
Claude Drops Security Into the Product and the Market Panics

Claude launched security straight into the product and the market freaked out. A bunch of cybersecurity stocks tanked after the announcement: CrowdStrike dropped, as did Palo Alto and Cloudflare. The narrative immediately became that this is the beginning of the end for traditional security tooling.

An overreaction, I think.

Opus 4.6 has already been outperforming a lot of purpose-built security tooling, even AI security tooling from just a few months ago. If you were watching closely, this direction was obvious. Researchers were already loading repos into Claude and asking it to find vulnerabilities and suggest fixes. The capability did not suddenly appear; Anthropic just formalized and integrated it.

Security is not one monolithic block. CrowdStrike makes its money on EDR. That is not source-code rewriting. Even companies that have vulnerability management offerings are often diversified across multiple categories. The market treated this as a universal threat to security vendors, ignoring the nuance.

There is a narrow slice of the market that should be paying attention. If your entire product story revolves around finding and fixing code vulnerabilities, you need to sharpen that story quickly.

The “Suggest Fix” Button Is the Real Story

The part that really matters is the “suggest fix” button. If you have ever worked in vulnerability management, you understand how long vendors have chased that feature. For more than a decade companies have tried to build automated remediation. I worked around dynamic scanners, static scanners, WAF integrations, and what we called virtual patching. The idea was simple. Detect the vulnerability and automatically mitigate or rewrite it.

In practice, it rarely worked cleanly.

Network scanners could tell you a package version had a CVE. Static tools could flag a pattern. “Suggest a fix” features existed, but they were limited and situational. Even vendors would admit the success rates were not something you blindly trusted.

Claude changes the equation because it can actually write code at a high level.

The quality of code coming out of Opus 4.6 over the last few weeks crossed a threshold. When Claude identifies a command injection vulnerability and rewrites the function securely with proper subprocess handling, it is not just matching signatures. It understands context. It understands the surrounding logic. It explains what it changed and why.
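To make the command-injection rewrite described above concrete, here is an added Python example (mine, not code from the post or from Anthropic). It assumes a hypothetical helper that wraps a command-line tool such as `nslookup` around a user-supplied hostname. The vulnerable form interpolates the hostname into a string handed to `shell=True`; the hardened form validates the hostname and passes an argv list so no shell ever parses the input. `shell_tokens` shows what the shell would see, without executing anything.

```python
"""Command-injection fix pattern: shell string -> validated argv list.

Constructed example (not from the post). The wrapped tool and the
hostnames used below are assumptions for illustration.
"""
import re
import shlex
import subprocess

# RFC-1123-style hostname: labels of letters, digits and hyphens that start
# and end with a letter or digit, joined by dots. Rejecting anything else
# also blocks option injection (a value beginning with '-').
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str, tool: str = "nslookup") -> str:
    """The string the unsafe version would hand to shell=True.

    Returned rather than executed so the injection is visible without
    running it: "example.com; id" becomes two shell commands.
    """
    return f"{tool} {host}"


def run_vulnerable(host: str, tool: str = "nslookup") -> subprocess.CompletedProcess:
    """The actual bug: untrusted input interpolated into a shell command."""
    return subprocess.run(
        vulnerable_command(host, tool), shell=True, capture_output=True, text=True
    )


def shell_tokens(host: str, tool: str = "nslookup") -> list[str]:
    """Tokenize the interpolated string the way a POSIX shell would.

    punctuation_chars=True makes ';' a token of its own, so the command
    separator that splits the input into two commands stands out.
    """
    lexer = shlex.shlex(vulnerable_command(host, tool), posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def validate_hostname(host: str) -> str:
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def safe_argv(host: str, tool: str = "nslookup") -> list[str]:
    """Hardened form: allow-list the input, then build an argv list.

    With a list and shell=False the operating system receives exactly one
    program and one argument; characters like ';', '|' or '$(...)' are
    plain bytes in that argument, not syntax.
    """
    return [tool, validate_hostname(host)]


def run_safe(host: str, tool: str = "nslookup") -> subprocess.CompletedProcess:
    return subprocess.run(
        safe_argv(host, tool), shell=False, capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    # Constructed inputs. 'echo' stands in for the real tool so the demo
    # needs no network and runs nothing but echo.
    print(shell_tokens("example.com; id"))        # ['nslookup', 'example.com', ';', 'id']
    print(run_safe("example.com", tool="echo").stdout.strip())  # example.com
    for bad in ("example.com; id", "-h", "$(id)"):
        print(bad, "->", "accepted" if is_valid_hostname(bad) else "rejected")
```

The two changes that matter are the allow-list check and the argv list; quoting the input with `shlex.quote` and keeping `shell=True` is a weaker fix because it still depends on a shell parsing the result. This is the shape of rewrite the paragraph above attributes to the model: the surrounding function keeps its signature, the call site does not change, and the explanation of why the list form is safe is the part a reviewer checks.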

None of the traditional vulnerability management vendors had that capability at this level, which is why this launch feels different.

Vulnerability Management Is Still Hard

Finding a bug and fixing it are two different things at ecosystem scale.

For a vulnerability to actually get resolved, the responsible entity must still exist. They must be willing to patch it. The issue must be reported correctly. A fix must be written and tested. It must be distributed. Organizations must evaluate risk versus reliability. They must deploy it. If the patch breaks something, that has to be addressed. That chain does not disappear because a model suggests a patch.

Claude meaningfully improves the detection and initial remediation phase, lowers the skill barrier required to generate a first-pass fix, and increases velocity, giving developers a better starting point than we had before.

I choose to be cautiously optimistic. I use these tools heavily and see the improvements month over month. There are real concerns around automation and over-reliance, and we are too early to declare sweeping outcomes with certainty.

What I do know is that high-quality automated code rewriting is now widely accessible.