A bank shipping an offensive-security tool under Apache 2.0 is not what anyone expected. But VulnHunter (Capital One) is exactly that: an agentic AI tool that reads your source code the way an attacker would, not the way a linter does.
What it actually is
Not another SAST scanner spraying pattern-matches at you. VulnHunter starts at real entry points — APIs, file uploads, network messages — and reasons forward through your application logic to see if a bug is actually reachable. It’s an agent, running on Claude Opus 4.8 inside a Claude Code environment.
Why it’s worth watching
The trick is the falsification engine. After finding a vulnerability, it tries to disprove itself — hunting for broken assumptions and gaps in the exploit path. Only findings that survive get reported, with a mapped attack path and a targeted patch. That kills the false-positive flood that makes people ignore security tools. Capital One already ran it across thousands of repos internally.
You Might Also Like
- From Claude Flow to Ruflo 22k Stars 5900 Commits and the Multi Agent Swarm Taking Over Claude Code
- Oh my Claudecode Turns Claude Code Into a 32 Agent dev Team and 11 8k Stars Agree
- Claude Code Source Leak Kairos how a 59 8 mb File Exposed Anthropics Entire Agent Playbook
- Claude Code Found 5 Linux Kernel Vulnerabilities one was Hidden for 23 Years
- Hiveterm Bets on the Multi Agent Workspace Claude Codex and Gemini in one Terminal

Leave a comment