DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement
Claude Security Update: Scans, Webhooks, 6 Partners


Claude Security left its launch behind with scheduled scans, directory targeting, and CSV or Markdown exports.
Slack and Jira webhooks plus dismissals that stick turn a one-off scan into a weekly review loop.
Six security platforms now build on Opus 4.7, from CrowdStrike and Wiz to Microsoft Security.
It stays Enterprise-only in beta, so here is what a solo studio runs in its place today.

When Claude Security reached public beta about a month ago, it was a sharp scanner wrapped around a thin workflow. You pointed it at a repository, it reasoned through the code the way a security researcher would, and it handed back findings with suggested patches. Useful, but hard to live with day to day. The version sitting in the Claude.ai sidebar this week is a different animal. Scheduled scans, webhooks into Slack and Jira, directory-level targeting, and six security platforms now wiring the same Opus 4.7 model into their own tools.

From Launch to Workflow: What Actually Shipped

At launch the pitch was simple. Scan a repo, explain the vulnerability in plain language instead of a raw CVE dump, propose a fix, and leave the decision to a human. The public-beta launch a month ago covered that first version. The gap was everything around the scan.

This week that gap is mostly filled. You can schedule scans on a cadence instead of running them by hand, which matters because security debt accrues quietly between releases. You can target a single directory inside a large monorepo rather than waiting on the whole tree, so a focused review of the payments module finishes in minutes instead of an hour. You can export findings as CSV or Markdown and drop them straight into an existing tracker or an audit trail. And you can dismiss a finding with a documented reason, with that dismissal persisting across future runs so you are not re-triaging the same false positive every week.

Underneath all of it is a multi-stage validation pipeline. Each finding is checked before it ever reaches you, and every one carries a confidence rating. That validation step is the part that decides whether a scanner is worth keeping, because a tool that cries wolf gets muted within a week. The model reads imports, follows data flow, and reasons about whether a flagged pattern is actually reachable, which is the kind of judgment a regex-based scanner cannot make. You reach the whole thing from the Claude.ai sidebar or at claude.ai/security, with no API integration and no custom agent to build.

In practice the findings cluster around the same few classes: injection through unsanitised input, broken authorization checks, secrets committed by accident, server-side request forgery, and unsafe deserialization. The directory targeting is what makes that tractable on a real codebase. Instead of scanning a 200,000-line monorepo and drowning in a single report, you can scope a run to the service you just changed, review it, and move on. A scoped scan that finishes while you are still in the context of the change is a scan you will actually read.

The Webhook and Dismissal Loop

Two features do the real work of turning a scanner into a habit: webhooks and persistent dismissals.

Webhooks push results into Slack, Jira, or anything that accepts a hook. A scan becomes a ticket without a single copy-paste, and the finding lands where the team already works instead of in a dashboard nobody opens. Persistent dismissals mean a finding you reviewed and rejected stays gone instead of resurfacing on the next pass, which is the single biggest source of fatigue with older tools.

Put them together and you get a loop. Scan on a schedule, surface only the new findings, route them to wherever your team lives, dismiss the noise with a reason, and let the next scan respect that choice. That loop is the entire difference between a tool you run once for a screenshot and one you run every Friday.

It is also where the contrast with the rule-based generation shows. Snyk, Dependabot, and GitGuardian are good at matching known signatures and flagging dependencies with published advisories. They are far less good at explaining why a specific code path in your own logic is exploitable, and they tend to bury the signal under a wall of severity badges. Confidence ratings plus dismissals let you set a noise floor, so only the findings worth a human minute get through. The promise is fewer alerts, each one carrying more context.

Six Platforms Now Run on Opus 4.7

The bigger move is who is building on it. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI, and Wiz are embedding Opus 4.7 into their own security products. On the services side, Accenture, BCG, Deloitte, Infosys, and PwC are deploying Claude-integrated security work for their clients. Anthropic also opened a Cyber Verification Program for organisations doing high-risk cybersecurity work who need access to safeguarded capabilities.

