DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement
Claude Security Update: Scans, Webhooks, 6 Partners


Claude Security left its launch behind with scheduled scans, directory targeting, and CSV or Markdown exports.
Slack and Jira webhooks plus dismissals that stick turn a one-off scan into a weekly review loop.
Six security platforms now build on Opus 4.7, from CrowdStrike and Wiz to Microsoft Security.
It stays Enterprise-only in beta, so here is what a solo studio runs in its place today.

When Claude Security reached public beta about a month ago, it was a sharp scanner wrapped around a thin workflow. You pointed it at a repository, it reasoned through the code the way a security researcher would, and it handed back findings with suggested patches. Useful, but hard to live with day to day. The version sitting in the Claude.ai sidebar this week is a different animal. Scheduled scans, webhooks into Slack and Jira, directory-level targeting, and six security platforms now wiring the same Opus 4.7 model into their own tools.

From Launch to Workflow: What Actually Shipped

At launch the pitch was simple. Scan a repo, explain the vulnerability in plain language instead of a raw CVE dump, propose a fix, and leave the decision to a human. The public-beta launch a month ago covered that first version. The gap was everything around the scan.

This week that gap is mostly filled. You can schedule scans on a cadence instead of running them by hand, which matters because security debt accrues quietly between releases. You can target a single directory inside a large monorepo rather than waiting on the whole tree, so a focused review of the payments module finishes in minutes instead of an hour. You can export findings as CSV or Markdown and drop them straight into an existing tracker or an audit trail. And you can dismiss a finding with a documented reason, with that dismissal persisting across future runs so you are not re-triaging the same false positive every week.

Underneath all of it is a multi-stage validation pipeline. Each finding is checked before it ever reaches you, and every one carries a confidence rating. That validation step is the part that decides whether a scanner is worth keeping, because a tool that cries wolf gets muted within a week. The model reads imports, follows data flow, and reasons about whether a flagged pattern is actually reachable, which is the kind of judgment a regex-based scanner cannot make. You reach the whole thing from the Claude.ai sidebar or at claude.ai/security, with no API integration and no custom agent to build.

In practice the findings cluster around the same few classes: injection through unsanitised input, broken authorization checks, secrets committed by accident, server-side request forgery, and unsafe deserialization. The directory targeting is what makes that tractable on a real codebase. Instead of scanning a 200,000-line monorepo and drowning in a single report, you can scope a run to the service you just changed, review it, and move on. A scoped scan that finishes while you are still in the context of the change is a scan you will actually read.

The Webhook and Dismissal Loop

Two features do the real work of turning a scanner into a habit: webhooks and persistent dismissals.

Webhooks push results into Slack, Jira, or anything that accepts a hook. A scan becomes a ticket without a single copy-paste, and the finding lands where the team already works instead of in a dashboard nobody opens. Persistent dismissals mean a finding you reviewed and rejected stays gone instead of resurfacing on the next pass, which is the single biggest source of fatigue with older tools.

Put them together and you get a loop. Scan on a schedule, surface only the new findings, route them to wherever your team lives, dismiss the noise with a reason, and let the next scan respect that choice. That loop is the entire difference between a tool you run once for a screenshot and one you run every Friday.

It is also where the contrast with the rule-based generation shows. Snyk, Dependabot, and GitGuardian are good at matching known signatures and flagging dependencies with published advisories. They are far less good at explaining why a specific code path in your own logic is exploitable, and they tend to bury the signal under a wall of severity badges. Confidence ratings plus dismissals let you set a noise floor, so only the findings worth a human minute get through. The promise is fewer alerts, each one carrying more context.

Six Platforms Now Run on Opus 4.7

The bigger move is who is building on it. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI, and Wiz are embedding Opus 4.7 into their own security products. On the services side, Accenture, BCG, Deloitte, Infosys, and PwC are deploying Claude-integrated security work for their clients. Anthropic also opened a Cyber Verification Program for organisations doing high-risk cybersecurity work who need access to safeguarded capabilities.

Last week added the governance half. The Compliance API, announced on May 21, exposes Claude Enterprise and Platform activity (prompts, responses, uploaded files, logs, and admin actions) to external security and governance tools. That is the unglamorous piece a security team needs before it will let any model near production code, because without an audit surface the model is a black box the compliance officer cannot sign off on.

