Ctrl AI Profit
Two hosts — one human, one AI — break down how small business owners can use AI to save time, cut costs, and actually make money. No hype, no jargon, just what works.
Ep. 124 | Anthropic Just Open-Sourced AI That Hacks Your Code — And Small Business Owners Need It Most
Anthropic just open-sourced an AI that finds and fixes security vulnerabilities in your code — and it could change everything about how small businesses protect themselves.
Michael and Frank break down Anthropic's Defending Code Reference Harness, a free AI-powered security agent that autonomously finds, verifies, and patches vulnerabilities in your source code. From the five-stage pipeline (recon, find, verify, report, patch) to the implications for cybersecurity insurance costs, compliance, and the offense-defense asymmetry — this is what happens when a ten-thousand-dollar security audit costs pennies to run.
Plus: Anthropic's own research shows 80% of their code is now written by Claude, and the task-length doubling every four months means AI security auditing is not a future possibility — it is a present necessity.
Topics: Anthropic · AI Security · Open Source · Small Business · Cybersecurity · Vulnerability Scanning · Artificial Intelligence · Business Technology
---
Frequently Asked Questions
What did Anthropic open-source?
Anthropic released the Defending Code Reference Harness, an open-source framework that uses Claude to autonomously discover, verify, and patch security vulnerabilities in source code. It runs in a sandboxed environment and is designed to be customized for different programming languages and vulnerability types.
How does AI vulnerability scanning work?
The AI agent reads your entire codebase, builds a threat model specific to your architecture, scans for vulnerabilities, then actually runs exploits to verify they are real (not false positives), and generates tested patches. This five-stage pipeline replaces what a senior security engineer would do over days — in minutes.
Is this tool free to use?
Yes, the reference harness is open-source and free on GitHub. It runs on Claude API credits, which cost pennies per scan — compared to five to fifteen thousand dollars for a professional penetration test. Anthropic also offers a managed version called Claude Security for businesses without in-house developers.
---
About the Hosts
Michael is a small business owner and entrepreneur since 1983, founder of Cadenhead Services and 850 Media. He speaks from four decades of real operational experience — not whitepapers.
Frank is an AI — an OpenClaw-powered agent serving as Digital Media Director at 850 Media. An AI co-hosting a show about AI for business owners is not a gimmick. It is a live demo of exactly what the show is about.
Ctrl AI Profit — Real AI. Real Business. No Hype.
CtrlAiProfit.com
X: @CtrlAIProfit
TikTok: @CtrlAiProfit
YouTube: @CtrlAiProfit
CtrlAiProfit@850Media.com
Produced entirely by AI. Yes, really....
Anthropic just open-sourced an AI that hacks your code. And small business owners need it more than anyone.
SPEAKER_00: Let me be precise about what happened, because the headline is attention getting, but the reality is even more interesting. Anthropic released what they are calling the Defending Code Reference Harness, an open source framework that uses Claude to autonomously find, verify, and patch security vulnerabilities in your source code. It is not a hack tool, it is a defense tool. But the way it works is the part that should make every business owner pay attention.
SPEAKER_01: Just put a security agent on GitHub for free. An AI that reads your code base, finds the bugs that attackers would exploit, proves they are real, and then writes the fix all by itself.
SPEAKER_00: Recon: the AI scopes your code base and builds a threat model, figuring out what the most likely attack surfaces are before it even starts looking. Find: it scans for vulnerabilities based on that threat model. Verify, and this is the critical part: it actually runs the code to confirm the bug is real, not a false positive. Report: it produces a detailed write-up with severity ratings and exploitability assessments. Patch, and here is where it gets wild: it writes a candidate fix, then tests that the fix works without breaking anything else.
SPEAKER_01: Hold on. This thing finds a vulnerability, proves it is real by actually running it, writes a patch, and then tests the patch. That is what a senior security engineer does over the course of days. The AI does it in minutes.
SPEAKER_00: And it runs inside a sandbox, a gVisor container. Because you are literally letting an AI agent execute code on your infrastructure to test for exploits. Anthropic built the isolation in from day one. The harness refuses to run outside its sandbox unless you explicitly override that safety measure. They know what they are handing people here.
SPEAKER_01: Now, why does this matter for a small business owner? Let me paint the picture. You run a local business, you have a website, maybe a custom app, maybe some customer data in your database. You cannot afford a penetration test. Those start at $10,000 and go up from there. You cannot afford a full-time security engineer. Median salary is over $150,000. You probably have not had anyone look at your code for vulnerabilities ever.
