CHAPTERS
Why cybersecurity at Anthropic is a “new frontier”
Jackie frames Anthropic’s security work as uniquely challenging because the company is building systems without much precedent. That novelty means traditional security approaches don’t always map cleanly to what needs to be protected.
The investigation pain: too many tools, too many languages, too much time
She explains how conventional security investigations often require jumping between multiple tools and query languages. Even “simple” investigations can take hours to days due to fragmented data and workflows.
What CLUE is and why Anthropic built it
CLUE is introduced as Anthropic’s internal detection and response platform, built using Claude Code. The core goal is to streamline investigations and make analyst workflows faster and more coherent.
The differentiator: deep internal context via tool access
Jackie highlights that CLUE’s power comes from being connected to internal systems—not just logs, but also organizational context. This helps alerts become meaningful within the specific environment rather than generic signals.
Demo setup and privacy note: sample data, real workflow
Before demonstrating, she clarifies that the data shown is a sample import and not Anthropic’s real internal information. The walkthrough focuses on how an investigation flows rather than exposing sensitive details.
Natural-language investigation kickoff: a privilege escalation question
The investigation begins with a plain-English prompt about a developer granting themselves admin access. The goal is to determine authorization, potential credential compromise, and subsequent actions taken.
Claude generates an investigation plan and executes queries
Claude responds by outlining a multi-step plan and then launching a set of queries through connected tools. The system gathers evidence iteratively, refining hypotheses as more data comes in.
Attribution signals and risk assessment: suspicious IP intelligence
As the investigation proceeds, Claude flags indicators consistent with classic privilege escalation. Enrichment like IP reputation and threat intel (e.g., VirusTotal) contributes to evaluating malicious likelihood.
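To make the investigation steps above concrete, here is an added example that is not code from the talk, from CLUE, or from Anthropic. It runs the same three questions (was the self-grant authorized, does the session look compromised, what happened next) over a constructed JSON-lines audit log, with an assumed approval ledger standing in for change tickets and a constructed IP set standing in for a reputation feed such as VirusTotal. The event schema, field names, and risk tiers are assumptions for illustration.

```python
"""Triage a 'developer granted themselves admin' alert over constructed audit data.

Added example: not the talk's or CLUE's code. Schema, ledger, and IP list are assumed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log (assumed schema: ts, actor, action, src_ip, target, role).
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-05-01T09:00:00Z","actor":"dev.alice","action":"login","src_ip":"10.1.2.3"}
{"ts":"2024-05-01T09:05:00Z","actor":"dev.alice","action":"repo.push","src_ip":"10.1.2.3","target":"svc-api"}
{"ts":"2024-05-02T22:14:00Z","actor":"dev.alice","action":"login","src_ip":"203.0.113.7"}
{"ts":"2024-05-02T22:16:00Z","actor":"dev.alice","action":"iam.role_grant","src_ip":"203.0.113.7","target":"dev.alice","role":"admin"}
{"ts":"2024-05-02T22:20:00Z","actor":"dev.alice","action":"secrets.read","src_ip":"203.0.113.7","target":"prod-db-creds"}
{"ts":"2024-05-02T22:25:00Z","actor":"dev.alice","action":"iam.role_grant","src_ip":"203.0.113.7","target":"svc-bot","role":"admin"}
{"ts":"2024-05-03T10:00:00Z","actor":"dev.bob","action":"iam.role_grant","src_ip":"10.1.2.9","target":"dev.bob","role":"admin"}
{"ts":"2024-05-03T10:01:00Z","actor":"dev.bob","action":"login","src_ip":"10.1.2.9"}
"""

# Constructed approval ledger (assumed): time-boxed admin grants tied to a change ticket.
APPROVALS = [
    {"subject": "dev.bob", "role": "admin", "ticket": "CHG-1234",
     "valid_from": "2024-05-03T09:00:00Z", "valid_until": "2024-05-03T12:00:00Z"},
]

# Constructed stand-in for a reputation feed; not real threat intelligence.
FLAGGED_IPS = {"203.0.113.7"}


def _ts(s):
    """Parse an RFC 3339 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    """Load JSON-lines audit records and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = _ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_self_grants(events, role="admin"):
    """Role grants where the actor and the target principal are the same."""
    return [e for e in events
            if e["action"] == "iam.role_grant" and e.get("target") == e["actor"]
            and e.get("role") == role]


def is_authorized(grant, approvals):
    """Return the ticket id if a matching approval covers the grant time, else None."""
    for a in approvals:
        if a["subject"] == grant["actor"] and a["role"] == grant["role"]:
            if _ts(a["valid_from"]) <= grant["ts"] <= _ts(a["valid_until"]):
                return a["ticket"]
    return None


def baseline_ips(events, actor, before, lookback_days=30, exclude_hours=1):
    """Source IPs the actor used in the lookback window, excluding the current session.

    The hour immediately before the grant is skipped so a login that starts the
    suspicious session does not count as 'known' for itself.
    """
    lo, hi = before - timedelta(days=lookback_days), before - timedelta(hours=exclude_hours)
    return {e["src_ip"] for e in events if e["actor"] == actor and lo <= e["ts"] < hi}


def subsequent_actions(events, actor, after, window_hours=24):
    """What the actor did in the window after the grant."""
    end = after + timedelta(hours=window_hours)
    return [(e["action"], e.get("target")) for e in events
            if e["actor"] == actor and after < e["ts"] <= end]


def triage(text, approvals=APPROVALS, flagged=FLAGGED_IPS):
    """Answer authorization, compromise signals, and follow-on activity per self-grant."""
    events = parse_events(text)
    findings = []
    for g in find_self_grants(events):
        ticket = is_authorized(g, approvals)
        new_ip = g["src_ip"] not in baseline_ips(events, g["actor"], g["ts"])
        flagged_ip = g["src_ip"] in flagged
        if ticket and not flagged_ip:
            risk = "low"            # approved and from an unremarkable source
        elif ticket:
            risk = "medium"         # approved, but the source IP is on the feed
        elif new_ip or flagged_ip:
            risk = "high"           # unapproved and the session looks unlike the actor
        else:
            risk = "medium"         # unapproved but otherwise ordinary
        findings.append({
            "actor": g["actor"], "when": g["ts"].isoformat(), "ticket": ticket,
            "new_source_ip": new_ip, "flagged_source_ip": flagged_ip, "risk": risk,
            "subsequent": subsequent_actions(events, g["actor"], g["ts"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['actor']} @ {f['when']}: risk={f['risk']} ticket={f['ticket']} "
              f"new_ip={f['new_source_ip']} flagged={f['flagged_source_ip']} "
              f"then={f['subsequent']}")
```

On this data the unapproved grant from a previously unseen, flagged IP followed by a secrets read and a second grant is rated high, while the ticketed grant from a familiar network is rated low; the same structure (authorization lookup, session baseline, follow-on window) is what an analyst would want surfaced in a summary rather than recomputed by hand per alert.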
Outcome + remediation thinking: isolated incident, posture gaps, after-actions
Claude concludes that the activity appears isolated while still surfacing security posture gaps that need attention. The system not only answers “what happened,” but also identifies follow-up improvements.
Final investigation summary: compressing complexity into human review
The platform culminates with a concise investigation summary listing actions taken and key findings. Jackie emphasizes that CLUE helps sift massive alert/data volumes and elevate what truly needs human attention.
Developer velocity and onboarding: Claude Code as force multiplier
Jackie shares an example where a suppression engine she expected to take 1–2 months was built by a new hire in a week. Claude Code helps explain existing systems and gives newcomers autonomy faster.
From practitioner to “security scientist”: expanding what’s possible
She closes by describing how these tools let her move beyond day-to-day operational firefighting into more experimental, research-like work. With greater visibility and scalable analysis, the team can test ideas that were previously out of reach.