How Anthropic's Cybersecurity Team Built a Threat Detection Platform with Claude Code

Anthropic published a detailed engineering case study showing how its internal Detection Platform Engineering team used Claude Code to build CLUE (Claude Looks Up Evidence), a natural language threat detection and investigation platform, in under a week. The platform reduced false positive alert rates from approximately 33% to 7% and compressed security investigations from hours down to 3–4 minutes. Over 30 days, CLUE automated roughly 12,000 queries and 27,000 tool calls, equivalent to an estimated 1,870 hours of manual analyst work.

Anthropic's Detection Platform Engineering team, led by Technical Lead Jackie Bow, faced a challenge familiar to security organizations everywhere: analysts juggling multiple disconnected tools, each with its own query language and interface, while racing to triage an unrelenting stream of alerts. Alert enrichment and investigation routinely consumed hours before a human analyst could make a meaningful determination, and the alert volume continued to grow faster than headcount.

Rather than build another dashboard, the team used Claude Code to create CLUE (Claude Looks Up Evidence), a natural language platform that connects directly to Anthropic's internal systems via tool use.

From Proof of Concept to Production in One Week

The development timeline stands out. Using Claude Code as both design partner and implementation collaborator, the team had a working proof of concept within a single day. Full design documentation and a production-ready implementation followed within a week.

Bow described the experience as qualitatively different from conventional development: "So much of what we built was us talking to Claude Code. It was both a design partner and collaborator." She noted a pivotal moment when she asked for a button feature, expecting the usual round of JavaScript and CSS debugging; instead, Claude Code implemented it immediately and more effectively than she had anticipated. The interaction encapsulated how much the feedback loop between idea and working code had compressed.

What CLUE Does

CLUE is structured around two core capabilities that address distinct stages of the security workflow.

CLUE Triage

Before a human analyst reviews any alert, CLUE Triage enriches it automatically. Claude pulls in context from Slack conversations, internal documentation, code repositories, and data warehouses, then assigns each alert one of four dispositions (false positive, true positive, malicious, or expected behavior) along with a confidence score. Every incoming alert passes through this enrichment layer, including the thousands of signals that would previously have been dismissed unexamined simply because analysts lacked the bandwidth to look at them.

CLUE Investigate

When analysts need deeper analysis, CLUE Investigate replaces complex, tool-specific query languages with plain natural language. Claude orchestrates an agentic loop of parallel sub-agents that execute queries across security logs, synthesize the results, and produce investigation summaries. Work that previously required hours of manual effort across multiple systems now completes in 3 to 4 minutes.
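The two loops above are described only at the architecture level, so the following is an added example, not code from Anthropic or the CLUE project, showing the control plane a practitioner would put around a model-driven triage and investigation loop: a read-only, allowlisted tool registry that is the only thing the model can call, parallel fan-out of sub-agent queries, an audit record of every requested tool call (accepted or rejected), validation of the model's structured verdict, and a gate that auto-closes only high-confidence benign dispositions and routes everything else to a human. The model's final turn is replaced by a scripted stand-in (`scripted_verdict`) so the example runs offline; every log line, document, user name, tool name and threshold is constructed for illustration and none of it comes from the case study.

```python
# Added example, not Anthropic's or CLUE's code. Shows the checks around a
# Claude-powered triage/investigate loop: allowlisted read-only tools, parallel
# sub-agent queries, an audit trail, verdict validation and a human-review gate.
# `scripted_verdict` stands in for the model's structured final answer so the
# example runs offline. All data below is constructed for illustration.
from concurrent.futures import ThreadPoolExecutor
from threading import Lock

# Constructed sample auth events and context docs (hypothetical).
AUTH_LOGS = [
    {"ts": "2024-05-01T09:12Z", "user": "jdoe", "src": "10.1.4.7", "result": "success", "geo": "US"},
    {"ts": "2024-05-01T09:13Z", "user": "jdoe", "src": "10.1.4.7", "result": "success", "geo": "US"},
    {"ts": "2024-05-01T09:14Z", "user": "svc-backup", "src": "203.0.113.9", "result": "failure", "geo": "RO"},
    {"ts": "2024-05-01T09:15Z", "user": "svc-backup", "src": "203.0.113.9", "result": "success", "geo": "RO"},
]
CONTEXT_DOCS = {"jdoe": "on-call engineer; 10.1.4.0/24 is the corporate VPN egress range"}

DISPOSITIONS = {"false_positive", "true_positive", "malicious", "expected_behavior"}
BENIGN = {"false_positive", "expected_behavior"}
AUTO_CLOSE_THRESHOLD = 0.9  # assumed value; tune against the measured FP rate


# Read-only tools. The registry itself is the allowlist: nothing else is callable.
def search_auth_logs(user: str) -> list[dict]:
    return [e for e in AUTH_LOGS if e["user"] == user]


def lookup_context(user: str) -> str:
    return CONTEXT_DOCS.get(user, "no documented context")


TOOLS = {"search_auth_logs": search_auth_logs, "lookup_context": lookup_context}


class Audit:
    """Records every tool call the model requests, accepted or not."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._lock = Lock()  # sub-agents append from worker threads

    def record(self, name: str, status: str) -> None:
        with self._lock:
            self.entries.append({"name": name, "status": status})


def dispatch(call: dict, audit: Audit):
    """Run one model-requested tool call; refuse anything off the allowlist
    or called with arguments the tool does not accept."""
    name, args = call.get("name"), call.get("args", {})
    if name not in TOOLS:
        audit.record(str(name), "rejected")
        return {"error": f"tool {name!r} not permitted"}
    try:
        result = TOOLS[name](**args)
    except TypeError as exc:  # unexpected or missing arguments
        audit.record(name, "rejected")
        return {"error": f"bad arguments for {name}: {exc}"}
    audit.record(name, "ok")
    return result


def run_subagents(calls: list[dict], audit: Audit) -> list:
    """Fan the model's queries out in parallel, as an investigate loop would."""
    with ThreadPoolExecutor(max_workers=4) as pool:
        return list(pool.map(lambda c: dispatch(c, audit), calls))


def scripted_verdict(evidence: list) -> dict:
    """Stand-in for the model's structured final answer (a fixed rule here)."""
    logs, context = evidence
    offsite = [e for e in logs if e["geo"] != "US"]
    if "corporate" in context and not offsite:
        return {"disposition": "false_positive", "confidence": 0.95}
    if offsite and any(e["result"] == "failure" for e in offsite):
        return {"disposition": "malicious", "confidence": 0.8}
    return {"disposition": "true_positive", "confidence": 0.5}


def triage(alert: dict) -> dict:
    """Enrich one alert, validate the verdict, and decide whether a human sees it."""
    audit = Audit()
    calls = [{"name": "search_auth_logs", "args": {"user": alert["user"]}},
             {"name": "lookup_context", "args": {"user": alert["user"]}}]
    evidence = run_subagents(calls, audit)
    verdict = scripted_verdict(evidence)
    # Never trust the model's structured output blindly: malformed verdicts go to a human.
    valid = (verdict.get("disposition") in DISPOSITIONS
             and isinstance(verdict.get("confidence"), (int, float))
             and 0.0 <= verdict["confidence"] <= 1.0)
    auto_close = (valid and verdict["disposition"] in BENIGN
                  and verdict["confidence"] >= AUTO_CLOSE_THRESHOLD)
    return {"alert": alert["id"], **verdict,
            "route": "auto_close" if auto_close else "human_review",
            "tool_calls": audit.entries}


if __name__ == "__main__":
    for a in ({"id": "A-1", "user": "jdoe"}, {"id": "A-2", "user": "svc-backup"}):
        print(triage(a))
```

The design choice worth copying is that the gate is asymmetric: a "malicious" or "true positive" verdict always reaches a human regardless of confidence, while only benign dispositions above the threshold are closed automatically, and a verdict that does not parse into a known disposition is treated as needing review rather than as noise. The audit entries are also what let a team report figures like the tool-call counts in the case study.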

Measured Impact

Anthropic shared concrete metrics from CLUE's deployment:

  • False positive rate dropped from approximately 33% to 7%, allowing analysts to spend their attention on genuine signals instead of noise.
  • Alert coverage expanded to every incoming alert, a scope previously impossible given team capacity.
  • Automation volume: Over 30 days, CLUE ran approximately 12,000 queries and 27,000 tool calls.
  • Time saved: Those automated actions represent an estimated 1,870 hours (roughly 234 person-days) of manual work, reflecting 5–10x efficiency gains.

What This Signals for Security Teams

The CLUE case study is significant for two reasons beyond raw productivity numbers. First, it documents Claude Code being used to build a production AI system, not just to write application code: a working proof of concept in a day and a production-ready implementation within a week. Second, the platform it produced is itself powered by Claude, demonstrating a compounding pattern: AI accelerates the construction of AI-native systems.

The Anthropic team is now exploring proactive threat hunting (moving beyond reactive alert triage), building organizational memory from accumulated investigation transcripts, and treating investigation non-determinism (the fact that Claude may approach the same problem differently across runs) as a feature rather than a liability.

For security engineering teams evaluating AI-assisted operations, this case study provides one of the most detailed published accounts of what a Claude Code-built, Claude-powered production security pipeline looks like in practice.