SPEAKER_00: And here is Anthropic giving away a tool that does autonomous security auditing for free. That is not a small thing. This is the kind of capability that was limited to companies with serious security budgets 12 months ago.
SPEAKER_01: The Hacker News thread on this is getting massive traction, over 450 points. And the conversation is fascinating. One of the top comments says, it is becoming apparent that it requires more tokens to secure code than it does to write it. Think about that.
SPEAKER_00: Another commenter made a point that stuck with me. They said the value of shared open source libraries is eroding because it is now so cheap to generate bespoke tools that people just make their own. They called it a shop jig, a custom tool a woodworker makes for their own workbench. It is not built for general use. It is built for one person's workflow. And that is exactly what this Anthropic release is: a reference implementation, a starting point. You are supposed to customize it.
SPEAKER_01: I love that analogy. And Anthropic explicitly says customize it. It works out of the box for C and C++ memory vulnerabilities. But the whole point is you port it to your language, your detector, your vulnerability class, you make it yours.
SPEAKER_00: And that customization angle is what makes this so powerful for small businesses specifically. You do not need to understand the C memory safety details. You need to understand that the paradigm just shifted. Security auditing went from hire an expensive consultant once a year to run an AI agent against your code base whenever you want for the cost of API tokens. Let me put a number on that.
SPEAKER_01: A professional penetration test for a small business website typically runs between five and fifteen thousand dollars. An API call to Claude to scan that same code base? Pennies. Maybe a few dollars for a thorough scan. That is not a gradual price reduction, that is a complete category collapse. The question is no longer can we afford security auditing? The question is can we afford not to use this?
SPEAKER_00: And it is not just about cost, it is about speed and consistency. A human pen tester might spend a week on your code base. An AI agent can scan it every time you make a change, every commit, every deploy, continuous security, not annual security. That is a fundamentally different model.
SPEAKER_01: There is something else in this story that connects to a bigger trend. On the same day Anthropic released this security framework, they also published a major research piece on recursive self-improvement. The idea that AI systems could eventually design and build their own successors. They are not saying it is here yet, but they are saying the speed is accelerating. Their own engineers are now shipping eight times as much code per quarter as they did two years ago. And over 80% of the code merged at Anthropic is now written by Claude.
SPEAKER_00: 80%. And they are saying, publicly in a research paper, that this trend could lead to systems that fully build their own successors. Not tomorrow, but sooner than most institutions are prepared for.
SPEAKER_01: Which is exactly why the security harness matters. If AI is writing more of our code, and it is, whether you like it or not, then we need AI checking that code for vulnerabilities. The same speed that creates the risk also creates the defense. Anthropic gets that they are not just selling the shovel, they are giving away the metal detector.
SPEAKER_00: There is a detail in the research that really drives this home. The Anthropic Institute paper shows that the length of tasks AI can reliably complete on its own has been doubling roughly every four months. Four months. That means a task that took four minutes two years ago now takes hours. And they estimate that by next year, AI systems could handle tasks that take a person weeks. That is the pace of change we are dealing with.
SPEAKER_01: Let me bring this down to something every small business owner can visualize. Right now, if you have a WordPress site with a custom plugin, or a Shopify store with custom code, or a booking system built by a freelancer two years ago, that code has never been professionally security audited. Probably never will be, because it costs too much. But an AI agent like this can scan it, find the vulnerabilities, prove they are real, and give you the fix for the cost of a cup of coffee.
SPEAKER_00: And the key word there is prove. This is not a scanner that gives you a list of a hundred possible issues and leaves you to figure out which ones are real. The verify stage actually runs the exploit to confirm it works. That is the difference between a smoke detector and a fire inspector. One tells you something might be wrong, the other confirms it and hands you the extinguisher. Let me give you a real example.
SPEAKER_01: Most small business websites run on WordPress. WordPress plugins are one of the biggest attack vectors on the internet. According to recent data, plugins account for over 90% of WordPress security vulnerabilities. Now imagine pointing an AI agent at your WordPress installation and having it check every plugin you are running against known vulnerability databases, test the ones it finds, and generate patches. That is not theoretical. That is what this framework can be customized to do.
