We launched two code security products last week, which is either brilliant or terrible timing depending on who you ask. It’s not long since the market lost its mind over Anthropic launching a SAST product, triggering a wave of online chatter claiming that “code security is dead”, destined to be owned by the AI labs.
Unsurprisingly, I disagree. There is a good argument that securing code is about to become the most difficult and important area of security.
Code commits are set to increase by at least 14x from 2025 to 2026. AI models are being banned by governments because of their ability to exploit vulnerabilities. And, thanks to AI, software now controls everything from our cars to our vacuum cleaners.
Still, many look at Claude Code Security and Mythos and think code security is going to be solved soon. As reasonable as that view seems at first, let me explain why it’s far from true.
Myth 1: “AI will write perfectly secure code”
Some argue that AI models will soon get so good they’ll write perfectly secure code, meaning there will be no need for code security. The problem is, there’s no such thing as perfectly secure code. Yes, AI models will keep getting better at coding, but vulnerabilities don’t come from bad syntax alone. To understand if an application is secure, you need to look at a lot more than the code. You need to understand what the application is for, what business logic should be allowed, how the infrastructure is configured, what controls sit around it, and much more.
Maybe killing off the most obvious vulnerabilities in code is enough? Unfortunately not. As the models get better at writing code, they get better at breaking it too. As the more obvious syntax mistakes disappear, the models get better at subtle attacks, the ones that chain vulnerabilities or exploit business logic flaws. Better technology benefits both attackers and defenders, leaving us with a similar problem in a different form.
Myth 2: “ASI will solve vulnerabilities entirely”
When challenged on the idea that better models won’t write perfectly secure code, people often claim that eventually AI will become so smart that it will be able to solve any problem.
Maybe there’s a point where that’s true, but it doesn’t seem likely any time soon. The problem of writing and maintaining an application that is both useful and perfectly secure (i.e. not even an all-powerful AI could break into it) is so hard that we’re basically into Artificial Superintelligence (ASI) territory.
If AI becomes that powerful, the world will be unrecognizable, and there would probably be no security industry left to argue about.
Myth 3: “The AI labs will own code security”
Even if we agree software vulnerabilities will persist, skeptics argue that AI labs like Anthropic and OpenAI are going to dominate code security anyway. That doesn’t stack up either.
The labs have no incentive to crush all competition in a single area of security. OpenAI and Anthropic are chasing multi-trillion-dollar valuations. Even if the code security market grows as fast as it looks like it will, dominating it doesn’t move the needle for the labs. They do have an incentive to produce secure code and to sell good-enough security products to their installed base, but they don’t have an incentive to direct enough resources to dominate the market.
The past gives us a good sense of what’s going to happen here. Microsoft, Google, and Amazon compete in pretty much every area of security today, and dominate none of them. You might say ‘but the labs own the models, they’re best placed to build this’, but that doesn’t hold up either. Microsoft owned the OS but didn’t crush CrowdStrike. AWS owned the cloud but didn’t crush Wiz.
For all the talk of consolidation recently, security-conscious enterprises continue to buy best-in-class products. In code security, there will always be room to add value on top of what the underlying models can do. The real value lies in the orchestration layer built on top of the models. We cannot live in a world where attacks are launched with Claude and defended by Claude. We need specialist tools that give defenders an advantage.
Early product releases from the labs back this up. Testing found Claude Code Security to perform poorly against other AI SAST scanners on the market, and using models like Mythos out of the box is prohibitively expensive for even the biggest enterprises. Anthropic rightly don’t care. They’re incentivised to sell more tokens and have bigger fish to fry.
Could an enterprise ever rely on a single model provider for code security? What happens if the model falls behind? How can one vendor deliver the most cost-efficient mix of models? What about downtime? Enterprises need an independent vendor who can orchestrate the right combination of frontier, open-source, and fine-tuned models from different providers. Much like most enterprises don’t use AWS or Microsoft’s cloud security product because they need multi-cloud support, enterprises won’t rely solely on Anthropic or OpenAI’s code security products because they need multi-model support.
Code security matters now more than ever
For years, code security has been a space full of unloved products that most security teams saw as a compliance checkbox. It’s always been sold as a detection problem. Buy the scanner, generate thousands of issues, reach compliance. Everyone knew almost all the findings were BS, so some teams spent endless hours triaging them to figure out what matters. Others saw that a breach being caused by a code vulnerability was unlikely, and pretty much ignored the problem altogether.
Two things have changed now. We’re writing code faster than any human can review it, and attackers can now automate the kind of attacks we always knew we were vulnerable to but thought were unlikely to happen.
Code security has stopped being about detection and compliance, and started becoming a serious security problem. Generating findings is easy; working out what matters and fixing it in time is not.
We can’t rely on the AI labs to solve this, otherwise we’ll never have an advantage over attackers. We need to build specialized tools designed to give defenders the upper hand. The edge will come from pre-gathering the right context for agents to use, training agents on millions of real investigations, automatically routing requests across different model providers, and aggressively optimizing token spend.
It’s hard to think of a time when a security problem has changed as fast as code security is changing right now. When else have we expanded the attack surface by more than 10x in a year, while also creating technology so good at exploiting it that governments had to ban it?
Code security is far from dead. It’s about to become the most important problem in security.
Software has eaten the world; now we need to secure it.