VulnHunter: Capital One's agentic AI code security tool Capital One has open-sourced VulnHunter, an agentic AI security tool that proactively analyzes source code from an attacker's perspective to identify vulnerabilities and propose fixes. The tool uses a falsification engine to minimize false positives and is designed to integrate into developer workflows, aiming to help organizations defend against AI-powered cyberattacks. Announcing VulnHunter Capital One’s open-source, agentic AI code security tool. The rules of software security are changing faster than most defenders can keep pace. Advanced AI models have dramatically lowered the barrier for bad actors to discover and exploit vulnerabilities in software. What once required significant skill and time can now be automated, accelerated, and scaled. The world faces an increasingly short window of time before highly sophisticated, next-generation AI attack capabilities become affordable and accessible to virtually every adversary. Across the industry, organizations are racing to prepare for this paradigm shift. Traditional environmental protections like network segmentation, identity controls, and monitoring remain essential, but are no longer sufficient on their own. The ultimate defense in this new reality requires a shift in approach: organizations need to consider and detect the vulnerabilities in their code and fix them before adversaries can deploy advanced models to discover and exploit them. At Capital One, we decided that the right response to AI-enabled threats wasn't to wait, but to build cutting-edge AI-driven defenses and put them in the hands of defenders everywhere. That’s why we are announcing today the open-source release of VulnHunter , an advanced agentic AI security tool designed to apply proactive, attacker-perspective analysis directly to the source code. Developed internally at Capital One, VulnHunter is not a traditional, passive vulnerability scanner. It represents a shift in defensive tooling with an agentic reasoning workflow to identify potentially exploitable defects, map prospective attack paths, and propose highly targeted code remediations. Built for the developer experience To fully unlock the utility of VulnHunter, we knew ease of use mattered. A persistent challenge with traditional security tools is that they are often built primarily to enforce rigid cybersecurity practices, without much consideration for a developer’s actual day-to-day workflow. We brought a developer-first mindset when building VulnHunter. We knew the only way a security tool can be successful at enterprise scale is if it is something developers actually want to use. We focused on making the developer experience highly efficient in the moments that matter. By intentionally rounding out and minimizing traditional points of friction throughout the development process, VulnHunter shifts the developer's burden away from triaging false alarms. Instead, the workflow is focused on immediate, evidence-backed code repair. Under the hood: the unique capabilities of VulnHunter VulnHunter introduces several key technical innovations designed to minimize speculative alerts and maximize actionable repair: - Falsification engine designed to challenge its own conclusions: Our goal is to minimize false positives before they ever reach a developer. After surfacing any finding, VulnHunter runs a structured reasoning workflow specifically designed to disprove its own argument. This falsification engine actively searches for assumptions that don't hold, logical gaps in the exploit path, and conditions that would prevent the attack from succeeding. It is designed to immediately discard findings that rely on unsupported assumptions. The result: what reaches a developer's attention has already survived a rigorous internal challenge. Every flagged vulnerability is one the tool has tried and failed to rule out. - Attacker-first forward analysis: Conventional tools often leverage “sink-first” analysis, looking at potentially dangerous code patterns in isolation to search backward for a hypothetical attacker. This approach can flood engineering teams with false positives. VulnHunter flips this model to simulate a bad actor’s exact journey. It begins at potential attacker-accessible entry points — such as APIs, network messages, or file uploads — and reasons forward through application logic, data transformations, and internal security checkpoints. By modeling how an attacker actually interacts with a system, VulnHunter evaluates whether an attacker can truly break through. - Evidence-backed remediation modeling: When a defect survives the falsification engine, VulnHunter doesn't just sound the alarm and leave the guesswork to developers. It shifts from finding the problem to working to solve it. VulnHunter gathers supporting evidence across the codebase to map out the entire surviving exploit path. It is designed to provide a clear explanation of the defect, detail the specific capabilities or access an attacker would gain, and generate focused, targeted code changes for engineering review. Validation Before releasing VulnHunter to the community, we ran it on our own code. We were able to identify and remediate vulnerabilities across thousands of repositories, spanning tens of business areas, with speed and efficiency. What took our teams significant time and manual triage before now produces verified, actionable findings quickly and effectively. A commitment to collective defense Modern software supply chains are deeply interconnected. A single vulnerability in a widely-used open-source component can ripple across thousands of enterprises simultaneously. We’re open-sourcing VulnHunter because no single organization can solve this challenge alone. The defensive tools to address this reality need to be just as widely distributed, tested, and improved as the codebases they protect. Building on Capital One’s commitment to open collaboration, the release of VulnHunter enables the broader tech and security community to inspect the workflow, challenge its assumptions, and contribute improvements to this new defensive approach. Get started with VulnHunter on GitHub VulnHunter is available now. To run it, you will need access to Claude Opus 4.8 and access to a working Claude Code environment. The repository includes a Quickstart guide, architecture documentation, and annotated example workflows showing how VulnHunter traces code paths and generates remediations. Known limitations and the active development roadmap are documented in the repository. If you want to contribute — whether that's reporting a bug, proposing a change to the reasoning workflow, or expanding model support — the CONTRIBUTING.md outlines the process for submitting issues and pull requests. - Repository: github.com/capitalone/vulnhunter https://github.com/capitalone/vulnhunter - License: Apache License 2.0 - Model Optimization: Claude Opus 4.8 model - Initial Implementation: Claude Code skill While VulnHunter was authored and leveraged with Claude Opus 4.8 and Claude Code in mind, the framework and skills have potential to be leveraged across coding harnesses and foundation models. The threat landscape isn't waiting. We built VulnHunter to give defenders a more rigorous, evidence-driven way to find and fix vulnerabilities before attackers can reach them. We're releasing it because secure software is a shared foundation that benefits developers, enterprises, and the people who depend on the systems we all build. We look forward to seeing what the community builds with this next. Learn more about Capital One Tech - Get started with VulnHunter on GitHub https://github.com/capitalone/vulnhunter . - Explore how Capital one is building AI to solve complex challenges at scale https://www.capitalone.com/tech/ai/ . - Discover career opportunities https://www.capitalonecareers.com/tech .