AI Can Find Hundreds of Software Bugs—But Fixing Them is a Human Challenge

The software security landscape is shifting rapidly as powerful new tools arrive. Last week, Anthropic promoted Claude Code Security, a research-preview capability that uses its Claude Opus 4.6 model to hunt for software vulnerabilities. As a demonstration of the tool's reach, Anthropic claimed its red team had surfaced more than 500 bugs in production open-source codebases.

While discovering flaws this efficiently is an impressive technical feat, security researchers quoted in The Register pointed out that the real bottleneck in cybersecurity has never been discovery. Finding a bug is only the first step in a much longer and more complex journey to a verified fix.

The Growing Backlog of Vulnerabilities

The sheer volume of potential issues identified by AI is beginning to overwhelm the human processes that must deal with them. Researchers such as Guy Azari have pointed out that, of the 500 vulnerabilities surfaced by the Claude model, only two or three have actually been fixed, and none have received a CVE identifier.

This disparity sits on top of a massive global backlog. By 2025 the National Vulnerability Database (NVD) was already carrying roughly 30,000 CVE entries awaiting analysis, and nearly two-thirds of reported open-source vulnerabilities had no NVD severity score at all. At Vertex, we believe that average or "good enough" is not sufficient protection against the latest cyber attacks.

Why Discovery is Not the Same as Recovery

It is important to understand why finding a bug does not immediately lead to a safer system. As Feross Aboukhadijeh, CEO of Socket, notes, discovery is becoming dramatically cheaper, but the steps that follow it remain slow, human-intensive work:

  • Validation: every AI-generated report must be hand-vetted to confirm that the issue is real and not a false positive.
  • Coordination: findings must be reported to, and coordinated with, the software's maintainers, a delicate and time-consuming process.
  • Patch development: an architecture-aligned patch requires a deep understanding of the original code, so that the fix closes the hole without breaking other features.
  • Resource constraints: many open-source projects are run by small teams who simply do not have the hours to process a sudden flood of automated reports.

The Risk of “AI Noise”

The influx of AI-generated reports is already causing strain. The curl project recently closed its bug bounty program because its maintainers could no longer keep up with the flood of poorly crafted reports from AI tools and humans alike. When the signal-to-noise ratio drops too low, genuinely critical vulnerabilities are easily missed among hundreds of minor or incorrect findings.

How Organisations Can Manage the Shift

As discovery becomes faster and cheaper, businesses should consider how they balance automated tools with expert human oversight. Simply running a scanner is no longer enough; the real value lies in being able to prioritise and remediate the risks that actually matter to your specific environment.
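The validation and resource-constraint points above, the curl-style noise problem, and the prioritisation this paragraph calls for all reduce to the same engineering task: a triage queue in front of the humans. The Python script below is an added example, not code from Vertex or from Anthropic's Claude Code Security. Its input shape, field names (`rule`, `snippet`, `confidence`, `internet_facing`, `evidence`), severity weights and threshold are assumptions for illustration, and the findings are constructed, not real scanner output. It collapses duplicates that differ only by line number, scores each finding by severity, confidence and exposure, and routes it to one of three queues: validate now by a human, schedule into the backlog, or bounce back for lack of reproduction evidence.

```python
"""Triage queue for automated (AI / scanner) vulnerability findings.

Added example, not code from Vertex or from Anthropic's tool. The input
shape, field names, severity weights and thresholds are assumptions for
illustration; map them onto your scanner's real output (SARIF or vendor
JSON) and your own asset inventory before relying on them.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Iterable

# Constructed sample findings (not real scanner output). They include a
# near-duplicate (same rule and code, different line after a refactor) and
# two speculative reports that ship no reproduction evidence at all.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "file": "api/orders.py", "line": 88,
     "snippet": 'cur.execute(f"SELECT * FROM orders WHERE id={oid}")',
     "severity": "high", "confidence": 0.9, "internet_facing": True,
     "evidence": "payload ' OR 1=1-- returned every row"},
    {"rule": "sql-injection", "file": "api/orders.py", "line": 91,
     "snippet": 'cur.execute(f"SELECT * FROM orders WHERE id={oid}")',
     "severity": "high", "confidence": 0.85, "internet_facing": True,
     "evidence": "payload ' OR 1=1-- returned every row"},
    {"rule": "path-traversal", "file": "tools/export.py", "line": 12,
     "snippet": "open(os.path.join(BASE, name))",
     "severity": "medium", "confidence": 0.4, "internet_facing": False,
     "evidence": ""},
    {"rule": "weak-hash", "file": "auth/legacy.py", "line": 30,
     "snippet": "hashlib.md5(pw.encode())",
     "severity": "high", "confidence": 0.95, "internet_facing": True,
     "evidence": "md5 digest stored as the password verifier"},
    {"rule": "denial-of-service", "file": "api/search.py", "line": 5,
     "snippet": "re.match(user_pattern, text)",
     "severity": "critical", "confidence": 0.2, "internet_facing": True,
     "evidence": ""},
    {"rule": "xxe", "file": "import/parse.py", "line": 44,
     "snippet": "etree.fromstring(data)",
     "severity": "medium", "confidence": 0.7, "internet_facing": False,
     "evidence": "external entity resolved in the test harness"},
]

# Assumed weights; CVSS base scores would be the obvious real-world stand-in.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    rule: str
    file: str
    line: int
    snippet: str
    severity: str
    confidence: float
    internet_facing: bool
    evidence: str

    @property
    def fingerprint(self) -> str:
        """Identity that ignores line numbers, so a refactor or a second scan
        run does not register the same bug as a 'new' finding."""
        key = f"{self.rule}|{self.file}|{self.snippet.strip()}"
        return sha256(key.encode()).hexdigest()[:16]

    @property
    def score(self) -> float:
        """Risk-weighted priority: severity x confidence, doubled if exposed.
        A 'critical' label with 20% confidence scores below a solid 'medium'."""
        base = SEVERITY_WEIGHT.get(self.severity.lower(), 1) * self.confidence
        return base * (2.0 if self.internet_facing else 1.0)


def dedupe(findings: Iterable[dict]) -> list[Finding]:
    """Collapse findings sharing a fingerprint, keeping the most confident one."""
    best: dict[str, Finding] = {}
    for raw in findings:
        f = Finding(**raw)
        current = best.get(f.fingerprint)
        if current is None or f.confidence > current.confidence:
            best[f.fingerprint] = f
    return list(best.values())


def triage(findings: Iterable[dict],
           validate_threshold: float = 3.0) -> dict[str, list[Finding]]:
    """Route findings into three queues, highest score first:
    'validate'       -> a human reproduces and confirms it now
    'backlog'        -> real enough to schedule, not urgent
    'needs_evidence' -> no reproduction and low confidence: bounce it back
                        to the reporter (or tool) instead of burning maintainer time
    """
    queues: dict[str, list[Finding]] = {
        "validate": [], "backlog": [], "needs_evidence": []}
    for f in sorted(dedupe(findings), key=lambda x: x.score, reverse=True):
        if not f.evidence and f.confidence < 0.5:
            queues["needs_evidence"].append(f)
        elif f.score >= validate_threshold:
            queues["validate"].append(f)
        else:
            queues["backlog"].append(f)
    return queues


if __name__ == "__main__":
    for name, items in triage(SAMPLE_FINDINGS).items():
        print(name)
        for f in items:
            print(f"  {f.score:4.1f}  {f.rule:18} {f.file}:{f.line}")
```

On the constructed input the two SQL injection reports collapse into one, the weak-hash and SQL injection findings go straight to a human for confirmation, the XXE sits in the backlog, and the "critical" regex denial-of-service report lands in the bounce-back queue because nobody has reproduced it and the tool itself was not confident. That last queue is the point: a severity label on an unverified report is a claim, not a finding, and routing it back for evidence is how a small team keeps the flood from drowning the two or three bugs that actually matter.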

Consider the following strategies to enhance your security posture:

  • Expert Penetration Testing: Our expert penetration testers are experienced and trained in hacking complex computer networks and apps to identify and document vulnerabilities with recommended rectification actions.
  • Managed Security Services: We formulate custom monthly packages that can include monitoring systems for security events and penetration testing of systems and websites.
  • Vulnerability Retesting: For most engagements, we perform a retest of resolved vulnerabilities to confirm the effectiveness of the applied fixes.
  • Cyber Security Training: We provide employee awareness training to help your team understand the human element of security.

Navigating the complexities of AI-driven threats and the resulting flood of vulnerabilities can be challenging. If you have concerns about your current security posture or need assistance validating and fixing identified bugs, reach out to the experts at Vertex Cyber Security. We provide tailored solutions that prioritise genuine, high-quality protection to help protect businesses, employees, and lives from cyber threats.

CATEGORIES

AI

TAGS

AI software bugs - Claude Code Security - vulnerability remediation

Cyber Security by Vertex, Sydney Australia

Your partner in Cyber Security.

  • 1300 229 237
  • Suite 10 30 Atchison Street St Leonards NSW 2065
  • 477 Pitt Street Sydney NSW 2000
  • 121 King St, Melbourne VIC 3000
  • Lot Fourteen, North Terrace, Adelaide SA 5000
  • Level 2/315 Brunswick St, Fortitude Valley QLD 4006

(c) 2026 Vertex Technologies Pty Ltd (ABN: 67 611 787 029). Vertex is a private company (beneficially owned by the Boyd Family Trust).

We acknowledge Aboriginal and Torres Strait Islander peoples as the traditional custodians of this land and pay our respects to their Ancestors and Elders, past, present and future. We acknowledge and respect the continuing culture of the Gadigal people of the Eora nation and their unique cultural and spiritual relationships to the land, waters and seas.

We acknowledge that sovereignty of this land was never ceded. Always was, always will be Aboriginal land.