Last week added the governance half. The Compliance API, announced on May 21, exposes Claude Enterprise and Platform activity (prompts, responses, uploaded files, logs, and admin actions) to external security and governance tools. That is the unglamorous piece a security team needs before it will let any model near production code, because without an audit surface the model is a black box the compliance officer cannot sign off on.

The partner news matters even if you never touch the Enterprise product directly. When Wiz or CrowdStrike wires Opus 4.7 into a scanner you already run, the model’s reasoning reaches your pipeline through a tool you have already paid for and trust. That is the quieter distribution story. Not everyone signs up for Claude Security, but a lot of teams will end up running it without ever leaving the dashboard they know.

Read together, this is Anthropic positioning Claude as a layer that security vendors build on, not just a standalone scanner racing the incumbents. It rhymes with Anthropic’s wider cybersecurity bet, where the model is the engine and other companies ship the product on top of it.

What a Solo Studio Can Actually Use Today

Here is the honest part. Claude Security is an Enterprise public beta. Team and Max access is listed as coming soon, and there is no Pro tier in the announcement. As a one-person studio I cannot point it at my repositories yet, and I am not going to pretend otherwise.

So this is what I actually use in its place. Claude Code ships a built-in security review you run with the /security-review command, which makes an on-demand pass over a diff and flags issues before they land. There is also a Claude Code security action for GitHub that reviews pull requests automatically and leaves findings as inline comments on the PR. Both run for individual developers right now, both reason about code the same way the Enterprise product does, and both keep a human approving every patch.

My setup is small. The GitHub action runs on every pull request to main and comments anything it finds, so review happens before merge without me remembering to trigger it. When I am touching auth, payments, or anything that handles a token, I run the review command locally first and read the reasoning, not just the verdict. It catches the boring but dangerous things: a secret about to be committed, an unescaped query, a missing check on a webhook signature. Last month it stopped me from shipping a webhook endpoint that trusted its payload without verifying the signature header, the kind of mistake that reads as fine in review and bites in production. The reasoning, not just the flag, is what made me fix it properly instead of papering over it.

It is worth being clear about what this does not replace. It reasons about your own code, so it complements rather than supplants dependency scanning for known advisories, secret rotation, and the rest of a real security posture. Treat it as a very good reviewer, not a finished program. It is not the scheduled, webhook-routed, dismissal-tracking product either. It is the same instinct at solo scale, and the habits carry straight over if Team access lands the way it is promised.

Bottom Line

Claude Security went from a demo to a workflow in about a month. The scanner was never the hard part. Scheduled runs, dismissals that stick, and webhooks that file the ticket are what make a security tool something you keep instead of something you screenshot once. The model underneath is now shared by six security platforms and a governance API, which says more about the strategy than any single feature does.

For now it sits behind the Enterprise tier, so solo builders get the same engine through Claude Code review instead. Wire the GitHub action into your pull requests, run the review command before you touch anything sensitive, and watch the Team and Max rollout. Read the rest of the Claude coverage in the Lab while you wait.



Source link

We Asked 10 LLMs to Write Efficient Code. Only 4 Got Better.



By Vilius Vystartas | May 2026

Every LLM can write code that works. The question is: can they write code that’s efficient — and does telling them to be efficient actually help?

I tested 10 models on 10 coding tasks, each in two phases: unprompted (the model writes its own code) and prompted (explicitly told to write clean, DRY, efficient code). That’s 200 API calls, $0.56 total. The results are… not what most prompt engineers would predict.

GPT-5.4 was the only model where prompting gave a substantial boost (+0.20). For most models, the “write efficient code” prompt was meaningless or actively harmful.

How the Metric Works

Each task has a known optimal token budget — the minimum tokens needed to produce correct, DRY code for that task (e.g., 70 tokens for 10 styled buttons using CSS classes vs 340 tokens for 10 separate button blocks). The efficiency score is optimal_tokens / actual_tokens, capped at 1.0.

A score of 0.63 means the model used about 1.6x the optimal — not bad. A score of 0.43 means it used about 2.3x the optimal. The gap between unprompted and prompted tells you whether the “write efficient code” instruction actually changes behaviour.