The partner news matters even if you never touch the Enterprise product directly. When Wiz or CrowdStrike wires Opus 4.7 into a scanner you already run, the model’s reasoning reaches your pipeline through a tool you have already paid for and trust. That is the quieter distribution story. Not everyone signs up for Claude Security, but a lot of teams will end up running it without ever leaving the dashboard they know.

Read together, this is Anthropic positioning Claude as a layer that security vendors build on, not just a standalone scanner racing the incumbents. It rhymes with Anthropic’s wider cybersecurity bet, where the model is the engine and other companies ship the product on top of it.

What a Solo Studio Can Actually Use Today

Here is the honest part. Claude Security is an Enterprise public beta. Team and Max access is listed as coming soon, and there is no Pro tier in the announcement. As a one-person studio I cannot point it at my repositories yet, and I am not going to pretend otherwise.

So this is what I actually use in its place. Claude Code ships a built-in security review you run with the /security-review command, which makes an on-demand pass over a diff and flags issues before they land. There is also a Claude Code security action for GitHub that reviews pull requests automatically and leaves findings as inline comments on the PR. Both run for individual developers right now, both reason about code the same way the Enterprise product does, and both keep a human approving every patch.

My setup is small. The GitHub action runs on every pull request to main and comments anything it finds, so review happens before merge without me remembering to trigger it. When I am touching auth, payments, or anything that handles a token, I run the review command locally first and read the reasoning, not just the verdict. It catches the boring but dangerous things: a secret about to be committed, an unescaped query, a missing check on a webhook signature. Last month it stopped me from shipping a webhook endpoint that trusted its payload without verifying the signature header, the kind of mistake that reads as fine in review and bites in production. The reasoning, not just the flag, is what made me fix it properly instead of papering over it.

It is worth being clear about what this does not replace. It reasons about your own code, so it complements rather than supplants dependency scanning for known advisories, secret rotation, and the rest of a real security posture. Treat it as a very good reviewer, not a finished program. It is not the scheduled, webhook-routed, dismissal-tracking product either. It is the same instinct at solo scale, and the habits carry straight over if Team access lands the way it is promised.

Bottom Line

Claude Security went from a demo to a workflow in about a month. The scanner was never the hard part. Scheduled runs, dismissals that stick, and webhooks that file the ticket are what make a security tool something you keep instead of something you screenshot once. The model underneath is now shared by six security platforms and a governance API, which says more about the strategy than any single feature does.

For now it sits behind the Enterprise tier, so solo builders get the same engine through Claude Code review instead. Wire the GitHub action into your pull requests, run the review command before you touch anything sensitive, and watch the Team and Max rollout. Read the rest of the Claude coverage in the Lab while you wait.



Source link

We Asked 10 LLMs to Write Efficient Code. Only 4 Got Better.



By Vilius Vystartas | May 2026

Every LLM can write code that works. The question is: can they write code that’s efficient — and does telling them to be efficient actually help?

I tested 10 models on 10 coding tasks, each in two phases: unprompted (the model writes its own code) and prompted (explicitly told to write clean, DRY, efficient code). That’s 200 API calls, $0.56 total. The results are… not what most prompt engineers would predict.

GPT-5.4 was the only model where prompting gave a substantial boost (+0.20). For most models, the “write efficient code” prompt was meaningless or actively harmful.

How the Metric Works

Each task has a known optimal token budget — the minimum tokens needed to produce correct, DRY code for that task (e.g., 70 tokens for 10 styled buttons using CSS classes vs 340 tokens for 10 separate button blocks). The efficiency score is optimal_tokens / actual_tokens, capped at 1.0.

A score of 0.63 means the model used about 1.6x the optimal — not bad. A score of 0.43 means it used about 2.3x the optimal. The gap between unprompted and prompted tells you whether the “write efficient code” instruction actually changes behaviour.

