The Intelligent Layer
Claude Orchestrates Every Stage
Claude AI is the connective tissue across your entire DevSecOps pipeline — triaging findings, correlating signals between stages, generating fixes, and writing the reports humans actually read.
Triage
Deduplicates findings across scanners, classifies false positives, and prioritizes by real-world exploitability.
Correlate
Connects signals across stages — links a DAST finding to its SAST root cause and the threat model that predicted it.
Fix
Generates remediation PRs, IaC patches, and policy updates — developers review fixes, not raw vulnerability reports.
Report
Writes executive summaries, compliance evidence, and trend analysis — from board decks to audit artifacts.
Full Pipeline Scan
$ claude orchestrate --pipeline antos --scope full Scanning 8 pipeline stages... [1/8] Plan ✓ 14 threats modeled, 6 mitigations required [2/8] Code ✓ 3 PRs reviewed, 1 fix generated [3/8] Build ✓ 47 findings → 31 unique, 12 false positives [4/8] Test ✓ 18 DAST results correlated with 4 CVEs [5/8] Release ✓ SBOM clean, 2 license risks flagged [6/8] Deploy ✓ 3 IaC violations — auto-fix PRs ready [7/8] Operate ✓ 2 alert clusters → 1 incident narrative [8/8] Monitor ✓ Posture: 92% — MTTR improved 18% MoM Summary: 6 actions recommended, 4 auto-fixes ready. Security posture: STRONG — trend improving.
See the Pipeline Run
Watch Claude orchestrate 17 enterprise tools across 8 stages — from threat modelling to executive reporting in under 40 seconds.
Organisation-Wide Posture
Six services running the same 8-stage pipeline in parallel — findings accumulate, risk is scored live, and Claude triages everything in real time.
Active Pipelines
Risk Heatmap
✨ Claude Activity Feed
Real Pipeline, Real Tools
This GitHub Actions workflow runs on every push — open-source security tools validating the same pipeline ANTOS demonstrates.
name: ANTOS Security Pipeline
on:
push:
branches: [master]
pull_request:
branches: [master]
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
# ── Stage 1: Plan ──────────────────────────────────
plan:
name: "Plan — Threat Model Validation"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate Mermaid diagrams
run: |
npm install -g @mermaid-js/mermaid-cli
find . -name "*.mmd" -exec mmdc -i {} -o /dev/null \;
echo "✓ All Mermaid diagrams are valid"
- name: Check threat model docs exist
run: |
if [ -d "docs/threat-models" ] || [ -d "arch" ]; then
echo "✓ Threat model directory found"
else
echo "ℹ No threat model docs yet — consider adding arch/ or docs/threat-models/"
fi
# ── Stage 2: Code ──────────────────────────────────
code:
name: "Code — SAST + Secret Detection"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Semgrep SAST scan
uses: semgrep/semgrep-action@v1
with:
config: >-
p/owasp-top-ten
p/typescript
p/react
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- name: Gitleaks secret detection
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# ── Stage 3: Build ─────────────────────────────────
build:
name: "Build — Compile + Audit"
runs-on: ubuntu-latest
needs: [code]
defaults:
run:
working-directory: ui-app
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
cache-dependency-path: ui-app/package-lock.json
- name: Install dependencies
run: npm ci
- name: npm audit (production)
run: npm audit --production --audit-level=high || true
- name: Build application
run: npm run build
# ── Stage 5: Release ───────────────────────────────
release:
name: "Release — Image Scan + SBOM"
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@v4
- name: Build Docker image
run: |
docker build -t antos-ui:ci -f ui-app/Dockerfile ui-app/
- name: Trivy container scan
uses: aquasecurity/trivy-action@master
with:
image-ref: antos-ui:ci
format: table
severity: HIGH,CRITICAL
exit-code: 0
- name: Syft SBOM generation
uses: anchore/sbom-action@v0
with:
image: antos-ui:ci
format: cyclonedx-json
output-file: sbom.json
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
# Cosign signing — uncomment when pushing to a container registry
# - name: Cosign sign image
# uses: sigstore/cosign-installer@v3
# - run: cosign sign --yes antos-ui:ci
# ── Stage 6: Deploy ────────────────────────────────
deploy:
name: "Deploy — IaC + Policy Scan"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkov IaC scan
uses: bridgecrewio/checkov-action@v12
with:
directory: .
