
How Anthropic uses Claude in Cybersecurity

Security teams drown in alerts, jumping between tools and query languages for every investigation. Jackie Bow, Technical Lead on Anthropic's Detection Platform Engineering team, shares how her team used Claude Code to build CLUE—a threat detection platform that automates alert triage and cuts investigations from hours to minutes, powered by Claude Sonnet and Opus models. Check out the full case study to learn more: www.claude.com/blog/how-anthropic-uses-claude-cybersecurity

Jackie Bow, host
May 12, 2026 · 3m · Watch on YouTube ↗

EVERY SPOKEN WORD

  1. JB

    [gentle music] Cybersecurity at Anthropic, I would say, is... I'm biased, but I think it's one of the most interesting parts of the company. There's no precedent for what we're building, and so securing it is also kind of, you know, a new frontier. The thing that I've always kind of been stuck on is that we have these tools to do this work, but a lot of them don't actually fit what the analysts or investigators, people with boots on the ground, are doing. Before, investigating a security event would be jumping between five to six different tools, running, you know, three to four different query languages over different databases. For a simple investigation, it would take a couple hours at least and a couple days at most, and that is part of why we built CLUE. CLUE is a detection and response platform that we built with Claude Code. One thing that makes CLUE so powerful is it is connected to our internal systems, so it has access via tool use to query our data warehouses, but it also has the ability to query, like, internal knowledge of our company, so Slack messages and our code bases. That is usually, like, that missing piece that really helps alerts be contextualized for your environment. To note, this is just a sample set of data that I've imported into CLUE, so this isn't actually Anthropic internal information. How we start in CLUE Investigate is the user, being me, would ask a question. So I say, "A developer just gave themselves admin access. Is this authorized? Can you check for credential compromise and what actions they took afterwards?" And so we have asked Claude to come up with a plan on how it would investigate this. It comes up with these six steps. Then it will kick off a bunch of queries, and so these are the tools it's reaching out to for more information to help us figure out what's going on.
    And we see the assistant Claude has come back and has gathered some more information, and it says, "You know, this kind of looks like a pretty classic privilege escalation. Here's some of the reasons I'm coming to that verdict." And it's gonna issue some more queries. This is, again, sample data, but the source IP, when looked up, was a Russian data center, and it was flagged as malicious by VirusTotal. And it then actually comes to, "You know, good news. This seems to be isolated," but it's also identifying there are some gaps in our security posture on this system, so there are some after-action items that we could take. And then finally, the final investigation summary that Claude will come up with and share with you: all the investigations that were taken and the findings. We have this ability to go through immense amounts of data, immense amounts of alerts, and then just raise what a human should actually look at. I had been working on our Q4 plans, and I was like, "Okay, we're going to work on this suppression engine, and this is going to take, you know, at least one to two months." One of our new hires built it in a week. Most of it is because Claude Code is able to explain to them, "Here's how this is set up. Here's how it's working." And it feels like, for me, when I bring people on, that I'm giving them a tool that will give them that autonomy rather than them having to, you know, kind of, like, swim in the deep end immediately. I'm building the tools that I wish that I had, and I'm actually able to do what I feel like is pushing from being a practitioner to being a researcher, kind of a scientist, because I'm getting to test out a lot of the ways that, you know, I've only imagined us being able to process, you know, this immense amount of data and have more visibility into our systems that previously was just out of reach. [music fades]

Episode duration: 3:41

Transcript of episode FPPTnI88RR8
