Business News · XiaoHu Explainer

Alberta, Canada Uses Claude Code for Security Reviews, Scans 466 Million Lines of Code in 20 Hours — a Job That Would Have Taken 6.5 Years

50 agents worked autonomously in parallel, covering 27 provincial departments and 3,400 code repositories, while also auto-fixing vulnerabilities and rewriting legacy systems.
Quick take
  • Since 2025, Alberta's Ministry of Technology and Innovation has used Claude Code (paired with the Claude Opus and Claude Sonnet models) to review the security of government systems.
  • About 50 agents worked autonomously in parallel, scanning 466 million lines of code in 20 hours — covering 27 provincial departments, roughly 1,280 applications, and 3,400 code repositories.
  • The team estimates a traditional manual review of the same scale would have taken about 6.5 years.
  • Claude Code doesn't just locate vulnerabilities — it also generates fixes, writes tests, and even rewrites outdated systems in modern languages. A 25-year-old Java subsidy system that originally took 5 months to build by hand was rebuilt in just 4 to 5 days.
  • The team also built a continuously running red team/blue team security review agent system that checks roughly 95 security controls per application on every pass; Alberta has published a technical white paper for other governments to reference.
This article was published on Anthropic's official website, showcasing its own customer case study. The scale figures and time comparisons in the piece (like "6.5 years") are mostly self-estimated and disclosed by the Alberta team — reported below as stated in the original.
1Who's doing this

Who's using AI to check government system security

Since 2025, Alberta's Ministry of Technology and Innovation has been using Claude Code (paired with the Claude Opus and Claude Sonnet models) to review the security of provincial government systems — finding vulnerabilities, fixing them, and along the way building a security review toolset that keeps running continuously.

A team inside the ministry set roughly 50 agents to work autonomously in parallel, scanning 466 million lines of government code in 20 hours.
Why it matters: this is, by publicly known examples so far, the largest AI code security review ever done at government scale. The team estimates the same scope of work via traditional manual review would have taken about 6.5 years.
2How big is the problem

How old and tangled is this codebase

Alberta's Ministry of Technology and Innovation maintains systems for all 27 provincial departments — everything from social services to public safety to wildfire response runs on it. Behind that sits roughly 1,280 applications and 3,400 code repositories.

27provincial departments (social services / public safety / wildfire response...)
~1,280applications
3,400code repositories
466 million lines of code in total

Most of it had never had a systematic security review. Years of accumulated technical debt — insecure code, unfixed bugs, outdated software — add up to an estimated value in the billions of dollars. And these are the very systems that hold the most sensitive information: tax records, government procurement data, social services case files.

Accumulated technical debt in the billions of dollars · Most repositories had zero systematic security review
3How the issues were surfaced

How to surface the issues buried in 466 million lines of code

About 50 agents worked autonomously in parallel, each scanning through the code repositories to find not just security vulnerabilities, but also weak points in underlying infrastructure and deployment pipelines, as well as gaps in technical documentation.

Core method · Two-stage pipeline

The scan ran in two stages: first a rules engine did a fast pass, flagging code that matched known suspicious patterns; then Claude reviewed each flagged item, pointing to the exact file and line number for every issue so developers could go verify it directly. Information got filtered and refined step by step this way.

The rules engine here is a set of pre-written mechanical matching rules: code that fits a certain shape gets flagged. It only flags — it doesn't judge whether something is actually a real issue.

An analogy

It's like an airport metal detector at security. The alarm going off doesn't mean there's definitely a problem — it just means someone gets pulled aside, and the finer check afterward confirms whether it's real. The rules engine's job is "make the alarm go off"; Claude's job is that finer check afterward — and it also tells you exactly which bag to open.

466M lines of code · 50 agents, full parallel scan
Rules engine flags "known suspicious patterns"
Claude reviews · pinpoints exact file and line
Developers verify by line · confirm real issues

This single pass covered every code repository Alberta owns, and it also caught issues that traditional automated scanning tools had missed. The full scan finished in 20 hours; the team estimates the same scope via traditional manual review would take about 6.5 years.

~50
autonomous parallel scanning agents
20 hours
actual time for the full scan
466M lines
total government code covered
~6.5 years
estimated time for traditional manual review
4Fixing what got found

What gets flagged, AI fixes next

Flagging issues is only half the job. Wherever the scan found a vulnerability, Claude Code could often write the patch directly: generate the fix, run tests, complete the build.

