Anthropic has open-sourced the Defending Code Reference Harness, a reference implementation for building a vulnerability-finding pipeline around Claude, distilled from its work with corporate security teams.
The repo walks through a full recon, find, verify and report loop on a known-vulnerable open-source library, producing candidate patches, reproducible crashes and exploitability reports rather than a wall of unverified alerts. The honest part is the limits Anthropic names up front: the harness is good at memory-corruption and input-validation bugs, and weak on business-logic and architectural flaws, the classes that require understanding what the software is actually meant to do. A bundled customise skill adapts the autonomous scanner to your own stack.
It lands alongside Anthropic's claim that its internal Mythos preview found more than ten thousand high- and critical-severity vulnerabilities across major systems in weeks, shifting the bottleneck from finding bugs to patching them fast enough. Open-sourcing the finding half hands that same pressure to everyone else's backlog.