Alberta, Canada Uses Claude Code for Security Reviews, Scans 466 Million Lines of Code in 20 Hours — a Job That Would Have Taken 6.5 Years
- Since 2025, Alberta's Ministry of Technology and Innovation has used Claude Code (paired with the Claude Opus and Claude Sonnet models) to review the security of government systems.
- About 50 agents worked autonomously in parallel, scanning 466 million lines of code in 20 hours — covering 27 provincial departments, roughly 1,280 applications, and 3,400 code repositories.
- The team estimates a traditional manual review of the same scale would have taken about 6.5 years.
- Claude Code doesn't just locate vulnerabilities — it also generates fixes, writes tests, and even rewrites outdated systems in modern languages. A 25-year-old Java subsidy system that originally took 5 months to build by hand was rebuilt in just 4 to 5 days.
- The team also built a continuously running red team/blue team security review agent system that checks roughly 95 security controls per application on every pass; Alberta has published a technical white paper for other governments to reference.
Who's using AI to check government system security
Since 2025, Alberta's Ministry of Technology and Innovation has been using Claude Code (paired with the Claude Opus and Claude Sonnet models) to review the security of provincial government systems — finding vulnerabilities, fixing them, and along the way building a security review toolset that keeps running continuously.
How old and tangled is this codebase
Alberta's Ministry of Technology and Innovation maintains systems for all 27 provincial departments — everything from social services to public safety to wildfire response runs on it. Behind that sits roughly 1,280 applications and 3,400 code repositories.
Most of it had never had a systematic security review. Years of accumulated technical debt — insecure code, unfixed bugs, outdated software — add up to an estimated value in the billions of dollars. And these are the very systems that hold the most sensitive information: tax records, government procurement data, social services case files.
How to surface the issues buried in 466 million lines of code
About 50 agents worked autonomously in parallel, each scanning through the code repositories to find not just security vulnerabilities, but also weak points in underlying infrastructure and deployment pipelines, as well as gaps in technical documentation.
The scan ran in two stages: first a rules engine did a fast pass, flagging code that matched known suspicious patterns; then Claude reviewed each flagged item, pointing to the exact file and line number for every issue so developers could go verify it directly. Information got filtered and refined step by step this way.
The rules engine here is a set of pre-written mechanical matching rules: code that fits a certain shape gets flagged. It only flags — it doesn't judge whether something is actually a real issue.
It's like an airport metal detector at security. The alarm going off doesn't mean there's definitely a problem — it just means someone gets pulled aside, and the finer check afterward confirms whether it's real. The rules engine's job is "make the alarm go off"; Claude's job is that finer check afterward — and it also tells you exactly which bag to open.
This single pass covered every code repository Alberta owns, and it also caught issues that traditional automated scanning tools had missed. The full scan finished in 20 hours; the team estimates the same scope via traditional manual review would take about 6.5 years.
What gets flagged, AI fixes next
Flagging issues is only half the job. Wherever the scan found a vulnerability, Claude Code could often write the patch directly: generate the fix, run tests, complete the build.
Where a system lacked automated tests and there was no way to confirm a patch was safe, Claude would add the tests first; where code was too old and too tangled for patching in place to make sense, it would simply rewrite it in a more modern, more maintainable language. All of this happened alongside the department's engineers — every patch had to be reviewed and approved by an engineer before going live.
Add tests first
or full rewrite
reviews and approves
The clearest illustration of the gap is a subsidy program portal. Hand-written in Java 25 years ago, it originally took a full 5 months to build. This time, rewriting it in a modern language took as little as 4 to 5 days.
Time it originally took to build the hand-coded Java subsidy program portal from scratch.
Shortest time needed to rewrite the same system in a modern language.
The scan isn't the end: red team and blue team keep watch around the clock
Scanning systems and applying patches isn't where it ends. Alberta's cybersecurity team also built a dedicated set of Claude review agents to run continuously throughout the development process, turning security review from a one-time special-purpose sweep into a routine part of everyday development.
Red team agents probe systems from the outside like an attacker would, figuring out how a vulnerability could be exploited; blue team agents then evaluate defenses against international security standards and write remediation plans down to the exact file. Together, the two teams put every application through roughly 95 security controls on each pass.
Plays the attacker, actively probing systems from the outside to work out how a vulnerability could be exploited.
Checks whether defenses hold up against international security standards, and writes a concrete remediation plan naming the file to change.
Every round, each application is checked line by line against roughly 95 security controls. These 95 items are broken out from international security standards into specific individual checks — like whether passwords are stored encrypted, or whether user input is validated. Together they form a 95-item security checklist that has to be run through from scratch every round.
Besides the red and blue teams, there are also agents dedicated to checking code quality and whether public-facing text is clear. This entire suite of review agents is built on the Claude Agent SDK.
Can other governments replicate this playbook
Alberta has no intention of keeping this playbook to itself. It has already written up the whole process into a series of technical white papers, published for other provincial, state, and federal governments to reference — because technical debt and security vulnerabilities like these show up in government systems worldwide.
Next, Alberta plans to have AI agents not just modify code, but build entirely new software and tools alongside engineers. For example, one department has 185 legacy applications still running in production — expensive to maintain and hard to update. The team plans to use Claude Code to untangle them and consolidate them into 16 reusable applications built on modern languages.
Legacy applications still running in production, expensive to maintain and hard to update.
Reusable modern applications built on modern languages.
At the same time, Alberta is also training government staff and the general public on how to use AI through the "Alberta AI Academy" — covering everything from prompt writing to shipping enterprise-grade applications.
The numbers say it
Here's the single most striking pair of numbers from the whole story, side by side: the same job, two very different timescales.
Using AI to find and fix the vulnerabilities in our systems, we accomplished in a matter of hours what the traditional approach would have taken years to finish.Nate Glubish, Minister of Technology and Innovation, Government of Alberta