
AI-powered reasoning scanners from Anthropic and OpenAI have uncovered hundreds of previously unknown vulnerabilities in widely used open source software, exposing structural limits in traditional SAST tools and potentially reshaping how security flaws are detected.
AI-powered reasoning scanners from Anthropic and OpenAI are exposing long-hidden vulnerabilities in widely used open-source software, highlighting structural limitations in traditional Static Application Security Testing (SAST) tools.
Both companies recently introduced vulnerability scanners that use large language model reasoning rather than pattern matching to analyse source code. The approach allows the tools to identify vulnerability classes that conventional SAST solutions were never designed to detect, signalling a shift in how application security scanning may evolve.
Anthropic released Claude Code Security alongside Claude Opus 4.6 and reported that the model identified more than 500 previously unknown high-severity vulnerabilities in production open-source codebases. One example was a heap buffer overflow in the CGIF library, discovered through reasoning about the LZW compression algorithm. The flaw had previously escaped detection despite extensive fuzz testing with full code coverage.
OpenAI launched Codex Security on March 6, just 14 days after Anthropic’s announcement. Developed from an internal GPT-5-powered tool called Aardvark, Codex Security scanned more than 1.2 million commits during beta testing and surfaced 792 critical findings and 10,561 high-severity issues. Vulnerabilities were identified in major open-source projects including OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP and Chromium, resulting in 14 assigned CVEs.
Both scanners are currently available free to enterprise users, with Anthropic also offering expedited access for open-source maintainers. Security experts warn that the tools could dramatically accelerate vulnerability discovery.
“If code reasoning scanners from major AI labs are effectively free to enterprise customers, then static code scanning commoditizes overnight,” said Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS.
Baer added that open-source vulnerabilities identified by reasoning models should be treated closer to zero-day discoveries as the window between discovery and exploitation continues to shrink.