Capital One Open-Sources VulnHunter Agentic Code Security Tool for Claude Code
Capital One has released VulnHunter, an open-source agentic security tool built on Claude Opus 4.8. Operating as a Claude Code skill, it simulates real-world attacker behaviors to trace and auto-remediate vulnerabilities while minimizing false positives.
Impact: Medium
Why it matters
You can now run proactive, agentic penetration testing and automated security patching directly inside your local terminal using Claude Code.
TL;DR
- 01VulnHunter shifts vulnerability scanning from passive pattern matching to active, attacker-first path simulation.
- 02A built-in self-falsification engine reduces developer friction by filtering out speculative findings.
- 03The framework requires Claude Opus 4.8 and runs as a custom skill inside the local Claude Code terminal client.
Key facts
- Supported Model
- Claude Opus 4.8
- Environment Integration
- Claude Code skill
- Author
- Capital One
Dev-First Agentic Auditing
Traditional static application security testing tools analyze code patterns in isolation, leading to high alert fatigue. VulnHunter is designed as a developer-first tool that runs locally as a skill inside the Claude Code environment. By operating from the attacker's perspective, it traces input paths from untrusted entries to internal sinks. It is built to minimize friction, shifting the developer's focus from triaging false alarms to executing verified code repairs.
The Falsification Reasoning Loop
The core innovation under the hood is the automated falsification engine. Unlike basic LLM security wrappers, VulnHunter uses Claude Opus 4.8 to run a structured, multi-step reasoning workflow to challenge its own findings. It actively searches for missing logical links, sanitization steps, or environment constraints that would prevent an exploit from succeeding. If it finds any reason why the attack would fail, the vulnerability is silently dropped. Only high-confidence, verified vulnerabilities survive this internal challenge and are surfaced to the developer.
Requirements and Getting Started
To use VulnHunter, developers must have active access to the Claude Opus 4.8 model and a configured Claude Code CLI environment. The tool is available as an open-source repository on GitHub under the Capital One organization. The repository includes step-by-step guides, architectural blueprints, and sample workflows showing how the tool maps out exploit paths and formats remediation code directly for engineering pull requests.
Try it in 2 minutes
# Clone the repository and review the configuration within Claude Code
git clone https://github.com/capitalone/vulnhunter.git
cd vulnhunterbash
✓ When to use
- When you want to identify complex, multi-step logical exploit paths before merging code to main.
- When you are already heavily utilizing Claude Code as your primary terminal-based coding agent.
- When you need verified, actionable code repairs rather than high volumes of speculative SAST warnings.
✕ When NOT to use
- When you do not have active access to Claude Opus 4.8 or the Claude Code terminal client.
- When security compliance rules completely prohibit sending proprietary code paths to external LLM APIs.
What to do today
- Clone the VulnHunter open-source repository from GitHub.
- Ensure your local Claude Code terminal environment is up-to-date and configured.
- Review the quickstart guide and test the security agent against a sample API endpoint.
What the community says
“Wasn't Capital One founded on the premise of massive-scale market and product experimentation? Makes sense that they would design tools that match that approach.”
“An end product to justify the Billions spent on AI”
Sources