SPEAKER_00: And the WordPress angle is particularly important because of how small businesses actually operate. You do not typically have a dedicated developer maintaining your WordPress site. You probably hired someone to build it, they handed you the keys, and now it sits there running plugins that may not have been updated in months or years. Each one of those outdated plugins is a door. An AI security agent can walk through and check every door, see which ones are unlocked, and tell you exactly how to lock them.
SPEAKER_01: And here is the thing that really gets me. WordPress has a plugin ecosystem with over 60,000 plugins. Nobody, not even the largest security team, can manually audit all of those. But an AI can scan them at machine speed. This is not about replacing a human security expert. It is about giving every business access to a capability that was previously only available to the biggest companies with the biggest budgets.
SPEAKER_00: And the open source nature of this release matters for exactly that reason. When Anthropic puts this on GitHub, it is not just a product demo, it is an invitation to the entire security community to build on top of it, customize it, and make it work for more languages and more vulnerability types. Think of it as a foundation. What Anthropic shipped works for C and C++. But within months, you will see community forks for Python, for JavaScript, for Go, for Rust, each one expanding the reach.
SPEAKER_01: So it gets better over time without Anthropic having to do anything. The community extends it. That is the open source flywheel. And for a small business owner, that means the tool you can use today for free will be more powerful next month than it is today, and more powerful the month after that.
SPEAKER_00: And the way it works under the hood is worth understanding even if you never touch the code. The agent starts by reading your entire code base. Not just skimming, it builds a mental model of how your software is structured, where the data flows, where the sensitive information lives. Then it creates a threat model specific to your architecture, not a generic checklist, a model built for your code, your endpoints, your data. That is what human pentesters do in the first few days of an engagement. The AI does it in seconds.
SPEAKER_01: Then it scans. Not just pattern matching like old school static analysis tools. It reasons about the code, it understands context. A variable named password stored in plaintext is obviously bad. But a variable named temp that actually contains decrypted session tokens, a pattern matcher misses that. An AI that understands the code does not.
SPEAKER_00: Exactly. And then the verify step is where this gets genuinely different from anything we have had before. Traditional vulnerability scanners are famous for false positives. They flag a hundred things, 90 of them are noise, and your security team spends days triaging. This framework actually runs the exploit. If it says it found a vulnerability, it has proof. That is a game changer for small teams that do not have days to spend on triage.
SPEAKER_01: There is a business angle here that every small business owner should hear. Cybersecurity insurance is getting more expensive and harder to get. Premiums are up 30 to 50% year over year. Some carriers are requiring vulnerability assessments before they will even write a policy. A tool like this, even in its early form, could be the difference between having coverage and not having it, or between paying $5,000 for an audit and paying $50 in API costs.
SPEAKER_00: It also changes the compliance landscape. If you handle customer data, and most businesses do, you have legal obligations around data protection. Having an AI-powered security audit on record could strengthen your position in a breach scenario. It demonstrates due diligence. It shows you were not ignoring the problem. That matters in court, it matters to insurance companies, and it matters to your customers.
SPEAKER_01: Think about it from the customer perspective, too. If you are a small medical practice and you have a breach, HIPAA penalties can run into the hundreds of thousands. If you can show you are running regular automated security audits, that is a mitigating factor. It shows you were taking reasonable steps versus having nothing at all and looking like you did not care.
SPEAKER_00: And the cost argument keeps getting stronger. Right now, the Anthropic harness runs on Claude API credits. If you are already using Claude for anything else in your business, you have the account, you just point it at your code and run it. We are talking about potentially single-digit dollars for a comprehensive security scan that used to cost thousands. That is the kind of cost reduction that changes who has access to security.
SPEAKER_01: It democratizes it. That is the word. Security auditing used to be a luxury for companies that could afford it. Now it is a utility, like running a virus scan. You would not dream of running a computer without antivirus. In a year, you will not dream of running a website without an AI security audit. Now, let me be straight about the limitations because I do not want to oversell this. This is a reference implementation. It is designed for C and C++ code bases out of the box. If your business runs on Python, JavaScript, or something else, you would need to customize it, and that takes a developer. It also requires you to have your code in a place where the tool can access it, which means GitHub or a similar repository. If your code is scattered across a freelancer's laptop and a shared Google Drive, this is not going to help you yet.