Where a system lacked automated tests and there was no way to confirm a patch was safe, Claude would add the tests first; where code was too old and too tangled for patching in place to make sense, it would simply rewrite it in a more modern, more maintainable language. All of this happened alongside the department's engineers — every patch had to be reviewed and approved by an engineer before going live.

Scan finds vulnerability
Missing tests?
Add tests first
Generate fix
or full rewrite
Engineer
reviews and approves

The clearest illustration of the gap is a subsidy program portal. Hand-written in Java 25 years ago, it originally took a full 5 months to build. This time, rewriting it in a modern language took as little as 4 to 5 days.

25 years ago · Built by hand
5 months

Time it originally took to build the hand-coded Java subsidy program portal from scratch.

Now · Rebuilt with Claude Code
4 to 5 days

Shortest time needed to rewrite the same system in a modern language.

5Ongoing oversight

The scan isn't the end: red team and blue team keep watch around the clock

Scanning systems and applying patches isn't where it ends. Alberta's cybersecurity team also built a dedicated set of Claude review agents to run continuously throughout the development process, turning security review from a one-time special-purpose sweep into a routine part of everyday development.

Core method · Continuous red team/blue team review

Red team agents probe systems from the outside like an attacker would, figuring out how a vulnerability could be exploited; blue team agents then evaluate defenses against international security standards and write remediation plans down to the exact file. Together, the two teams put every application through roughly 95 security controls on each pass.

Red Team · Offense

Plays the attacker, actively probing systems from the outside to work out how a vulnerability could be exploited.

Blue Team · Defense

Checks whether defenses hold up against international security standards, and writes a concrete remediation plan naming the file to change.

① Red team probesProbes the system from outside like an attacker, finding vulnerabilities that could be exploited
② Blue team evaluatesChecks defenses against international security standards, writes remediation plans down to the file
③ Fix goes liveAfter engineer review and approval, the patch enters the system
↻ Back to step ①, next round · ~95 security controls per application, per round

Every round, each application is checked line by line against roughly 95 security controls. These 95 items are broken out from international security standards into specific individual checks — like whether passwords are stored encrypted, or whether user input is validated. Together they form a 95-item security checklist that has to be run through from scratch every round.

Besides the red and blue teams, there are also agents dedicated to checking code quality and whether public-facing text is clear. This entire suite of review agents is built on the Claude Agent SDK.

6Can it be replicated

Can other governments replicate this playbook

Alberta has no intention of keeping this playbook to itself. It has already written up the whole process into a series of technical white papers, published for other provincial, state, and federal governments to reference — because technical debt and security vulnerabilities like these show up in government systems worldwide.

2025
The ministry forms an internal team and starts using Claude for security review and hardening of its systems.
Following that
466 million lines of code scanned in 20 hours; vulnerabilities fixed, legacy systems rewritten.
Following that
Builds continuous red team/blue team review agents, making security oversight a standing routine.
Now published
Publishes technical white papers, giving other governments a blueprint they can follow.
July 2026
Hosts an industry day in Edmonton to share what it learned from this approach.
Starting this fall
Launches an initiative to roll this approach out across the provincial government.

Next, Alberta plans to have AI agents not just modify code, but build entirely new software and tools alongside engineers. For example, one department has 185 legacy applications still running in production — expensive to maintain and hard to update. The team plans to use Claude Code to untangle them and consolidate them into 16 reusable applications built on modern languages.

Now
185

Legacy applications still running in production, expensive to maintain and hard to update.

Planned consolidation to
16

Reusable modern applications built on modern languages.

At the same time, Alberta is also training government staff and the general public on how to use AI through the "Alberta AI Academy" — covering everything from prompt writing to shipping enterprise-grade applications.

Thousands of
government staff who've learned AI through the platform
10,000+
members of the public who've used the platform to learn AI
7The numbers say it

The numbers say it

Here's the single most striking pair of numbers from the whole story, side by side: the same job, two very different timescales.

Actual time with Claude Code20hours
Traditional manual review · team estimate≈6.5years
Same 466-million-line code security review — that sliver of a bar above, barely visible, is those 20 hours.
Using AI to find and fix the vulnerabilities in our systems, we accomplished in a matter of hours what the traditional approach would have taken years to finish.Nate Glubish, Minister of Technology and Innovation, Government of Alberta
Source: Anthropic's official website, "Government of Alberta uses Claude to find and fix cybersecurity vulnerabilities." The scale figures and time comparisons in this article (including "6.5 years" and "185 → 16") are mostly self-estimated and disclosed by Alberta's Ministry of Technology and Innovation. Alberta's published technical white papers are available at thevelocitywhitepapers.com.