The Leaderboard (Sorted by Prompted Efficiency)

#
Model
Unprompted
Prompted
Δ
Frugal
Cost
Correctness

🥇
GPT-5.4
0.43
0.63
+0.20
30%
$0.096
78% → 85%

🥈
Qwen 3.6 Plus
0.44
0.60
+0.17
40%
$0.158
78% → 87%

🥉
Gemma 4 31B
0.54
0.58
+0.04
50%
$0.003
92% both

4
DeepSeek Chat
0.51
0.55
+0.04
30%
$0.006
91% → 80%

5
Claude Sonnet 4
0.47
0.52
+0.04
40%
$0.121
92% both

6
LFM 2 24B A2B
0.54
0.47
-0.06
30%
$0.001
90% → 80%

7
Mistral Large 2411
0.54
0.46
-0.08
40%
$0.050
90% → 82%

8
Gemini 2.5 Flash
0.47
0.46
-0.01
50%
$0.020
92% → 90%

9
Cohere Command A
0.60
0.44
-0.17
40%
$0.071
90% → 82%

10
Kimi K2.6
0.34
0.43
+0.09
30%
$0.029
76% → 86%

What Stands Out

GPT-5.4 Is the Prompt Whisperer

GPT-5.4 improved on 7 of 10 tasks when prompted for efficiency. The biggest wins were config-generation (+0.81 — went from 12 inline JSON blocks to a template loop), html-from-data (+0.71), and magic-strings (+0.38 — switched to an Enum). It’s the only model in the batch where the “write efficient code” instruction consistently produces different (and better) output.

The cost is notable — $0.10 for 20 tasks is mid-range, not cheap, not expensive. But the efficiency gain is real.

Gemma 4 31B: The Quiet Winner

Half of Gemma 4’s tasks were already “frugal” — naturally efficient without being told. It scored 92% correctness on both phases at just $0.003 total. That’s a 40x cost advantage over GPT-5.4 with higher correctness and competitive efficiency. For high-volume production where you want concise, correct code, Gemma 4 31B is the value pick of this batch.

Cohere Command A: Prompting Backfires

Cohere Command A had the highest unprompted efficiency in the batch (0.60) — it naturally writes concise code. But when told “write efficient code,” it ballooned output on several tasks. html-from-data went from a tight 45-token solution to a 600+-token monstrosity (-0.92 gap). The prompt made it overthink.

Lesson: if a model is already efficient, don’t prompt it to be more efficient.

Qwen 3.6 Plus: Second Place, Slowest

Qwen 3.6 Plus scored second in prompted efficiency (+0.17 improvement) but took 26 minutes for 20 tasks — by far the slowest model. The efficiency gain is real (especially on html-from-data where it went from hardcoded rows to a map/join pattern), but you’re waiting for it. Batch workloads only.

The Kimi Surprise

Kimi K2.6 had the lowest unprompted efficiency (0.34 — verbose, boilerplate-heavy code) but improved the most at the bottom end (+0.09). Still last place, but the prompt actually helped it compress — which is the opposite of the Cohere effect. Some models need the nudge.

Frugality: What Does It Mean?

“Frugal” means the model naturally produced code at or near the optimal token count without being asked. Gemma 4 31B and Gemini 2.5 Flash led at 50% — half their tasks were already efficient. GPT-5.4, DeepSeek Chat, and Kimi K2.6 were only 30% frugal — they needed the prompt to tighten up.

The Bigger Picture

Group
Models
Behaviour

Prompt-responsive
GPT-5.4, Qwen 3.6 Plus
Efficiency improves substantially with prompting

Prompt-neutral
Gemma 4 31B, DeepSeek Chat, Claude Sonnet 4, Gemini 2.5 Flash, Kimi K2.6
Prompt has little effect (±0.04)

Prompt-antagonistic
LFM 2 24B A2B, Mistral Large 2411, Cohere Command A
Efficiency drops when prompted

The prompt-antagonistic group is the most interesting. These models know how to write efficient code (0.54-0.60 unprompted), but the explicit instruction triggers over-engineering — they add abstractions, comments, error handling, and other bloat that makes the output less efficient by the metric.

If the prompt says “write efficient code” and the model responds by writing more tokens, something in the training signal is misaligned.

My Picks

Best prompted efficiency: GPT-5.4 — 0.63, $0.10 for 20 tasks. The only model where prompting reliably improves output.