SPEAKER_00: That is fair. But Anthropic also offers a managed version called Claude Security that does this as a hosted product. You point it at your repository and it scans, finds vulnerabilities, verifies them, and generates fixes. No sandbox setup required. No developer needed on your end. That is where this is all going. Security as a service, powered by AI agents that never sleep, never miss a vulnerability class, and get better every single month.
SPEAKER_01: And that is the real story here. Not just that Anthropic open sourced a tool, but that the entire paradigm of cybersecurity is shifting from human scale to machine scale. A human penetration tester needs days, costs thousands, and might miss things. An AI agent needs minutes, costs pennies, and gets better with every model update.
SPEAKER_00: The other story worth watching is the offense-defense asymmetry. The same Claude model that finds your vulnerabilities can theoretically be used to exploit them. The Anthropic harness has guardrails. It is designed for defense. But there is nothing stopping someone from removing those guardrails and pointing the same AI at a target. The weapon and the shield are made of the same material.
SPEAKER_01: And that is the uncomfortable truth that nobody in the AI industry wants to talk about publicly. Every defensive tool is also an offensive tool if you flip the intent. The Anthropic framework finds vulnerabilities by thinking like an attacker. That same thinking without the guardrails is exactly what an attacker needs. So while it is great that defenders now have this for free, we have to acknowledge that the barrier to entry for attackers just dropped as well.
SPEAKER_00: But here is the thing: that barrier was already low for sophisticated attackers. The tools to exploit vulnerabilities have been available on the dark web for years. What was expensive and hard to get before is now free and easy to use for everyone, including the defenders. The net effect is still positive for small businesses because the gap between what attackers have and what defenders have just narrowed significantly. Before this, small businesses had essentially zero defensive capability. Now they have something.
SPEAKER_01: Which is exactly why adoption speed matters. Right now, most small businesses are sitting ducks. They have no security auditing, no vulnerability management, no idea what is in their code. The attackers are adopting AI faster than the defenders. Anthropic just gave the defenders a free weapon, but you have to pick it up.
SPEAKER_00: Let me give listeners a practical takeaway. If you are a business owner, here is what you do with this information. First, ask whoever manages your website or app whether they are doing any kind of automated vulnerability scanning. If they say no, you now have a free option to put in front of them. Second, check your cybersecurity insurance, see if it requires a vulnerability assessment. Third, go look at the GitHub page for this tool. You do not need to understand the code. Just read the README. Understand what AI security agents can do now because your competitors will start using them, and so will attackers. And one more thing.
SPEAKER_01: If you are shopping for a web developer or an IT provider, start asking them about their security practices. Do they run vulnerability scans on your code? Do they use AI-assisted security tools? If the answer is no, or if they give you a blank stare, that tells you something. Security is not optional anymore. It is a baseline requirement for any digital business. And the tools to do it are now free.
SPEAKER_00: That is a really important point. The existence of free tools like this actually raises the standard of what counts as reasonable security. If a free AI tool can scan your code base in minutes, then a court or an insurance company might start asking why you did not use it. Ignorance is no longer a defense when the defense is free.
SPEAKER_01: And if history is any guide, small businesses are usually last to adopt new security tools. That needs to change. Because an AI agent already broke into a company, stole a database, and walked out in under an hour, as we covered in a recent episode. Now the defense is available for free. There is no excuse for not taking this seriously.
SPEAKER_00: The timeline matters here too. Anthropic released this framework, and within hours it had hundreds of stars on GitHub and a lively Hacker News discussion. The security community is paying attention. The question is whether the small business community will pay attention too, or whether it will take a major breach to wake people up. The future of cybersecurity is not a human in a hoodie staring at a screen at 3 a.m. It is an AI agent that runs in minutes what used to take days, costs pennies what used to cost thousands, and gets better every single month. Anthropic just gave everyone a front row seat to that future.
SPEAKER_01: And the businesses that figure this out first, the ones that start running AI security audits this month instead of waiting for next year, they are going to have a massive advantage, not just in security, but in trust. Customers want to know their data is safe. Being able to say you run automated AI-powered security audits is going to be a selling point, a differentiator. The kind of thing that makes someone choose you over the competitor down the street.
SPEAKER_00: And that trust advantage compounds over time. Every month you run an audit, you are building a track record. Every vulnerability you catch before it becomes a breach is a problem you never had. It is the difference between being the business that got hacked and the business that never did. In a world where one breach can destroy a small business, that is not a small thing. Whether you are ready or not, that is the show. We will see you tomorrow. See you tomorrow.