Alberta government uses Claude to discover and fix cybersecurity vulnerabilities \ Anthropic

Applications of AI


Since 2025, the Government of Alberta has used Claude code in both the Opus and Sonnet models to review systems, find and fix vulnerabilities. A team within Alberta’s Ministry of Technology and Innovation scanned 466 million lines of code in 20 hours, fixed security gaps across systems, and built new tools to make those systems more secure.

We’re sharing details of that experience as an example of how government agencies can use Claude and Claude code to secure large systems. This is an important challenge because governments rely on these systems to provide benefits and keep services running. However, the code is often outdated, insecure, and poorly documented. Alberta has also published a collection of technical white papers documenting its efforts so other governments can learn from. You can read it here.

“Albertans trust our government with the most sensitive information in their lives, and it is our responsibility to protect it,” said Nate Grubish, Alberta’s Minister of Technology and Innovation. “By using AI to find and fix system-wide vulnerabilities, we accomplished in hours what traditional approaches would take years to complete. This is what responsible government looks like in the AI ​​era, and the best is still ahead of us.”

Alberta’s approach

Alberta’s Ministry of Innovation and Innovation maintains systems for all 27 provinces’ departments, from social services to public safety to wildfire response. This includes approximately 1,280 applications and 3,400 code repositories. Most do not undergo systematic security reviews, and their accumulated technical debt, including insecure code, unaddressed bugs, and outdated software, reaches billions of dollars.

The department’s systems store sensitive information such as tax records, government procurement data, and social welfare case files. So in 2025, the department created an internal team with the mission of making these systems safer and easier to maintain over time, and worked with Claude to make that happen.

The department is already using Claude to:

Evaluate 466 million lines of government code in 20 hours. The team used Claude Code with the Claude Opus and Sonnet models to get Claude working in the codebase they managed. Approximately 50 agents scanned systems autonomously and in parallel, finding security vulnerabilities, weaknesses in the underlying infrastructure and deployment process, and gaps in technical documentation. Claude Code ran a two-step routine that first scanned each repository with its rules engine to flag known patterns, then reviewed those flags and cited the exact files and lines for each finding for developers to verify. The scan covered all Alberta-owned repositories and identified issues that were missed by traditional automated scanning tools. Alberta’s implementation took approximately 20 hours. The research team estimates that this type of study could have otherwise taken about six and a half years.

Fix any vulnerabilities found in the scan. If a scan identifies a vulnerability, Claude Code can often generate, test, and build a fix. If the system didn’t have the automated tests needed to ensure the patch was secure, Claude would write the tests first. When the code was too old or complex to be patched effectively in its existing format, Claude restructured it in a more modern and maintainable language. In some scenarios, these systems can be rebuilt in just four to five days, including a grant program portal that was hand-coded in Java nearly 25 years ago and took five months to initially build. All of this was done in collaboration with the ministry’s engineers. The patch was reviewed and approved by our team before it was shipped.

Perform ongoing security reviews. Alberta’s cybersecurity team also built a set of specialized Claude review agents that run throughout the development process. “Red Team” agents inspect applications from the outside, much like an attacker would, and map how vulnerabilities are exploited. A “blue team” agent then evaluates the application’s defenses against international security standards and creates a remediation plan that indicates the exact files to be fixed. Additional agents check the quality of the code and the clarity of the writing that the public sees. Every application is checked against approximately 95 security controls per pass. These agents are built on the Claude Agent SDK and perform a robust set of checks and analysis on all your applications.

In addition to scanning, securing, and modernizing its own systems, Alberta is training both government officials and the public in the use of AI through the Alberta AI Academy. Thousands of government employees and more than 10,000 members of the public have used the platform to learn the fundamentals of effectively using AI, from prompts to enterprise application delivery. Through the Academy, the Ministry of Innovation and Innovation aims to extend its approach beyond a single team or project to all ministries that need it.

Looking to the future

Currently, Claude helps write, review, and deploy code that helps the department in its modernization efforts. Next, we plan to expand our work with AI agents that can work with engineers to build entirely new software and tools.

The Government of Alberta also plans to continue modernization work. For example, one department has 185 legacy applications running in production that are expensive to maintain and difficult to update. The government plans to use Claude Code to analyze these systems, understand their behavior, and integrate them into 16 reusable applications built on modern coding languages ​​and conventions. The goal is to reduce complexity, reduce maintenance costs and speed up modernization efforts that would otherwise take years to complete.

Case studies for government

The technical debt and security vulnerabilities that the Alberta government is working to address are far from unique. These exist in the systems of many states, states, and federal agencies around the world. A technology white paper released by Alberta provides a blueprint for other governments to address similar issues.

In addition to the white paper, Alberta will host an industry day in Edmonton in July to share learnings. And this fall, the company plans to launch a program to expand that approach across state government. We continue to work with Alberta as it scales these efforts, and we hope that the approach it has documented will help other governments protect their own systems.



Source link