Three findings on my e-commerce SaaS. Two I already knew about and had been procrastinating on. One Supabase RLS policy that had been wide open since day one — the kind of bug that works perfectly until someone decides to poke your API with a crafted payload.
I fixed all three, pushed, went back to grilling shrimp on my terrace in Cancún. Then I opened Twitter and watched $15 billion evaporate from cybersecurity stocks. CrowdStrike down 8%. Okta down 9.2%. SailPoint down 9.4%. The entire cybersecurity ETF at its lowest since November 2023.
Because of the thing I just used. The thing that's been sitting in everyone's terminal for six months.
TL;DR: Anthropic launched “Claude Code Security” on Feb 20 and tanked $15B in cybersecurity stocks. But the core feature — /security-review — has been a free slash command in Claude Code since August 2025. Wall Street panicked because they confused code scanning with endpoint protection (it's like dumping your car insurance because someone opened a driving school). The enterprise dashboard is nice, but the CLI version already catches real bugs. I'll show you both, including how to customize it for your exact stack.

The Slash Command Nobody Read the Changelog For (except me 🤓)
/security-review
No flags, no config, no setup wizard.
You type this in Claude Code and it rips through your pending changes looking for SQL injection, XSS, command injection, auth bypasses, IDOR, session flaws, hardcoded secrets, and about a dozen other vuln categories.
I started running it on my SaaS projects back in September. That first Supabase RLS finding? It had been there for four months. The policy said “allow all” on a table that stored API keys. Not “allow authenticated.” Not “allow where user_id matches.” Just… allow all. And it worked. Every test passed. Every feature behaved correctly. That’s the thing about security bugs — they’re invisible until they’re catastrophic.
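What that "allow all" policy looks like in Postgres, beside the scoped policies it should have been, plus two audit queries for the same class of bug. This is an added example, not code from the post; the `api_keys` table and its columns are assumptions, and `auth.uid()` is Supabase's helper for the calling user.

```sql
-- Added example: the wide-open RLS policy described above and its fix.
-- Table and column names are assumptions for illustration.
create table if not exists api_keys (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id),
  key_hash   text not null,            -- store a hash, never the raw key
  created_at timestamptz not null default now()
);

alter table api_keys enable row level security;

-- The bug: a permissive policy with no predicate. Every role that can reach
-- the table, including the anon key shipped to the browser, reads every row.
-- Every test passes because the policy never blocks anything.
create policy "allow all" on api_keys
  for all
  using (true)
  with check (true);

-- The fix: drop it and scope each operation to the calling user's own rows.
drop policy "allow all" on api_keys;

create policy "owner can read own keys" on api_keys
  for select to authenticated
  using (auth.uid() = user_id);

create policy "owner can insert own keys" on api_keys
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "owner can delete own keys" on api_keys
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit 1: any policy whose USING or WITH CHECK clause is literally 'true'
-- is the same class of bug. Run it across the whole schema.
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from   pg_policies
where  qual = 'true' or with_check = 'true';

-- Audit 2: tables in public that never had RLS enabled at all. Supabase
-- exposes these through the REST API with no row filtering whatsoever.
select relname
from   pg_class
where  relnamespace = 'public'::regnamespace
  and  relkind = 'r'
  and  not relrowsecurity;
```

Run the two audit queries from the SQL editor as the database owner; the `api_keys` policies themselves only matter for requests arriving through the anon or authenticated roles.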
If you’ve read my piece on Prompt Contracts, you know I’m obsessed with pre-deploy checks. /security-review is the check I didn't know I needed until it found something I'd been living with for months.
Why I Even Care About Security (Most Devs Don’t)
Every developer I’ve ever worked with thinks in features. Does the button work? Does the form submit? Cool, ship it.
I’ve always been the annoying one who thinks in systems — what happens when someone sends a malformed JWT, what if the cron job fires twice, what if someone curls your endpoint with a payload you didn’t anticipate.
This didn’t come from a CS degree or a security certification. It came from TryHackMe.
I remember the exact room — it was a beginner-level CTF, something about a vulnerable web app with a file upload feature. The walkthrough showed how a path traversal in the upload handler let you write to arbitrary locations on the server. The dev had validated the file extension but not the path. Classic mistake. The attacker uploaded a PHP shell to /var/www/html/ and had full RCE in about 40 seconds.
I closed the tab, opened my own project, and found the exact same pattern in my upload handler. Not identical code, but the same category of mistake — validating the thing you expect while ignoring the thing you don’t. I stayed up until the shrimp went cold rewriting that entire module.
That’s the thing about CTF writeups. They don’t teach you security theory. They teach you paranoia. And once you’ve watched someone pop a shell through a bug you also have, you never ship the same way again.
Most devs don’t have that paranoia. They shouldn’t need to. /security-review is paranoia-as-a-service.
Customizing the Scan for YOUR Stack
The default scan catches the OWASP greatest hits. Good enough for most people. But if you copy the security-review.md file from Anthropic's GitHub repo into your project's .claude/commands/ directory, you unlock something better.
```markdown
# .claude/commands/security-review.md
---
allowed-tools: Bash, Read, Write
description: "Custom security review for PropulseCom"
model: claude-opus-4-6
---
Analyze the current codebase for:
- Supabase RLS policy gaps (check every table)
- Clerk webhook signature verification
- API routes missing auth middleware
- Hardcoded API keys in .env.example files
- Convex function input validation
```
That frontmatter is all it takes.
Now when I run /security-review, it doesn't just check generic OWASP stuff — it knows my stack. Clerk for auth, Convex for the backend, Supabase for the database layer. It checks for the bugs that show up in my architecture.
The GitHub Action version does the same thing on every PR. You drop anthropics/claude-code-security-review@main into your workflow YAML, give it a Claude API key as a secret, and every pull request gets a security review before any human looks at it. Anthropic caught a DNS rebinding RCE in their own codebase with this exact action. Also caught an SSRF in their internal credential proxy. Both before merge.
The bugs that keep CISOs up at night, caught by a YAML file in your .github/workflows/ directory.
Security isn’t a feature you ship. It’s a surface you maintain.

The Enterprise Dashboard (a.k.a. Why Wall Street Panicked)
On February 20, Anthropic launched “Claude Code Security” — the enterprise version. Dashboard, severity ratings, confidence scores, multi-stage verification, one-click patch approval.
The big upgrade over the CLI: it scans your entire codebase, not just pending changes. And it runs a self-critique loop where the model tries to disprove its own findings before bothering you. Fewer false positives, higher confidence scores.

The stat that made every SAST vendor choke on their coffee: Anthropic’s red team used Opus 4.6 to find over 500 previously unknown high-severity vulnerabilities in production open-source codebases. Bugs that had survived years — decades, in some cases — of human review and traditional scanning. Responsible disclosure is still ongoing.
Five hundred bugs. Decades old. Found by a model that reasons about code instead of matching regex patterns.
But — and I want to be honest here — the dashboard is essentially a productized version of what the CLI already does. If you’re a solo dev or a small team, the slash command gets you 80% of the way. The enterprise version adds the verification loop and the dashboard. Worth it if you run a 50-person eng team. Overkill if you’re shipping from your apartment on a Hostinger VPS like I described in my Anthropic Killed My Setup piece.
Wall Street Lost $15B Over a Category Error
Okay, this is the part that actually made me laugh out loud. Let's break down what happened.
- CrowdStrike dropped 8%. CrowdStrike does endpoint detection and response — EDR. They monitor your running servers for active threats in real-time. Claude Code Security scans your source code for bugs before you deploy. These two things have literally nothing to do with each other.
- Okta dropped 9.2%. Okta handles identity management — SSO, MFA, user lifecycle stuff. Claude Code Security doesn’t touch authentication infrastructure. Not even a little.
- Cloudflare dropped 8.1%. Cloudflare runs WAFs, DDoS mitigation, CDN. They protect your app after it’s live. Claude reviews your code before it ships.
- SailPoint dropped 9.4%. Identity governance. Zscaler dropped 5.5%. Zero-trust networking.
None of these companies do what Claude Code Security does.

Barclays called the selloff “illogical.” One post on X nailed it: investors couldn’t differentiate between AppSec and endpoint security, so they dumped everything with “cyber” in the description. It’s like selling your plumber’s stock because someone invented a better fire extinguisher. Same house, completely different problem.
Wall Street sold the wrong companies.
The companies that should actually be sweating are the pure-play SAST vendors — Snyk, SonarQube, Semgrep, Checkmarx, CodeQL. The ones that do pattern-based code scanning. That’s the actual competitive overlap.
But — and this is a big but — Claude isn’t replacing them today. The reasoning-based approach excels at business logic flaws, auth bypasses, and multi-file vulnerability chains that pattern matchers literally cannot see. But for the boring, well-documented vulns like standard SQL injection, Semgrep still catches them faster and more reliably.
The real play isn’t “Claude replaces Snyk.” It’s running both. Pattern matching for the known bugs. AI reasoning for the bugs only a human would catch — except now you don’t need the human.
The best lock on your door means nothing if there’s a window you forgot existed.
What This Means If You Ship Code From Your Apartment
You don’t have a security team. You don’t have a CISO. You have a MacBook, Claude Code, and a $5 VPS. Welcome to the club.
Here’s your entire security stack in 2026:
Before every deploy: type /security-review in Claude Code. Takes 30 seconds. Catches the stuff you're too deep in feature-mode to notice.
On every PR: add the GitHub Action. Costs a few cents in API calls. Reviews every pull request before merge.
Once: copy security-review.md to .claude/commands/ and customize it for your stack. Five minutes of setup, permanent improvement.
That’s it. That’s the security budget for a solo SaaS founder. And honestly — this is going to sound like a flex — it’s more than what half the “enterprise” teams I’ve consulted for had in place three years ago. They had Jira tickets labeled “security review” that nobody ever opened. You have a model that actually reads the code.
If you’re the kind of dev who’s never thought about security — no shade, genuinely — this is the lowest-effort entry point that exists. You don’t need to understand OWASP. You don’t need to know what IDOR stands for. You type six words and Claude tells you what's broken.
Security has always been the tax devs refuse to pay. Anthropic just made the tax rate near zero. The question isn’t whether you’ll use it. It’s how long you’ll wait before your first scan finds something that’s been sitting there for months. Like mine did.
If you ship code with Claude Code and haven’t run /security-review yet — tonight. Not tomorrow.
I write about the tools and workflows I actually use to ship SaaS from a cheap server — the stuff I test in prod, not the stuff I read about on Hacker News. If your security stack today is “hope nobody finds my endpoints,” subscribe. Next week I’m tearing apart something else nobody’s talking about.