Best value overall: Gemma 4 31B — 0.58 prompted, 92% correctness, $0.003. Absurd price/performance.

Best natural efficiency: Cohere Command A — 0.60 unprompted. Don’t prompt it, just let it work.

Most consistent: Claude Sonnet 4 — 92% correctness on both phases, small +0.04 efficiency gain. Reliable.

Skip if you’re in a hurry: Qwen 3.6 Plus — 26 minutes for 20 tasks. Great efficiency gains, terrible latency.

Watch list: Kimi K2.6 — low base efficiency but the prompt actually helps. Worth retesting with a better prompt.

Methodology

Ten real-world coding tasks across CSS, JavaScript, Python, SQL, and bash — each with a known optimal token budget for a correct, DRY solution. Tasks included: styling 10 buttons (CSS), rendering 20 data rows as HTML (JS/HTML), bulk renaming (shell), form validation (Python), parametrized tests (Python), unit conversion (Python), SQL reporting queries, config generation (JSON), magic string replacement (Python/Enum), and middleware decorator pattern (Python/Flask).

Each model ran 10 tasks unprompted, then the same 10 tasks with an efficiency prompt appended. Scoring: efficiency_ratio = optimal_tokens / actual_tokens (capped at 1.0). Correctness scored against expected output patterns.

Total cost: $0.56 for 200 API calls (10 models × 10 tasks × 2 phases). Temperature: 0.1. Max tokens: 600.

Full results: benchmarks.workswithagents.dev



Source link

Building a Terminal AI Agent (v9)


