CHAPTERS
- 0:00 – 0:30
Why Anthropic’s cybersecurity work is a “new frontier”
Jackie Bow frames security at Anthropic as uniquely challenging because the company is building systems with little precedent. That novelty creates both new risks and new opportunities for how security work is done.
- •Securing frontier AI systems has few established playbooks
- •Security needs to evolve alongside what’s being built
- •Motivation to rethink tooling around real investigator workflows
- 0:30 – 0:45
The investigation pain: too many tools, too many query languages
Jackie describes the traditional security investigation workflow as fragmented and slow. Analysts often bounce between multiple tools and databases, stretching simple investigations into hours or days.
- •Investigations require jumping across 5–6 tools
- •Multiple query languages across disparate data sources
- •High time cost even for straightforward triage
- •Tooling often doesn’t match “boots on the ground” needs
- 0:45 – 1:00
Introducing CLUE: a Claude Code–built detection & response platform
To address these workflow gaps, Anthropic built CLUE, a detection and response platform created with Claude Code. The goal is to streamline investigations by unifying access to relevant systems and context.
- •CLUE is built as an internal detection/response platform
- •Developed with Claude Code to accelerate building and iteration
- •Designed to reduce investigation time and tool-switching
- 1:00 – 1:15
What makes CLUE powerful: deep internal context via tool access
CLUE connects directly to internal systems so it can query data warehouses and also pull organizational context. This includes knowledge sources like Slack and codebases that often provide the missing investigative details.
- •Tool use to query internal data warehouses
- •Ability to incorporate internal knowledge (e.g., Slack, codebases)
- •Environment-specific context helps interpret alerts
- •Contextualization closes gaps that generic tools miss
- 1:15 – 1:30
Walkthrough setup: a privilege escalation question (sample data)
Jackie demonstrates CLUE Investigate using a hypothetical scenario: a developer granted themselves admin access. She notes the dataset shown is imported sample data, not real Anthropic internal information.
- •User asks: was admin access authorized?
- •Request includes checking credential compromise and follow-on actions
- •Demo uses sample/imported data (not real internal data)
- 1:30 – 2:00
Claude proposes an investigation plan and starts executing queries
CLUE has Claude generate a multi-step investigation plan and then automatically run queries to gather evidence. The platform uses connected tools to pull the information needed to validate or refute hypotheses.
- •Claude outlines a structured multi-step plan (six steps)
- •Automated query execution across relevant sources
- •Tool-driven enrichment to accelerate evidence gathering
- 2:00 – 2:16
Findings: classic privilege escalation signals and malicious infrastructure
As results come back, Claude interprets them as consistent with privilege escalation. The investigation flags a suspicious source IP associated with a Russian data center and marked malicious by VirusTotal.
- •Claude identifies indicators consistent with privilege escalation
- •Source IP enrichment indicates suspicious origin
- •VirusTotal flags the IP as malicious (in sample data)
- •Continues issuing follow-up queries to confirm scope
- 2:16 – 2:31
Outcome: incident appears isolated, plus security posture gaps and actions
Claude concludes the activity looks isolated while still surfacing weaknesses in the system’s security posture. The output includes after-action items to improve defenses, not just incident closure.
- •Preliminary “good news”: activity seems contained
- •Highlights gaps in security posture on the affected system
- •Generates practical after-action remediation items
- 2:31 – 2:46
Final deliverable: investigation summary and human-focused escalation
The platform produces a final investigation summary detailing actions taken and findings. Jackie emphasizes CLUE’s role in processing massive alert volumes and escalating only what warrants human attention.
- •Automated, readable summary of steps and conclusions
- •Handles large volumes of data and alerts
- •Prioritizes what a human should review
- •Improves signal-to-noise in security operations
- 2:46 – 3:02
Developer velocity: building a suppression engine in a week with Claude Code
Jackie shares a concrete example of accelerated engineering: a suppression engine she expected to take 1–2 months was built by a new hire in a week. Claude Code helped by explaining existing system design and behavior.
- •Planned effort: 1–2 months; actual: ~1 week
- •Claude Code helps new engineers understand systems quickly
- •Documentation/knowledge transfer becomes interactive and immediate
- 3:02 – 3:32
Onboarding and autonomy: giving new hires a “deep end” floatation device
Claude Code is positioned as an enabler for faster onboarding and greater autonomy. Instead of relying on slow tribal knowledge transfer, new team members can self-serve understanding and contribute sooner.
- •Reduces dependency on senior staff for basic system comprehension
- •Enables autonomous problem-solving for new hires
- •Improves ramp time and confidence for contributors
- 3:32 – 3:41
From practitioner to researcher: expanding visibility and experimentation
Jackie closes by describing how these tools let her move beyond day-to-day operations into more exploratory, research-like work. With increased visibility and scalable analysis, the team can test ideas that were previously out of reach.
- •Building tools she wished existed as a practitioner
- •More capacity to experiment with large-scale data processing
- •Improved visibility into systems enables new security approaches
- •Shifts focus toward research and advanced detection ideas
