Follow ZDNET: Add us as a favorite source On Google.
ZDNET Highlights
- AI vulnerability scanning is moving into the developer workflow.
- Cloud Security transforms the findings into prioritized improvement guidance.
- Protecting these devices from attackers is a big challenge.
Anthropic has announced a new defensive cybersecurity product, Cloud Security. Right now, it’s available in public beta for enterprise-tier cloud users, with availability for cloud team and max-tier users “coming soon.”
Also: Apple, Google and Microsoft join forces with Anthropic’s Project Glasswing to protect the world’s most critical software
Cloud Security is another tool in Anthropic’s cyberdefense toolbox. This gives security teams a way to “scan the codebase for vulnerabilities and generate targeted patches” using the Cloud Opus 4.7 model.
At the beginning of the month, Anthropic launched Project Glasswing, an AI Manhattan project aimed at finding vulnerabilities in the world’s open-source software infrastructure.
Glasswing uses an anthropic model called Mythos, a model considered so dangerous that it is not being released to the public. It is being shared with Glasswing participants, which include former competitors such as Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks.
vulnerability scanning
Vulnerability scanning is at the core of both Project Glasswing and cloud security. Most cyberattacks begin with an enemy actor exploiting a vulnerability. Therefore, if defenders can find and fix vulnerabilities, the malicious criminal has a smaller attack surface.
Memorization Star Wars? the whole plot of a new Hope Revolves around the plans for the Death Star that Princess Leia stores in R2-D2. Once rebels have those plans, they are able to find a vulnerability. All Luke and the other pilots have to do is fire a torpedo down the exhaust port on the Death Star, and… BOOM!
That, boys and girls, is a vulnerability. The Death Star had a fatal flaw. There are probably more in your codebase. Anthropic’s new cloud security tool wants to find attackers before they get there.
In the real world, everything runs on software, which is inherently insecure. Vulnerabilities not only open doors for adversaries to exploit, but they can also cause harm due to bugs existing and experienced by users of the software.
Also: I linked two AI tools together to solve a major bug – but they couldn’t do it without me
I first used AI to perform vulnerability scanning with OpenAI’s Codex in September. At that time, it failed because it could not handle the project-wide context. But when I combined the AI pair programming tool with ChatGPT’s Deep Research, which is better with lots of data, both found several critical vulnerabilities in my security software, which I immediately fixed.
Since then, both codecs and cloud code have gotten better in terms of how much code they can process in a context, but neither has been able to handle entire large codebases at once.
However, Mythos can. It can also handle relationships between codebases on a large scale. But it is not available to the public, even through enterprise-level fees. last month, OpenAI introduces codec protectionWhich also provides a wide range of context analysis. And now cloud security can perform similar large-scale scans.
This new product is capable of scanning the entire repository or target directory. According to Anthropic, “The cloud reasons about code the same way a security researcher does, tracing data flows, reading source code, and figuring out how components interact in files and modules.”
There’s more to cloud security, but first let’s talk about the big vulnerability introduced by vulnerability-scanning AI.
weapons of digital destruction
Vulnerability scanners help defenders defend themselves. But they also help attackers figure out where to attack. That was the whole point of the Rebels’ attack on the Death Star. Once they discovered a vulnerability, they could exploit it.
For example, both Microsoft And OpenAI State-affiliated actors in China, Iran, Russia, and North Korea have been reported to have used large language models to research various companies and cybersecurity tools, debug code, generate scripts, and create potential content for use in phishing and spear-phishing campaigns.
Too: AI is becoming very good at finding hidden software bugs – even in decades-old code
Anthropic is trying to prevent its models from being used in a similar manner. With the launch of Opus 4.7, the company includes new cybersecurity measures that automatically detect and block requests that indicate prohibited or high-risk cybersecurity use.
For example, Opus 4.7 now blocks “activities that are almost always used maliciously and that have no legitimate defensive application, such as large-scale data exfiltration or ransomware code development.”
On the other hand, what about activities that have legitimate defensive applications, such as vulnerability exploitation or offensive security tool development? Opus 4.7 also prevents these activities, but only cyber security researchers who have been approved to engage in Anthropic’s Cyber Verification Program Get access to AI capabilities in this restricted gray zone.
Too: This new cloud code review tool uses AI agents to check your pull requests for bugs – here’s how
Effectively, those who are able to obtain security clearance from Anthropic can use Opus 4.7 to perform blocked security activities while doing their job. Disclosure: I am an authorized member of Anthropic’s Cyber Verification program, so I have access to these capabilities as part of my cyberwarfare, cyberdefense, and counterterrorism work.
Making vulnerabilities actionable
The problem with vulnerability scanning is that it can become a source of noise. Every little thing can be flagged, and you can spend hours or days chasing down that bug instead of fixing a vulnerability that has consequences small enough to cause an extinction-level event.
Cloud Security is introducing a “multi-stage verification pipeline that independently verifies each search before it reaches the analyst, and each result gets a trust rating.”
The AI is able to explain each “finding” in detail, including factors such as confidence, severity, potential impact, remediation steps, and recommended solutions. This can be extremely helpful, as developers can prioritize working on those high-confidence, large-impact, critically troubling problems first without wasting time on lesser issues.
Too: Why is AI both a curse and a boon for open-source software, according to developers?
From these findings, cloud security gives defenders the ability to open code in cloud code in context, so they can view and modify areas that need work directly from search results.
Anthropic has also added a series of workflow optimizations. It says, “We’ve added scheduled scans for ongoing coverage, the ability to dismiss findings for documented reasons (so future reviewers can rely on prior triage decisions), and CSV and Markdown exports to integrate findings into existing tracking and audit systems.”
stay safe out there
Cloud security customers can work with technology and security partners. Anthropic specifically pointed to technology partners including CrowdStrike, Palo Alto Networks, SentinelOne, Trend.AI, and Viz that are integrating Opus 4.7 into their cybersecurity platforms.
Also: Google bets $32B on AI agent Cyber Force as security arms race rages on
The company is also working with security partners including Accenture, BCG, Deloitte, Infosys and PwC who are deploying cloud security to help enterprises strengthen their security posture.
Do you find AI vulnerability scanning more useful for finding dangerous flaws or helping developers prioritize faster fixes? Let us know in the comments below.
You can follow my daily project updates on social media. Be sure to subscribe My weekly update newsletterAnd follow me on Twitter/X @davidgewirtzon facebook Facebook.com/DavidGewirtzon instagram Instagram.com/DavidGewirtzon bluesky @DavidGewirtz.comand on youtube YouTube.com/DavidGewirtzTV.
