code Security was released as a limited research preview on February 20, made available to Enterprise and Team customers, with free expedited access for open-source maintainers. Gabby Curtis, Anthropic’s communications lead, indicated that Anthropic developed Claude Code Security to enhance security efforts. Both Claude Code Security and Codex Security are currently offered free to enterprise customers, a move that is expected to permanently alter procurement considerations for security solutions. While neither tool is intended to replace existing security stacks, their emergence necessitates that security directors evaluate their potential impact and integration strategies.