Building AI agents that operate directly in the terminal offers huge productivity gains for developers. In this guide, we will provide hands-on, hands-on instructions on how to build a custom CLI AI agent based on a local LLM. 1. Analysis of CLI AI Agent Ecosystem Currently, there are several solutions in the CLI AI agent market: Key tools: Aider: GitHub Copilot-based, real-time code modification function Continue.dev: VSCode-based, handle complex tasks OpenCode: Open source, simple coding help Custom Scripts: Customize with your own script Current problems: Most tools rely on cloud API Poor performance when running locally Lack of complex tooling features Cost issues 2. Setting up local LLM API endpoint locally To run LLM, follow these steps: 1. Install LM Studio: # macOS brew install lm-studio # or download directly wget https://github.com/lmstudio-ai/LMStudio/releases/latest/download/LMStudio-MacOS.dmg Enter fullscreen mode Exit fullscreen mode 2. Run local model: # Download model and run lm-studio –model “Nous-Hermes-2-Mistral-7B-DPO.Q4_K_M.gguf” Enter fullscreen mode Exit fullscreen mode 3. API server settings: # Install Ollama curl -fsSL https://ollama.com/install.sh | sh # Download model ollama pull mistral # Run API server ollama serve Enter fullscreen mode Exit fullscreen mode 3. Building a simple Python CLI agent Now let’s create a basic CLI agent: # ai_agent.py import os import json import subprocess from typing import Dict, List, Any import openai class TerminalAIAgent: def __init__(self, model=”ollama/mistral”): self.model = model self.client = openai.OpenAI( base_url=”http://localhost:11434/v1″, api_key=”ollama” ) self.conversation_history = () def run_command(self, command: str) -> str: “””Execute the command and return the result””” try: result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=30 ) return result.stdout + result.stderr except Exception as e: return f”Error: {str(e)}” def get_context(self) -> str: “””Collect current working directory information””” pwd = os.getcwd() files = os.listdir(pwd) return f”Working directory: {pwd}\nFiles: {‘, ‘.join(files(:10))}” def chat(self, user_input: str) -> str: “””Conversation with AI””” self.conversation_history.append({ “role”: “user”, “content”: user_input }) # System prompt system_prompt = “”” You are a helpful AI assistant that helps developers with coding tasks. Your responses should be concise and actionable. You can execute shell commands and modify files. “”” messages = ( {“role”: “system”, “content”: system_prompt}, {“role”: “user”, “content”: f”Context: {self.get_context()}”}, ) + self.conversation_history response = self.client.chat.completions.create( model=self.model, messages=messages, temperature=0.3 ) ai_response = response.choices(0).message.content self.conversation_history.append({ “role”: “assistant”, “content”: ai_response }) return ai_response # Usage if __name__ == “__main__”: agent = TerminalAIAgent() print(“Start AI Agent (type ‘exit’ to exit)”) while True: user_input = input(“\n> “) if user_input.lower() == ‘exit’: break response = agent.chat(user_input) print(response) Enter fullscreen mode Exit fullscreen mode 4. Integrate with tmux Integrate with terminal multiplexers to improve workflow: # Create a tmux session tmux new-session -d -s ai_agent # Run the agent within a session tmux send-keys -t ai_agent “python ai_agent.py” Enter Enter fullscreen mode Exit fullscreen mode tmux script: # tmux_ai.sh #!/bin/bash SESSION=”ai_agent” # Check whether session exists if ! tmux has-session -t $SESSION 2>/dev/null; then tmux new-session -d -s $SESSION tmux send-keys -t $SESSION “python ai_agent.py” Enter fi tmux attach -t $SESSION Enter fullscreen mode Exit fullscreen mode 5. Custom tool development Code search tool: # tools/code_search.py import os import re from typing import List, Dict class CodeSearchTool: def __init__(self, root_dir: str = “.”): self.root_dir = root_dir def search_in_files(self, pattern: str, file_extensions: List(str) = None) -> List(Dict): “””Search for a pattern within a file””” results = () if file_extensions is None: file_extensions = (‘.py’, ‘.js’, ‘.ts’, ‘.java’, ‘.cpp’) for root, dirs, files in os.walk(self.root_dir): for file in files: if any(file.endswith(ext) for ext in file_extensions): file_path = os.path.join(root, file) try: with open(file_path, ‘r’, encoding=’utf-8′) as f: content = f.read() matches = re.finditer(pattern, content) for match in matches: results.append({ ‘file’: file_path, ‘line’: content(:match.start()).count(‘\n’) + 1, ‘context’: self.get_context(content, match.start()) }) except Exception: continue return results def get_context(self, content: str, position: int, context_lines: int = 3) -> str: “””Context Extraction””” lines = content.split(‘\n’) line_num = content(:position).count(‘\n’) start = max(0, line_num – context_lines) end = min(len(lines), line_num + context_lines + 1) return ‘\n’.join(lines(start:end)) # Usage example search_tool = CodeSearchTool() results = search_tool.search_in_files(r”def\s+(\w+)\s*\(“) print(json.dumps(results, indent=2)) Enter fullscreen mode Exit fullscreen mode Git tools: # tools/git_tool.py import subprocess import json from typing import Dict, List class GitTool: def get_status(self) -> Dict: “””Check Git status””” try: result = subprocess.run((‘git’, ‘status’, ‘–porcelain’), capture_output=True, text=True) return { ‘status’: result.stdout.strip(), ‘has_changes’: bool(result.stdout.strip()) } except Exception as e: return {‘error’: str(e)} def get_branch_info(self) -> Dict: “””Branch information””” try: branch = subprocess.run((‘git’, ‘branch’, ‘–show-current’), capture_output=True, text=True).stdout.strip() return {‘branch’: branch} except Exception as e: return {‘error’: str(e)} def commit_changes(self, message: str) -> Dict: “””Commit changes””” try: subprocess.run((‘git’, ‘add’, ‘.’), capture_output=True) result = subprocess.run((‘git’, ‘commit’, ‘-m’, message), capture_output=True, text=True) return { ‘success’: True, ‘output’: result.stdout, ‘error’: result.stderr } except Exception as e: return {‘success’: False, ‘error’: str(e)} # Usage example git_tool = GitTool() status = git_tool.get_status() print(json.dumps(status, indent=2)) Enter fullscreen mode Exit fullscreen mode 6. Context window management Context management for handling large code bases: python # context_manager.py import os import hashlib from typing import List, Dict, Set class ContextManager: def __init__(self, max_tokens: int = 8000): self.max_tokens = max_tokens self.token_cache = {} def calculate_tokens(self, text: str) — 📥 **Get the full guide on Gumroad**: https://gumroad.com/l/auto ($5) Enter fullscreen mode Exit fullscreen mode



Source link