In January 2026, Anthropic and Mozilla ran a two-week experiment. They turned Claude Opus 4.6 loose on roughly 6,000 C++ files in the Firefox codebase, the JavaScript engine, the rendering path, the parts of a browser that have been picked over by human security researchers for twenty years.
Claude found 22 new vulnerabilities. Fourteen were rated high severity. That single two-week run accounted for nearly a fifth of all the high-severity bugs Mozilla patched in the entire previous year. Total API spend was about $4,000.
For a Fortune 500 company, that is a rounding error in a single security team's coffee budget. If you are a CISO at a public company, this news probably made your last quarterly board deck look expensive.
"Claude found 22 new vulnerabilities in Firefox. Fourteen were high severity. Total spend: $4,000. Duration: two weeks."
The reaction from the market was immediate. Static analysis vendors, SAST tools, bug bounty platforms, any company whose moat was "we scan your code for vulnerabilities your devs missed", suddenly had to explain to their investors what their defensibility looks like when a general-purpose AI can out-audit them for the price of a cheap laptop.
Anthropic also shipped something called Claude Code Security, a limited research preview that builds this capability directly into their developer tooling. It scans, validates, and proposes patches. It's available today to Enterprise and Team customers, with a waitlist for everyone else.
The direction is obvious. Code security is being commoditized in real time.
Here's what the headline misses.
Claude did not find those 22 vulnerabilities by logging into Firefox. It did not sign in as a developer, check group memberships, review the MFA policy, look for orphaned service accounts, or ask anyone why a contractor from three acquisitions ago still has access to the build pipeline.
It read source code. That is a very specific kind of security problem.
The breaches I've walked through over the last eighteen months have almost never been source code bugs. They were:
— A BeyondTrust API key with standing privilege that Treasury never rotated, used by Chinese state actors to access 400 workstations in December 2024.
— Snowflake customer environments with MFA not enforced, credentials harvested from infostealer malware, 165 companies compromised including AT&T and Ticketmaster.
— An eighteen-year-old push-bombing an Uber contractor's MFA prompt until they tapped approve, walking into the crown jewels from there.
— A Capital One IAM role with a permissions boundary nobody reviewed, 106 million records exfiltrated through a door nobody closed.
Not one of those was in the source code. Every one of them was in the identity configuration.
AI is coming for SAST. It is not coming for IAM governance, because IAM governance is not a text-analysis problem. It is a problem of asking the IT director why the former VP of sales still has an active SailPoint identity, and hearing the answer "because we weren't sure if we were allowed to delete it."
If you are running a growing small business or mid-market company, especially one that's been through an acquisition, a funding round, or a pace of hiring that outstripped your IT process, here is the practical read.
Your code, if you write any, will increasingly be scanned cheaply and well by tools like Claude Code Security. That is a good thing. You will spend less on SAST and get more coverage.
But the identity surface your business has actually accumulated, the Okta tenant that a consultant set up three years ago, the leftover AD groups from when you were half the size you are today, the service accounts running the ETL pipeline that touches your data warehouse, the admin credentials an IT contractor baked into a Jenkins job in 2021, the Copilot and Claude instances that got provisioned last quarter without anyone defining what data they can see, none of that gets scanned by an LLM looking at your repo.
It has to be walked through by someone who knows what to look for, who has logged into a SailPoint tenant before, who can read an Okta policy and tell you whether "Everyone" means what you think it means.
That work is still done by humans. The $4,000 Firefox audit changes nothing about it.
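The breach list above and the identity surface described in the last few paragraphs share one property: every gap is a configuration fact that can be enumerated before a human decides what to do about it. The following is an added example, not code from the article or from Risk Ready Identity; it assumes an invented flat record shape for an identity export (the field names, thresholds and sample records are all constructed) and flags the classes of gap the article names so a reviewer knows where to start.

```python
"""Identity-inventory triage over a constructed export.

Added example, not code from the article or from Risk Ready Identity. It
assumes an invented flat record shape and flags the gap classes the article
names; every hit is a candidate for a human reviewer, not an automatic action.
"""
from datetime import date, timedelta

AS_OF = date(2026, 3, 6)              # assumed review date
STALE_LOGIN = timedelta(days=90)      # assumed inactivity threshold
MAX_SECRET_AGE = timedelta(days=365)  # assumed rotation policy
SENSITIVE = {"finance-share"}         # assumed list of crown-jewel resources

# Constructed sample records; nothing here comes from a real tenant.
INVENTORY = [
    {"id": "vp.sales", "kind": "human", "employed": False, "mfa": True,
     "last_login": date(2025, 6, 1), "groups": ["Sales-Admins"]},
    {"id": "etl-pipeline", "kind": "service", "owner": None,
     "secret_rotated": date(2023, 11, 2), "groups": ["Warehouse-RW"]},
    {"id": "jenkins-deploy", "kind": "service", "owner": "it-contractor",
     "secret_rotated": date(2021, 4, 9), "groups": ["Build-Admins"]},
    {"id": "a.chen", "kind": "human", "employed": True, "mfa": False,
     "last_login": date(2026, 3, 5), "groups": ["Everyone"]},
]
POLICIES = [  # resource -> groups that can reach it (constructed)
    {"resource": "finance-share", "assigned": ["Everyone"]},
    {"resource": "code-repo", "assigned": ["Engineering"]},
]

def find_gaps(inventory, policies, as_of=AS_OF):
    """Return (subject, finding) pairs for a reviewer to walk through."""
    gaps = []
    for rec in inventory:
        if rec["kind"] == "human":
            if not rec.get("employed", True):
                gaps.append((rec["id"], "active identity for departed person"))
            elif as_of - rec["last_login"] > STALE_LOGIN:
                gaps.append((rec["id"], "no login in 90 days"))
            if not rec.get("mfa"):
                gaps.append((rec["id"], "MFA not enforced"))
        else:  # service account: needs an owner and a rotated secret
            if not rec.get("owner"):
                gaps.append((rec["id"], "service account has no owner"))
            if as_of - rec["secret_rotated"] > MAX_SECRET_AGE:
                gaps.append((rec["id"], "standing secret not rotated"))
    for pol in policies:
        if pol["resource"] in SENSITIVE and "Everyone" in pol["assigned"]:
            gaps.append((pol["resource"], "sensitive resource assigned to Everyone"))
    return gaps
```

The output is a worklist, not a verdict: each pair still needs the conversation with the IT director that the article describes.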
The companies that will come out ahead over the next twelve months are the ones that recognize what just got commoditized and what didn't. Code security is getting cheaper and better. Identity configuration review is still a specialist problem, and for a growing business without a dedicated IAM team, still the single most underserved area of the security budget.
The $4,000 audit should make you reallocate. Not retreat.
Know what's in your identity stack before an attacker does
Risk Ready Identity conducts focused Identity Security assessments for growing companies. Purpose-built to surface the gaps AI code scanners can't see, in two weeks, for a fixed $10K fee. You get written findings, a prioritized remediation roadmap, and an executive readout. No open-ended billing, no discovery phase that expands into a six-month retainer.
The next one goes deeper.
First-hand observations from inside the identity environments where security programs quietly break down. No pitch. No filler. Straight to your inbox when it publishes.
Sources:
Anthropic, "Partnering with Mozilla to improve Firefox's security" (March 6, 2026).
Axios, "Anthropic's Claude uncovers 22 Firefox security vulnerabilities" (March 6, 2026).
TechCrunch, "Anthropic's Claude found 22 vulnerabilities in Firefox over two weeks" (March 6, 2026).
The Hacker News, "Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model" (March 2026).
Anthropic, Claude Code Security limited research preview announcement and product page at claude.com/solutions/claude-code-security (2026).
Risk Ready Identity case studies on Capital One, Uber, Snowflake, and the U.S. Treasury / BeyondTrust incident.