Anthropic open-sources the harness behind its vulnerability-hunting agent

Anthropic has open-sourced the Defending Code Reference Harness, a reference build of the autonomous agent it uses to hunt software vulnerabilities. The harness drives Claude through a full loop: reconnaissance, finding candidate flaws, verifying them, reporting, and generating a candidate patch.

The detail worth noting is the containment. The harness refuses to spawn agents outside a gVisor sandbox, and everything routes through a wrapper script you have to set up before the first run. It is built on lessons from Anthropic's work with security teams since the Mythos Preview, and ships with skills for threat modelling, scanning and triage plus an interactive walkthrough on a demo target.

Two caveats temper the release. The repo is explicitly not maintained and not accepting contributions, and Anthropic points serious users to Claude Security, its hosted product with a multi-stage verification pipeline to cut false positives. So this is a blueprint, not a tool you adopt off the shelf. The open question: how many defenders can stand up a sandboxed scanning agent from a reference design before the managed version becomes the only practical path.