framework: dockerfile,github_actions
quiet: true
soft_fail: true
# ── Security extras ────────────────────────────────
security:
name: "Security — Policy + Detection Rules"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install OPA
run: |
curl -sSL -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static
chmod +x opa
sudo mv opa /usr/local/bin/
- name: Validate Rego policies
run: |
if [ -d "policies" ]; then
opa check policies/
echo "✓ All Rego policies are valid"
else
echo "ℹ No policies/ directory — consider adding OPA/Rego policies"
fi
- name: Validate Sigma rules
run: |
pip install sigma-cli
if [ -d "rules/sigma" ]; then
sigma check rules/sigma/
echo "✓ All Sigma rules are valid"
else
echo "ℹ No rules/sigma/ directory — consider adding Sigma detection rules"
fi
# ── Stages 7-8: Runtime (not CI) ───────────────────
# Operate & Monitor are runtime concerns, not CI jobs.
# In production these are handled by:
# - Microsoft Sentinel (SIEM + KQL analytics)
# - Wiz (CNAPP + runtime threat detection)
# - ServiceNow (incident management + CMDB)
# - Defender for Cloud (CSPM + secure score)
# - AWS SecurityHub (compliance standards)
# Claude orchestrates across all of these continuously.
Open-Source Tools
Lightweight SAST with OWASP, TypeScript, and React rulesets
Secret detection across git history and staged changes
Container image, filesystem, and IaC vulnerability scanning
SBOM generation in CycloneDX and SPDX formats
IaC scanning for Dockerfiles, Terraform, and CI configs
Keyless container signing via Sigstore transparency logs
Plan
Threat model before you build
Security starts at design time. We decompose every feature into trust boundaries, data flows, and threat surfaces using STRIDE methodology. Risk is rated before a single line of code is written.
Tools & Technologies
STRIDE
Systematic threat categorization framework
OWASP Risk Rating
Likelihood × impact scoring
Mermaid
MITDiagramming-as-code for threat models and architecture
Design Reviews
Peer-reviewed architecture decisions
Abuse Cases
Anti-requirements from attacker perspective
Key Metrics
Example Output
┌─────────────────────────────────────────┐ │ STRIDE Analysis — Auth Service v2.3 │ ├──────────┬──────────────────────────────┤ │ Spoofing │ JWT forgery via weak secret │ │ Tamper │ Session cookie manipulation │ │ Repud. │ Missing audit trail on MFA │ │ Info │ Token leakage in error resp │ │ DoS │ Brute-force login endpoint │ │ EoP │ Role escalation via API │ ├──────────┴──────────────────────────────┤ │ Risk: HIGH │ Mitigations: 6 required │ └─────────────────────────────────────────┘
Claude's Role
Generates threat models from architecture descriptions
- STRIDE analysis from design documents and architecture diagrams
- Risk prioritization based on business context and attack surface
- Attack tree generation from user stories and data flows
- Abuse case derivation from functional requirements
> Analyze this microservice architecture for STRIDE threats Claude: Identified 14 threats across 5 trust boundaries. Top risk: Token replay on inter-service bus (Impact: HIGH) Generating attack tree and mitigation recommendations...
Code
Shift left — catch it at the keyboard
Developers get real-time security feedback in their IDE. Pre-commit hooks block secrets and vulnerable patterns before they enter version control. Branch protection enforces review requirements.
Tools & Technologies
Semgrep
LGPLLightweight static analysis with custom rules
Gitleaks
MITPre-commit secret detection
Pre-commit Hooks
Automated gates before code enters VCS
Branch Protection
Enforced review + status checks
IDE Security Plugins
Real-time vulnerability highlighting
Key Metrics
Example Output
$ git commit -m "feat: add payment endpoint"
Gitleaks .......................... PASSED
Semgrep (OWASP Top 10) ........... PASSED
Semgrep (custom rules) ........... FAILED
⚠ sql-injection: Unsanitized input in query
→ src/payments/handler.py:42
Fix: Use parameterized query
Commit blocked — 1 finding to resolve.Claude's Role
Reviews every PR for security issues in real time
- PR-level security review with inline fix suggestions
- Custom Semgrep rule generation from vulnerability patterns
- Semantic secret detection beyond regex — context-aware classification
- Dependency risk assessment on every package change
> Review PR #412: Add payment processing endpoint Claude: Found 3 issues in src/payments/handler.py: L42: SQL injection — use parameterized query (fix attached) L67: PII logged in plaintext — redact card_number L89: Missing rate limit on POST /charge
Build
Every build is a security checkpoint
CI pipelines run SAST, software composition analysis, and secrets detection on every push. Builds fail fast on critical findings — no vulnerable artifact reaches the registry.