The Leaderboard (Sorted by Prompted Efficiency)

#
Model
Unprompted
Prompted
Δ
Frugal
Cost
Correctness

🥇
GPT-5.4
0.43
0.63
+0.20
30%
$0.096
78% → 85%

🥈
Qwen 3.6 Plus
0.44
0.60
+0.17
40%
$0.158
78% → 87%

🥉
Gemma 4 31B
0.54
0.58
+0.04
50%
$0.003
92% both

4
DeepSeek Chat
0.51
0.55
+0.04
30%
$0.006
91% → 80%

5
Claude Sonnet 4
0.47
0.52
+0.04
40%
$0.121
92% both

6
LFM 2 24B A2B
0.54
0.47
-0.06
30%
$0.001
90% → 80%

7
Mistral Large 2411
0.54
0.46
-0.08
40%
$0.050
90% → 82%

8
Gemini 2.5 Flash
0.47
0.46
-0.01
50%
$0.020
92% → 90%

9
Cohere Command A
0.60
0.44
-0.17
40%
$0.071
90% → 82%

10
Kimi K2.6
0.34
0.43
+0.09
30%
$0.029
76% → 86%

What Stands Out

GPT-5.4 Is the Prompt Whisperer

GPT-5.4 improved on 7 of 10 tasks when prompted for efficiency. The biggest wins were config-generation (+0.81 — went from 12 inline JSON blocks to a template loop), html-from-data (+0.71), and magic-strings (+0.38 — switched to an Enum). It’s the only model in the batch where the “write efficient code” instruction consistently produces different (and better) output.

The cost is notable — $0.10 for 20 tasks is mid-range, not cheap, not expensive. But the efficiency gain is real.

Gemma 4 31B: The Quiet Winner

Half of Gemma 4’s tasks were already “frugal” — naturally efficient without being told. It scored 92% correctness on both phases at just $0.003 total. That’s a 40x cost advantage over GPT-5.4 with higher correctness and competitive efficiency. For high-volume production where you want concise, correct code, Gemma 4 31B is the value pick of this batch.

Cohere Command A: Prompting Backfires

Cohere Command A had the highest unprompted efficiency in the batch (0.60) — it naturally writes concise code. But when told “write efficient code,” it ballooned output on several tasks. html-from-data went from a tight 45-token solution to a 600+-token monstrosity (-0.92 gap). The prompt made it overthink.

Lesson: if a model is already efficient, don’t prompt it to be more efficient.

Qwen 3.6 Plus: Second Place, Slowest

Qwen 3.6 Plus scored second in prompted efficiency (+0.17 improvement) but took 26 minutes for 20 tasks — by far the slowest model. The efficiency gain is real (especially on html-from-data where it went from hardcoded rows to a map/join pattern), but you’re waiting for it. Batch workloads only.

The Kimi Surprise

Kimi K2.6 had the lowest unprompted efficiency (0.34 — verbose, boilerplate-heavy code) but improved the most at the bottom end (+0.09). Still last place, but the prompt actually helped it compress — which is the opposite of the Cohere effect. Some models need the nudge.

Frugality: What Does It Mean?

“Frugal” means the model naturally produced code at or near the optimal token count without being asked. Gemma 4 31B and Gemini 2.5 Flash led at 50% — half their tasks were already efficient. GPT-5.4, DeepSeek Chat, and Kimi K2.6 were only 30% frugal — they needed the prompt to tighten up.

The Bigger Picture

Group
Models
Behaviour

Prompt-responsive
GPT-5.4, Qwen 3.6 Plus
Efficiency improves substantially with prompting

Prompt-neutral
Gemma 4 31B, DeepSeek Chat, Claude Sonnet 4, Gemini 2.5 Flash, Kimi K2.6
Prompt has little effect (±0.04)

Prompt-antagonistic
LFM 2 24B A2B, Mistral Large 2411, Cohere Command A
Efficiency drops when prompted

The prompt-antagonistic group is the most interesting. These models know how to write efficient code (0.54-0.60 unprompted), but the explicit instruction triggers over-engineering — they add abstractions, comments, error handling, and other bloat that makes the output less efficient by the metric.

If the prompt says “write efficient code” and the model responds by writing more tokens, something in the training signal is misaligned.

