Claude Security public beta puts Opus 4.7 on your code

Claude Security is the May 2026 Anthropic launch that hands every Enterprise customer an automated penetration tester running on the Claude Opus 4.7 model. Anthropic moved the tool into public beta on 4 May, opening codebase vulnerability scanning and patch generation to any organisation on a Claude Enterprise plan with nothing more than an admin toggle. The pitch is blunt: point Opus 4.7 at your repository and it reasons through the code like a security researcher rather than pattern-matching like a legacy scanner. For mobile and app teams, that is either the most useful release of the year or a new way to drown in machine-generated findings.

Why Claude Security is a bigger deal than another scanner

Static analysis tools have existed for two decades and most developers ignore them, because they generate walls of low-confidence noise and miss the bugs that actually get exploited. Claude Security is interesting precisely because it does not work like that. Instead of matching code against a signature database, Opus 4.7 reads the source, traces how untrusted data flows through the application, and reasons about how components interact across files and modules. That is the workflow a competent human security researcher uses, and it is the reason Anthropic claims its February research preview found exploitable bugs that commercial scanners had been walking past for years across hundreds of organisations.

The structural shift matters more than the marketing. Claude Security is not an API you wire into a build server with a fortnight of integration work. It is a toggle inside the Claude Enterprise product an admin flips on, after which the tool lives in the Claude.ai sidebar and at claude.ai/security. That is the same low-friction packaging philosophy behind Claude for Small Business, and it is deliberately aimed at the gap legacy AppSec tooling never closed: the team that knows it should be scanning but never finds the engineering budget to stand up the pipeline.

What Claude Security actually does to your codebase

After a scan, Claude Security does not just throw a CVE list over the wall. Each finding ships with a plain-English explanation of the reasoning, a confidence level, a severity rating, the likely real-world impact and steps to reproduce. It then generates patch instructions you can review and apply in context, and the public beta added the practical glue teams asked for: target a scan at a single directory rather than the whole monorepo, dismiss findings with a documented reason so they do not resurface, export to CSV or Markdown for audit trails, and fire results into Slack, Jira or anything else via webhook.

The patching path is the part dev teams should care about most. Because the tool can open a Claude Code session against the same repository, a developer can move from “here is the SQL injection in the auth handler” to a tested, in-context fix without the usual relay race between the security team filing a ticket, an engineer picking it up a sprint later, and QA validating it a sprint after that. Compress that loop and the economics of fixing bugs before shipping change materially. That is a different proposition from a scanner that only ever tells you that you have a problem.

What automated scanning on Opus 4.7 means for mobile and app teams

Mobile app security has always been the awkward middle child of AppSec. A typical app is a thin client wrapping a sprawling backend, third-party SDKs you did not write, insecure local storage, hardcoded keys and a permissions model most teams treat as an afterthought. The classic OWASP Mobile failure modes — insecure data storage, weak crypto, leaky inter-process communication — are exactly the cross-file, data-flow problems a reasoning model is better placed to spot than a signature scanner that only inspects one file at a time. An Opus 4.7 model that follows a token from a login screen through the network layer into a logging call is genuinely useful to a mobile team that cannot afford a dedicated AppSec hire — and it is one more axis on which teams now weigh the major AI models against each other when picking a platform.

The catch is the same one that haunts every mobile shop: an app codebase is the part you control, and the SDK soup and backend you depend on is the part you do not. Claude Security scanning your repository will not see the analytics SDK exfiltrating data through an obfuscated binary, and it will not magically fix an insecure API your platform team owns. It is a strong tool for the code you can read, which is necessary but never sufficient for mobile. Treat it as a force multiplier on your own source, not a substitute for understanding what your dependencies do — the same discipline mature teams already apply to app security updates and forced client refreshes.

The dual-use problem Anthropic cannot wave away

A model good enough to find exploitable bugs in your code is, by definition, good enough to find them in someone else’s. Anthropic clearly knows this: Opus 4.7 ships with automated safeguards that detect and block requests indicating prohibited or high-risk cybersecurity use, and legitimate security professionals doing vulnerability research, penetration testing or red-teaming are routed through a new Cyber Verification Program. That is a sensible posture, but it is also an admission that the same capability cuts both ways. The honest reading is that defenders now get an industrialised researcher on tap — and so, eventually, will attackers using less scrupulous models. The window where defenders are ahead is the window worth exploiting.

The ecosystem move tells you how seriously the industry is taking this. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI and Wiz are all embedding Opus 4.7 into their own platforms, and the big consultancies are lining up deployment practices around it. When the incumbents fold a rival’s model into their flagship products within weeks, that is not a press release; that is the market conceding the capability is real — the same competitive scramble now playing out as OpenAI fights for the assistant on your phone.

MTW verdict: useful now, but do not fire your security team

Claude Security is the most credible automated vulnerability tool to ship in 2026, and the directory-targeting, dismissal and webhook features prove Anthropic listened to the people who actually triage findings rather than the people who buy them. If you are a mobile or app team on Claude Enterprise, switch it on this week, scan a non-trivial service, and judge it on the signal-to-noise of the first hundred findings — that, not the demo, is the real test. But it is still a tool that reads the code you give it. It will not audit your dependency tree, it will not replace a security engineer’s judgement on which findings actually matter, and a confidently-worded false positive is still a false positive. Use it as a tireless first-pass researcher that compresses the find-and-fix loop. Trust it the way you trust a sharp junior: extremely useful, occasionally wrong, and never the last word.