Capital One releases VulnHunter — open-source agentic AI security tool for finding software vulnerabilities
What happened
Capital One released VulnHunter as an open-source tool under the Apache 2.0 license. The tool is available on GitHub and runs on Anthropic's Claude Opus 4.8 model inside a Claude Code environment. VentureBeat covered VulnHunter on July 17, 2026.
Context and impact
VulnHunter represents a shift from traditional SAST tools that look for vulnerability patterns to agentic systems that simulate attacker behavior. The key innovation is a Falsification Engine — after every finding, the tool actively searches for reasons the finding doesn't hold, reducing false positives. Capital One sees it as a template for internal AI security tooling.
Details
- License: Apache 2.0, available at github.com/capitalone/VulnHunter
- Model: Anthropic Claude Opus 4.8 inside Claude Code environment
- Three innovations: Falsification Engine, Attacker-First Forward Analysis, Evidence-Backed Remediation
- Entry points analyzed: API endpoints, network messages, file uploads
- Generates targeted code fixes for engineer review
Open original source
VentureBeat