My Picks

Best prompted efficiency: GPT-5.4 — 0.63, $0.10 for 20 tasks. The only model where prompting reliably improves output.

Best value overall: Gemma 4 31B — 0.58 prompted, 92% correctness, $0.003. Absurd price/performance.

Best natural efficiency: Cohere Command A — 0.60 unprompted. Don’t prompt it, just let it work.

Most consistent: Claude Sonnet 4 — 92% correctness on both phases, small +0.04 efficiency gain. Reliable.

Skip if you’re in a hurry: Qwen 3.6 Plus — 26 minutes for 20 tasks. Great efficiency gains, terrible latency.

Watch list: Kimi K2.6 — low base efficiency but the prompt actually helps. Worth retesting with a better prompt.

Methodology

Ten real-world coding tasks across CSS, JavaScript, Python, SQL, and bash — each with a known optimal token budget for a correct, DRY solution. Tasks included: styling 10 buttons (CSS), rendering 20 data rows as HTML (JS/HTML), bulk renaming (shell), form validation (Python), parametrized tests (Python), unit conversion (Python), SQL reporting queries, config generation (JSON), magic string replacement (Python/Enum), and middleware decorator pattern (Python/Flask).

Each model ran 10 tasks unprompted, then the same 10 tasks with an efficiency prompt appended. Scoring: efficiency_ratio = optimal_tokens / actual_tokens (capped at 1.0). Correctness scored against expected output patterns.

Total cost: $0.56 for 200 API calls (10 models × 10 tasks × 2 phases). Temperature: 0.1. Max tokens: 600.

Full results: benchmarks.workswithagents.dev



Source link

Espressif Reveals CoreBoard and Korvo Dev Kits for ESP32-S31



Espressif just pulled the wraps off two fresh development kits aimed at one of its most ambitious chips yet: the dual-core RISC-V ESP32-S31. If you’ve been waiting for a board that blends heavy IoT muscle with edge AI capability, this pair is worth a long look.
What’s the big deal with the ESP32-S31?
The new chip pairs two RISC-V cores in a heterogeneous setup. One runs up to 320 MHz for performance-hungry workloads, while the other sips power for everyday microcontroller chores. Espressif is pitching it at advanced IoT, machine learning inference, computer vision, and smart audio — all from a single chip with 60 GPIOs to spare.
On the radio side you get Wi-Fi 6 on 2.4 GHz, Bluetooth 5.4 Classic and Low Energy, plus an 802.15.4 radio with Thread and Zigbee. There’s even an integrated gigabit Ethernet MAC, which is rare for an ESP32. RAM-wise, you’re looking at 512 KB of on-chip SRAM and an eight-bit 250 MHz DDR bus for external PSRAM. One core also packs a 128-bit data path with SIMD for parallel number crunching.
CoreBoard vs. Korvo: pick your flavour
The ESP32-S31-Function-CoreBoard-1 is the workhorse. It carries 16 MB of PSRAM, a choice of 8, 16, or 32 MB of flash, an on-board microphone, a mono audio codec with amplified speaker output, wired Ethernet, USB 2.0 High Speed Type-A and Full Speed Type-C ports, a 40-pin GPIO header, a built-in current measurement header, and a user-addressable RGB LED. Ideal if you want to prototype anything from sensor hubs to networked controllers.
The ESP32-S31-Korvo-1 trades Ethernet for human-machine interface (HMI) gear. The same module — this time with 16 MB of flash — is wired to an Omnivision OV3660 camera, a 4.3-inch 800×480 LCD, two independent speaker outputs, two analog microphones, four user buttons, an RGB LED, a microSD slot, and USB Type-A and Type-C. It’s basically a ready-made smart display reference design.
Build it yourself
Want to hack on one of these straight away? You’ll need the ESP32-S31 module itself, and depending on which board you’re cloning: an Omnivision OV3660 camera module, a 4.3-inch 800×480 LCD panel, analog microphones, a mono audio codec and speaker driver, a microSD card slot, and USB Type-A plus Type-C ports. Pricing and general availability haven’t been confirmed yet, but Espressif’s documentation pages for the CoreBoard and Korvo are already live.

Originally published on blog.circuit.rocks.



Source link