Anthropic’s Claude Code Security Launch Triggers Market Shift and Threatens Traditional AppSec Vendors

Forrester· June 23, 2026

Anthropic has introduced Claude Code Security, a suite of autonomous AI agents capable of ingesting enterprise codebases to identify and remediate vulnerabilities. This launch follows similar moves by Google and OpenAI, signaling a strategic shift where AI providers bundle security capabilities into existing licensing to displace specialized incumbents. The development is forcing a significant re-evaluation of the application security market as autonomous reasoning begins to replace traditional rules-based scanning tools.

On February 20, Anthropic released Claude Code Security, a move that Forrester analysts suggest follows a familiar hyperscaler playbook of bundling security features to neutralize renewal cycles for specialized vendors. The market response was immediate and severe; JFrog’s valuation plummeted by nearly 25% in a single session, while the Global X Cybersecurity ETF hit a two-year low. Although companies like CrowdStrike, Okta, and Zscaler saw sentiment-driven declines, the primary impact is felt by vendors in the SAST, SCA, and ASPM categories. These incumbents, which rely on structured detection and pattern matching, now face direct competition from frontier AI models that offer native semantic reasoning and automated remediation as part of broader enterprise subscriptions.

Anthropic’s entry joins Google’s CodeMender and OpenAI’s Aardvark in a race to collapse the separation between software engineering and security. By embedding security analysis directly into the CI/CD pipeline and pull request workflows, these platforms allow AI agents to identify, test, and deploy fixes in near real-time. This shift moves the competitive landscape away from feature-to-feature comparisons toward a battle over economics and productivity. Forrester notes that while traditional tools often overlook complex flaws, Claude Code Security functions more like a human expert, potentially rendering six-figure contracts for rules-based scanners obsolete as CFOs and CEOs prioritize the efficiency of integrated AI platforms.

Despite the efficiency gains, the rise of autonomous agents introduces significant operational risks, highlighted by a 13-hour outage at Amazon caused by its internal AI tool, Kiro, which erroneously deleted and recreated a production environment. This incident underscores the tension between agentic autonomy and the persistent reality of permission drift in mature environments, where an agent's infinite willpower can lead to irreversible choices that human developers would avoid. For cybersecurity leaders, the emergence of these tools necessitates a rigorous inventory of the AppSec stack to identify redundant capabilities. While AI agents excel at maintaining new, AI-generated code, they currently lack the context for autonomous large-scale refactoring of legacy systems, meaning risk-based prioritization and human oversight remain essential components of a modern security strategy.

Read the full story at Forrester

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to Forrester.