Tools & Technologies
SAST
Deep static analysis of compiled artifacts
Snyk
SCA — known vulnerabilities in dependencies
TruffleHog
Entropy-based secrets detection in git history
License Compliance
OSS license risk analysis
Key Metrics
Example Output
▶ Build Pipeline — commit a3f8c21
✓ SAST scan .................. 0 critical, 2 medium
✓ Snyk SCA ................... 0 critical, 1 high
✗ TruffleHog ................. 1 SECRET FOUND
→ AWS_SECRET_ACCESS_KEY in config/deploy.yml:18
→ Entropy: 4.92 (threshold: 4.5)
BUILD FAILED — secret detected in source tree.
Rotate credential immediately.Claude's Role
Triages and deduplicates SAST/SCA findings
- Cross-scanner deduplication — merges overlapping findings
- False positive classification using code context analysis
- Auto-remediation PR generation for common vulnerability patterns
- Contextual CVE impact assessment per application
> Triage 47 findings from SAST + Snyk scan Claude: Deduplicated to 31 unique issues. 12 false positives (test fixtures, dead code paths) 8 auto-fix PRs generated (dependency bumps) 11 require manual review — prioritized by reachability
Test
Attack your own software first
Dynamic testing hammers running applications with real attack payloads. OWASP ZAP crawls every endpoint, Nuclei fires targeted exploit checks, and API fuzzers probe edge cases your unit tests miss.
Tools & Technologies
OWASP ZAP
Full-spectrum DAST scanner
Nuclei
MITTemplate-based vulnerability scanner
API Fuzzing
Schema-aware input mutation testing
Sigma
LGPLCross-platform detection format — compiles to KQL, SPL, etc.
Key Metrics
Example Output
▶ DAST Scan — staging.example.com ZAP Spider: 847 URLs discovered Active Scan: 12,340 requests sent FINDINGS: ┌──────┬───────────────────────────────────┐ │ HIGH │ SQL Injection — /api/users?id= │ │ MED │ Missing CSP header on /dashboard │ │ MED │ CORS wildcard on /api/public │ │ LOW │ Server version disclosure │ └──────┴───────────────────────────────────┘ Total: 1 High, 2 Medium, 1 Low
Claude's Role
Correlates DAST results with known exploit chains
- Prioritization by real-world exploitability, not just CVSS
- CVE correlation — maps findings to active exploit campaigns
- Attack chain reconstruction from individual findings
- Test coverage gap identification across endpoints
> Correlate 18 DAST findings with threat intel Claude: SQL injection on /api/users matches CVE-2024-3094 exploit chain. Active exploitation seen in the wild. Priority: CRITICAL — patch within 24 hours. 3 findings linked to same root cause (input validation).
Release
Sign it, scan it, ship it
Container images are scanned for OS and library vulnerabilities before registry push. Artifacts are cryptographically signed for supply chain integrity. SBOMs provide full transparency.
Tools & Technologies
Trivy
Apache 2.0Container image + filesystem + IaC + SCA scanning
Cosign / Sigstore
Artifact signing and verification
Syft
SBOM generation (SPDX / CycloneDX)
Registry Policies
Admission rules for image provenance
Key Metrics
Example Output
▶ Release Gate — myapp:v2.3.1-rc1
Trivy Scan:
OS Packages ............ 0 critical, 3 high
Language Libs .......... 0 critical, 0 high
IaC Misconfigs ......... 0
Cosign:
✓ Image signed with keyless (Fulcio + Rekor)
✓ Signature verified
✓ SBOM attached (CycloneDX, 342 components)
RELEASE APPROVED — promoting to production registry.Claude's Role
Validates supply chain integrity end-to-end
- SBOM license risk analysis — flags viral/copyleft conflicts
- Dependency risk scoring based on maintainer activity and CVE history
- Automated security release notes from changelog + diff analysis
- Supply chain anomaly detection — unexpected dependency changes
> Analyze SBOM for myapp:v2.3.1-rc1 Claude: 342 components scanned. 2 license conflicts (GPL in MIT-licensed project) 1 abandoned dependency (no commits in 18 months) Supply chain integrity: VERIFIED — all signatures valid
Deploy
Infrastructure as code, policy as code
Every Terraform plan, CloudFormation template, and Kubernetes manifest is scanned for misconfigurations. OPA policy gates enforce organizational standards before any resource is provisioned.
Tools & Technologies
Checkov
Apache 2.0IaC scanning for TF, CFN, Bicep, K8s manifests
tfsec
Terraform-specific static analysis
OPA / Rego
Apache 2.0Policy engine — cloud-agnostic, pipeline-integrated
GitOps
Declarative deployment via pull-based reconciliation
Key Metrics
Example Output
▶ IaC Scan — terraform/production/
Checkov:
✓ CKV_AWS_18: S3 bucket logging enabled
✓ CKV_AWS_19: S3 bucket encryption enabled
✗ CKV_AWS_145: KMS CMK not configured
✗ CKV_AWS_144: Cross-region replication disabled
OPA Policy Gate:
✗ DENY: Instance type m5.24xlarge exceeds
budget policy (max: m5.4xlarge)
DEPLOY BLOCKED — 3 policy violations.Claude's Role
Enforces infrastructure policy with plain-language explanations
- IaC misconfiguration fixes with human-readable explanations
- OPA/Rego policy generation from natural language requirements
- Drift analysis — detects and explains infrastructure state divergence
- Least-privilege IAM policy generation from access patterns
> Explain IaC violation CKV_AWS_145 and generate fix Claude: KMS CMK not configured on S3 bucket "data-lake". Risk: Data encrypted with AWS-managed keys only. Fix: Add aws_kms_key resource + server_side_encryption configuration block. Terraform diff attached.
Operate
Detect threats in real time
Runtime security monitors container behavior, network traffic, and system calls. WAF blocks application-layer attacks. SIEM correlates events across the entire stack for threat detection.
Tools & Technologies
Falco
Runtime container threat detection via syscall monitoring
WAF
Application-layer attack prevention
Microsoft Sentinel
Cloud-native SIEM with KQL analytics
EDR
Endpoint detection and response
Key Metrics
Example Output
▶ Falco Alert — production-cluster
14:23:07 CRITICAL: Shell spawned in container
rule: Terminal shell in container
output: Shell (bash) spawned by httpd
(user=www container=api-prod-7f8c9
image=myapp:v2.3.1)
fields: proc.name=bash proc.pname=httpd
container.name=api-prod-7f8c9
→ Auto-response: Container isolated,
SOC notified, forensic snapshot captured.Claude's Role
Correlates alerts and writes incident summaries
- Cross-source correlation — Falco + SIEM + EDR event fusion
- Incident narrative generation with timeline reconstruction
- Automated containment action recommendations
- MITRE ATT&CK technique mapping for every alert cluster
> Correlate Falco alert with SIEM events Claude: Shell spawn in api-prod-7f8c9 correlates with: - 14:22:51 Brute-force on /login (SIEM: 340 attempts) - 14:23:03 Successful auth from 185.x.x.x (new IP) ATT&CK: T1110.001 → T1059.004. Recommend: isolate pod.
Monitor
Measure, report, improve
Continuous visibility across the entire pipeline. Vulnerability dashboards track mean time to remediate. Compliance evidence is automatically collected for SOC 2 and ISO 27001 audits.
Tools & Technologies
Vuln Dashboards
Real-time vulnerability posture visualization
SOC 2 / ISO 27001
Automated compliance evidence collection
IR Playbooks
Documented incident response procedures
Security KPIs
MTTR, coverage, SLA adherence tracking
Key Metrics
Example Output
▶ Security Posture — February 2026 ┌─────────────────────────────────────┐ │ Vulnerability Summary │ ├───────────┬─────┬───────┬──────────┤ │ Severity │ Open│ Fixed │ MTTR │ ├───────────┼─────┼───────┼──────────┤ │ Critical │ 0 │ 12 │ 3.2 hrs │ │ High │ 3 │ 89 │ 18 hrs │ │ Medium │ 14 │ 247 │ 4.2 days │ │ Low │ 31 │ 580 │ 12 days │ └───────────┴─────┴───────┴──────────┘ Compliance: SOC 2 Type II — PASSED Next audit: ISO 27001 — March 2026
Claude's Role
Generates executive reports and identifies cross-stage trends
- Board-ready security posture reports in plain language
- Cross-stage trend analysis — spots systemic weaknesses
- Compliance gap detection across SOC 2, ISO 27001, NIST
- SLA breach prediction based on current remediation velocity
> Generate executive security summary for February Claude: Security posture improved 12% MoM. Critical MTTR: 3.2h (target: <4h) ✓ Trend: 60% of high findings originate in Build stage → Recommend: additional SAST rules for Go services Compliance: SOC 2 Type II — all controls passing
AI-Orchestrated DevSecOps
Claude orchestrates all 8 stages — triaging findings, correlating signals, generating fixes, and writing reports. This is what a mature, AI-driven security pipeline looks like.