DAILY NEWS

Claude Security Update: Scans, Webhooks, 6 Partners


Claude Security has moved past its launch build, with scheduled scans, directory targeting, and CSV or Markdown exports.
Slack and Jira webhooks plus dismissals that stick turn a one-off scan into a weekly review loop.
Six security platforms now build on Opus 4.7, from CrowdStrike and Wiz to Microsoft Security.
It stays Enterprise-only in beta, so here is what a solo studio runs in its place today.

When Claude Security reached public beta about a month ago, it was a sharp scanner wrapped around a thin workflow. You pointed it at a repository, it reasoned through the code the way a security researcher would, and it handed back findings with suggested patches. Useful, but hard to live with day to day. The version sitting in the Claude.ai sidebar this week is a different animal: scheduled scans, webhooks into Slack and Jira, directory-level targeting, and six security platforms now wiring the same Opus 4.7 model into their own tools.

From Launch to Workflow: What Actually Shipped

At launch the pitch was simple. Scan a repo, explain each vulnerability in plain language instead of dumping a raw list of rule hits, propose a fix, and leave the decision to a human. The public-beta launch a month ago covered that first version. The gap was everything around the scan.

This week that gap is mostly filled. You can schedule scans on a cadence instead of running them by hand, which matters because security debt accrues quietly between releases. You can target a single directory inside a large monorepo rather than waiting on the whole tree, so a focused review of the payments module finishes in minutes instead of an hour. You can export findings as CSV or Markdown and drop them straight into an existing tracker or an audit trail. And you can dismiss a finding with a documented reason, with that dismissal persisting across future runs so you are not re-triaging the same false positive every week.

Underneath all of it is a multi-stage validation pipeline. Each finding is checked before it ever reaches you, and every one carries a confidence rating. That validation step is the part that decides whether a scanner is worth keeping, because a tool that cries wolf gets muted within a week. The model reads imports, follows data flow, and reasons about whether a flagged pattern is actually reachable, which is the kind of judgment a regex-based scanner cannot make. The rating is still the model's own estimate, though, so treat a high score as a reason to look first rather than as proof that the path is exploitable. You reach the whole thing from the Claude.ai sidebar or at claude.ai/security, with no API integration and no custom agent to build.

In practice the findings cluster around the same few classes: injection through unsanitised input, broken authorization checks, secrets committed by accident, server-side request forgery, and unsafe deserialization. The directory targeting is what makes that tractable on a real codebase. Instead of scanning a 200,000-line monorepo and drowning in a single report, you can scope a run to the service you just changed, review it, and move on. A scoped scan that finishes while you are still in the context of the change is a scan you will actually read.

The Webhook and Dismissal Loop

Two features do the real work of turning a scanner into a habit: webhooks and persistent dismissals.

Webhooks push results into Slack, Jira, or anything that accepts a hook. A scan becomes a ticket without a single copy-paste, and the finding lands where the team already works instead of in a dashboard nobody opens. Persistent dismissals mean a finding you reviewed and rejected stays gone instead of resurfacing on the next pass, which is the single biggest source of fatigue with older tools.

Put them together and you get a loop. Scan on a schedule, surface only the new findings, route them to wherever your team lives, dismiss the noise with a reason, and let the next scan respect that choice. That loop is the entire difference between a tool you run once for a screenshot and one you run every Friday.
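
The loop above, as an added example that is not part of the original article or of Claude Security itself: a finding fingerprint that survives line drift, dismissals that persist with a documented reason, and a triage pass that leaves only new findings above a confidence floor for the webhook. The Finding shape, the rule names and both sample runs are assumptions constructed for the example.

```typescript
// Added example: one way to build the scan -> diff -> route -> dismiss loop.
// Illustrative code only; it is not Claude Security's implementation, and the
// Finding shape, rule names and sample runs below are constructed.
import { createHash } from "node:crypto";

export interface Finding {
  rule: string;       // scanner rule or vulnerability class, e.g. "sql-injection"
  path: string;       // file the finding lives in
  line: number;       // line number, which drifts as the file is edited
  snippet: string;    // the flagged source text
  confidence: number; // 0..1 as reported by the scanner
}

export interface Dismissal {
  fingerprint: string;
  reason: string; // the documented reason the next reviewer will read
  by: string;
  at: string;
}

// Fingerprint on rule + path + whitespace-normalised snippet and leave the line
// number out: an edit above the finding must not turn it back into a "new" one.
export function fingerprint(f: Finding): string {
  const snippet = f.snippet.replace(/\s+/g, " ").trim();
  return createHash("sha256").update(`${f.rule}\n${f.path}\n${snippet}`).digest("hex");
}

export interface Triage {
  toRoute: Finding[];     // new, above the noise floor, not dismissed: send the webhook
  alreadySeen: Finding[]; // present in the previous run, already in the tracker
  dismissed: Finding[];   // matched a persisted dismissal
  suppressed: Finding[];  // below the confidence floor
}

export function triage(
  current: Finding[],
  previous: Finding[],
  dismissals: Dismissal[],
  minConfidence: number,
): Triage {
  const dismissedFps = new Set(dismissals.map((d) => d.fingerprint));
  const seenFps = new Set(previous.map(fingerprint));
  const out: Triage = { toRoute: [], alreadySeen: [], dismissed: [], suppressed: [] };
  for (const f of current) {
    const fp = fingerprint(f);
    if (dismissedFps.has(fp)) out.dismissed.push(f); // a dismissal sticks whatever the score
    else if (f.confidence < minConfidence) out.suppressed.push(f);
    else if (seenFps.has(fp)) out.alreadySeen.push(f);
    else out.toRoute.push(f);
  }
  return out;
}

// A dismissal without a reason is not a dismissal, it is a mute button.
export function dismiss(f: Finding, reason: string, by: string): Dismissal {
  if (reason.trim() === "") throw new Error("a dismissal needs a documented reason");
  return { fingerprint: fingerprint(f), reason, by, at: new Date().toISOString() };
}

// Constructed sample runs, not real scanner output.
const injection = 'db.query("SELECT * FROM users WHERE id = " + id)';
export const lastWeek: Finding[] = [
  { rule: "sql-injection", path: "src/db/users.ts", line: 40, snippet: injection, confidence: 0.9 },
  { rule: "hardcoded-secret", path: "test/fixtures.ts", line: 3, snippet: 'const token = "not-a-real-token"', confidence: 0.7 },
];
export const thisWeek: Finding[] = [
  // same injection, two lines lower after an unrelated edit above it
  { rule: "sql-injection", path: "src/db/users.ts", line: 42, snippet: injection, confidence: 0.9 },
  { rule: "hardcoded-secret", path: "test/fixtures.ts", line: 3, snippet: 'const token = "not-a-real-token"', confidence: 0.7 },
  { rule: "ssrf", path: "src/proxy.ts", line: 12, snippet: "fetch(req.query.url)", confidence: 0.85 },
  { rule: "ssrf", path: "src/health.ts", line: 8, snippet: "fetch(INTERNAL_PING_URL)", confidence: 0.3 },
];
// The reviewer rejected the fixture "secret" last week; that decision must survive this run.
export const storedDismissals: Dismissal[] = [
  dismiss(lastWeek[1], "test fixture, not a live credential", "reviewer@example.test"),
];
export const weekly = triage(thisWeek, lastWeek, storedDismissals, 0.6);
```

Two choices carry the weight here: the fingerprint ignores the line number, because a scanner keyed on file and line re-opens every finding after an unrelated edit above it, and a dismissal is checked before the confidence floor, so a reviewed rejection sticks even if the scanner's confidence rises next week. On the constructed runs, only the new SSRF in src/proxy.ts would reach the webhook.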

It is also where the contrast with the rule-based generation shows. Snyk, Dependabot, and GitGuardian are good at matching known signatures and flagging dependencies with published advisories. They are far less good at explaining why a specific code path in your own logic is exploitable, and they tend to bury the signal under a wall of severity badges. Confidence ratings plus dismissals let you set a noise floor, so only the findings worth a human minute get through. The promise is fewer alerts, each one carrying more context.

Six Platforms Now Run on Opus 4.7

The bigger move is who is building on it. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI, and Wiz are embedding Opus 4.7 into their own security products. On the services side, Accenture, BCG, Deloitte, Infosys, and PwC are deploying Claude-integrated security work for their clients. Anthropic also opened a Cyber Verification Program for organisations doing high-risk cybersecurity work that need access to safeguarded capabilities.

Last week added the governance half. The Compliance API, announced on May 21, exposes Claude Enterprise and Platform activity (prompts, responses, uploaded files, logs, and admin actions) to external security and governance tools. That is the unglamorous piece a security team needs before it will let any model near production code, because without an audit surface the model is a black box the compliance officer cannot sign off on.

The partner news matters even if you never touch the Enterprise product directly. When Wiz or CrowdStrike wires Opus 4.7 into a scanner you already run, the model’s reasoning reaches your pipeline through a tool you have already paid for and trust. That is the quieter distribution story. Not everyone signs up for Claude Security, but a lot of teams will end up running it without ever leaving the dashboard they know.

Read together, this is Anthropic positioning Claude as a layer that security vendors build on, not just a standalone scanner racing the incumbents. It rhymes with Anthropic’s wider cybersecurity bet, where the model is the engine and other companies ship the product on top of it.

What a Solo Studio Can Actually Use Today

Here is the honest part. Claude Security is an Enterprise public beta. Team and Max access is listed as coming soon, and there is no Pro tier in the announcement. As a one-person studio I cannot point it at my repositories yet, and I am not going to pretend otherwise.

So this is what I actually use in its place. Claude Code ships a built-in security review you run with the /security-review command, which makes an on-demand pass over a diff and flags issues before they land. There is also a Claude Code security action for GitHub that reviews pull requests automatically and leaves findings as inline comments on the PR. Both run for individual developers right now, both reason about code the same way the Enterprise product does, and both keep a human approving every patch.

My setup is small. The GitHub action runs on every pull request to main and comments anything it finds, so review happens before merge without me remembering to trigger it. When I am touching auth, payments, or anything that handles a token, I run the review command locally first and read the reasoning, not just the verdict. It catches the boring but dangerous things: a secret about to be committed, an unescaped query, a missing check on a webhook signature. Last month it stopped me from shipping a webhook endpoint that trusted its payload without verifying the signature header, the kind of mistake that reads as fine in review and bites in production. The reasoning, not just the flag, is what made me fix it properly instead of papering over it.
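
The webhook mistake described above, beside the check that fixes it, as an added example that is not the author's code: the unsafe handler accepts any body as long as a signature header is present, while the hardened one recomputes an HMAC over the raw body and a timestamp, compares it in constant time, and rejects stale requests. The header layout (t=...,v1=...), the header name x-signature and the sample traffic are assumptions made for the example; match your provider's documented scheme, not this one.

```typescript
// Added example: the webhook mistake beside the check that fixes it.
// Illustrative code only, not the author's endpoint or any provider's SDK. The header
// layout assumed here is "t=<unix seconds>,v1=<hex HMAC-SHA256 over '<t>.<raw body>'>";
// real providers document their own scheme, so match theirs, not this one.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface Verdict {
  ok: boolean;
  reason: string;
}

// The bug: presence of a signature header is treated as proof of origin. Anyone who
// can reach the URL can post any payload with any value in that header.
export function handleUnverified(rawBody: string, headers: Record<string, string>): Verdict {
  if (!headers["x-signature"]) return { ok: false, reason: "missing signature header" };
  JSON.parse(rawBody); // the payload is trusted here without ever being verified
  return { ok: true, reason: "header present, never verified" };
}

// What the sender does: sign the timestamp and the exact raw body with the shared secret.
export function sign(secret: string, timestamp: number, rawBody: string): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Compare MACs in constant time. timingSafeEqual throws on unequal lengths, so length
// is checked first; the MAC length is fixed, so that check leaks nothing useful.
function macEqual(a: string, b: string): boolean {
  const ab = new TextEncoder().encode(a);
  const bb = new TextEncoder().encode(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

export function verifySignature(
  secret: string,
  rawBody: string,
  header: string | undefined,
  nowSeconds: number,
  toleranceSeconds = 300,
): Verdict {
  if (!header) return { ok: false, reason: "missing signature header" };
  const fields = new Map<string, string>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) fields.set(kv.slice(0, i), kv.slice(i + 1));
  }
  const t = Number(fields.get("t"));
  const v1 = fields.get("v1");
  if (!Number.isInteger(t) || !v1) return { ok: false, reason: "malformed signature header" };
  // Bound replay: a captured request with a valid signature is rejected once it is stale.
  if (Math.abs(nowSeconds - t) > toleranceSeconds) return { ok: false, reason: "timestamp outside tolerance" };
  // Recompute over the raw bytes that were signed, never over re-serialised JSON.
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  if (!macEqual(expected, v1)) return { ok: false, reason: "signature mismatch" };
  return { ok: true, reason: "verified" };
}

// The fix: verify first, parse second.
export function handleVerified(secret: string, rawBody: string, headers: Record<string, string>, nowSeconds: number): Verdict {
  const verdict = verifySignature(secret, rawBody, headers["x-signature"], nowSeconds);
  if (!verdict.ok) return verdict;
  JSON.parse(rawBody);
  return verdict;
}

// Constructed sample traffic (not captured from a real provider).
export const SECRET = "example-webhook-secret-not-real";
export const NOW = 1700000000;
export const body = JSON.stringify({ event: "payment.succeeded", amount: 4900 });
export const tampered = JSON.stringify({ event: "payment.succeeded", amount: 1 });
export const goodHeaders = { "x-signature": sign(SECRET, NOW, body) };
export const forgedHeaders = { "x-signature": `t=${NOW},v1=${new Array(65).join("0")}` }; // 64 zero hex digits
export const staleHeaders = { "x-signature": sign(SECRET, NOW - 3600, body) };
```

Verify against the raw request bytes as received, not a parsed and re-serialised object, since key order or whitespace differences silently change the MAC; and keep the tolerance window short, because a valid signature on a replayed body is still a valid signature.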

It is worth being clear about what this does not replace. It reasons about your own code, so it complements rather than supplants dependency scanning for known advisories, secret rotation, and the rest of a real security posture. Treat it as a very good reviewer, not a finished program. It is not the scheduled, webhook-routed, dismissal-tracking product either. It is the same instinct at solo scale, and the habits carry straight over if Team access lands the way it is promised.

Bottom Line

Claude Security went from a demo to a workflow in about a month. The scanner was never the hard part. Scheduled runs, dismissals that stick, and webhooks that file the ticket are what make a security tool something you keep instead of something you screenshot once. The model underneath is now shared by six security platforms and a governance API, which says more about the strategy than any single feature does.

For now it sits behind the Enterprise tier, so solo builders get the same engine through Claude Code review instead. Wire the GitHub action into your pull requests, run the review command before you touch anything sensitive, and watch the Team and Max rollout. Read the rest of the Claude coverage in the Lab while you wait.




29 Zapier + Make automations replaced in four weeks


The bill I no longer understood

One morning in March, I reread the list of recurring direct debits for L'Atelier Palissy, and I came across a line that surprised me by its regularity: Zapier Pro, $73.50, every month for eighteen months. Next to it, a smaller but equally discreet Make Pro. I counted: twenty-one active Zaps, nine Make scenarios, a few stopped, a few obviously broken for weeks. Nobody had noticed, because each automation lived on its own dashboard, with its own history, its own logs that no one ever looked at.

I didn't know exactly what each one did. I knew there were about thirty of them, that they passed data from Formidable to Mailchimp, from Meta Lead Ads to a shared Google Sheet, from Stripe to a confirmation email, that they triggered on webhook, on polling, on schedule, and that half of the silent system failures probably came from there. I didn't have the energy to go and look, because going to look meant opening a tool I was not at home in.

Twenty-eight days later, it was gone. Zero Zaps, zero Make scenarios, everything replaced by three hundred lines of TypeScript running in my Rembrandt ERP, under Sentry, under tests, with a single overview that I look at in the morning over coffee.

If you have 30 seconds

Zapier/Make automations pay three invisible debts: they live outside your database, they log somewhere other than your monitoring, and they are triggered by rules that nobody ends up reading any more. Replacing thirty automations with a single event pipeline takes four weeks, not six months, provided you follow a golden rule: never cut a Zap before having validated its replacement in double writing for three to five days. This article gives the method, the timetable and the cost avoided.

Three invisible debts

The first debt that no-code tools produce is called, in an internal literature that does not yet exist, distributed debt. Your data lives in three places at once, and none of the three is canonical. My CRM thought the truth was in Google Sheets.
Mailchimp believed the truth came from Zapier. Supabase didn't think anything, because I only wrote part of what was happening into it. The day a lead lands in three different tabs with three different spellings, no one knows which record is the real one. The only way to decide is to choose one place that wins by construction, and make everything else follow it.

The second debt is the absence of unified monitoring. A broken Zap sends an email to the address that created the Zapier account, possibly to no one. A Make scenario that fails at its third step leaves the first two consuming quota, and the only trace is a small red number in a dashboard that no one opens. Sentry, Datadog, Grafana: none of them aggregates it. You learn that your automation is dead when a customer calls to say they have not received their confirmation email.

The third debt is the most silent, and it is the debt of the rules we forget we have written. A Zap created eleven months ago to handle a particular case of the summer season continues to run the following winter, and it routes a Paris lead to the email address of a colleague who has left the company. You don't see it, because the lead still arrives, apparently. Nobody rereads a Zap. It is built so that we don't have to read it. That is precisely what makes it a debt.

The golden rule that took me two weeks to accept

My first attempt, at the beginning of April, was naive. I would write a Rembrandt replacement, cut the Zap, move on to the next one. My third attempt ended in Slack at 11 p.m., with a Meta lead lost because my webhook was not deployed on the correct Vercel environment, and the certainty that if I carried on like this I was going to break at least one critical piece before the end of the week.

I set the following rule, and kept it until the last Zap. Never cut a Zap before having validated its replacement in double writing for three to five days. Concretely: I write the replacement, I deploy it, and it runs at the same time as the Zap.
Each lead arrives twice in my Supabase, and twice in the inbox of the team that receives the notification. For three to five days, I compare: same lead, same data, same timings, same emails sent? If so, I cut the Zap. If not, I disable my code and I still have a working safety net while I figure out what broke. The worst possible side effect during the transition is a lead received twice by the sales team. That is an annoyance, not a disaster. A lost lead is a silent catastrophe that you discover a month later.

The architecture that replaced the thirty automations

The target is of a simplicity that was not visible as long as I stayed inside the no-code tools.

    Meta Ads   ──┐
    Formidable ──┤
    Stripe     ──┼──► Webhooks Rembrandt ──► Supabase (single source)
    Manual     ──┘                               │
                                                 ├── Gmail SMTP (internal notifications)
                                                 ├── Slack (team alerts)
                                                 ├── Meta CAPI (campaign feedback)
                                                 ├── automation_logs (traceability)
                                                 └── Cron → Mailchimp then Brevo

A single entry point per source, a single storage location, a parallel fan-out to the notification tools. The core is contained in a file called lib/lead-pipeline.ts, which executes the outgoing integrations in parallel after each insert into the contacts table.

```ts
// Lead, syncMailchimp, notifySlack, notifyGmail, sendMetaCapi,
// generateFirstContactDraft and logAutomation come from the project's own
// modules (not shown in the article).
export async function runLeadPipeline(lead: Lead) {
  // Fan out to every outgoing tool at once; allSettled keeps the others
  // running when one of them rejects.
  const tools = ["mailchimp", "slack", "gmail", "metaCapi", "draft"] as const
  const results = await Promise.allSettled([
    syncMailchimp(lead),
    notifySlack(lead),
    notifyGmail(lead),
    sendMetaCapi(lead),
    generateFirstContactDraft(lead),
  ])
  // One status per tool, written as a single automation_logs row for this lead.
  const status: Record<string, string> = {}
  results.forEach((r, i) => {
    status[tools[i]] = r.status === "fulfilled" ? "ok" : String(r.reason)
  })
  await logAutomation(lead, status)
}
```

Promise.allSettled rather than Promise.all, because if Slack is down I still want the email to go out. Each result feeds an automation_logs table, which is the only thing I look at in the morning: how many leads arrived, which tools succeeded, which failed, over what time window.
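
The comparison the golden rule calls for, as an added example written for this article and not taken from rembrandt-samples: it reconciles the rows the Zap and the pipeline both wrote during the double-writing window, reports leads only one path saw, field disagreements and timing skew, and answers whether the Zap can be cut. The LeadRow shape, the email-keyed matching, the one-minute skew limit and the sample rows are assumptions.

```typescript
// Added example: the check to run before cutting a Zap, over the rows the old Zap and
// the new pipeline both wrote. Illustrative code written for this article, not part of
// rembrandt-samples; the row shape, matching key and sample rows are constructed.

export interface LeadRow {
  source: "zap" | "pipeline";
  email: string;
  name: string;
  campaign: string;
  receivedAt: string; // ISO-8601 timestamp
}

export interface FieldMismatch {
  email: string;
  field: "name" | "campaign";
  zap: string;
  pipeline: string;
}

export interface Report {
  matched: number;
  onlyZap: string[];      // the Zap saw it, the pipeline did not: a lost lead
  onlyPipeline: string[]; // the pipeline saw it, the Zap did not
  fieldMismatches: FieldMismatch[];
  late: { email: string; deltaMs: number }[]; // pipeline landed outside the allowed skew
}

// Match on the normalised email, because the two paths spell it differently.
function key(row: LeadRow): string {
  return row.email.trim().toLowerCase();
}

export function reconcile(rows: LeadRow[], maxSkewMs = 60000): Report {
  const zap = new Map<string, LeadRow>();
  const pipeline = new Map<string, LeadRow>();
  for (const row of rows) (row.source === "zap" ? zap : pipeline).set(key(row), row);

  const report: Report = { matched: 0, onlyZap: [], onlyPipeline: [], fieldMismatches: [], late: [] };
  zap.forEach((z, k) => {
    const p = pipeline.get(k);
    if (!p) {
      report.onlyZap.push(k);
      return;
    }
    report.matched += 1;
    for (const field of ["name", "campaign"] as const) {
      if (z[field].trim() !== p[field].trim()) {
        report.fieldMismatches.push({ email: k, field, zap: z[field], pipeline: p[field] });
      }
    }
    const deltaMs = Date.parse(p.receivedAt) - Date.parse(z.receivedAt);
    if (Math.abs(deltaMs) > maxSkewMs) report.late.push({ email: k, deltaMs });
  });
  pipeline.forEach((_p, k) => {
    if (!zap.has(k)) report.onlyPipeline.push(k);
  });
  return report;
}

// Cut the Zap only when nothing it saw was missed and nothing the pipeline wrote disagrees.
// A lead only the pipeline saw is worth a look, but is not by itself a reason to wait.
export function safeToCut(report: Report): boolean {
  return report.onlyZap.length === 0 && report.fieldMismatches.length === 0 && report.late.length === 0;
}

// Constructed sample window (not real leads).
export const sampleRows: LeadRow[] = [
  { source: "zap",      email: "alice@example.com", name: "Alice", campaign: "spring",      receivedAt: "2024-04-08T09:00:00Z" },
  { source: "pipeline", email: "alice@example.com", name: "Alice", campaign: "spring",      receivedAt: "2024-04-08T09:00:02Z" },
  { source: "zap",      email: "Bob@Example.com",   name: "Bob",   campaign: "spring-2024", receivedAt: "2024-04-08T09:05:00Z" },
  { source: "pipeline", email: "bob@example.com ",  name: "Bob",   campaign: "spring",      receivedAt: "2024-04-08T09:05:01Z" },
  { source: "zap",      email: "carol@example.com", name: "Carol", campaign: "spring",      receivedAt: "2024-04-08T09:10:00Z" },
  { source: "pipeline", email: "dave@example.com",  name: "Dave",  campaign: "spring",      receivedAt: "2024-04-08T09:12:00Z" },
  { source: "zap",      email: "erin@example.com",  name: "Erin",  campaign: "spring",      receivedAt: "2024-04-08T09:20:00Z" },
  { source: "pipeline", email: "erin@example.com",  name: "Erin",  campaign: "spring",      receivedAt: "2024-04-08T09:25:00Z" },
];
export const report = reconcile(sampleRows);
```

Run it over each day's window and cut only when safeToCut returns true. The onlyZap list is the one that matters most, because each entry is a lead the replacement would have lost silently; on the constructed window, carol is that lead, bob's campaign field disagrees, and erin's pipeline copy landed five minutes late, so this window is not safe to cut.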
The schedule as it really happened

| Week | What I did | Zaps cut |
| --- | --- | --- |
| S1 | Central pipeline + Slack client + automation_logs table | 0 |
| S2 | Formidable direct, in double writing | 0 |
| S3 | Cut ten Formidable Zaps; Meta webhook in double writing | 10 |
| S4 | Cut eight Meta Zaps; Stripe webhook | 18 |
| S5 | Make scenarios (PDFs, crons) and cleanup | 21 |
| S6 | Kill Zapier Pro, planned downgrade | 21/21 |

The day of the final cut, I didn't sleep the night before, and the next day I opened my automation_logs dashboard every hour. Thirteen days later, nothing had broken. Today I still maintain a dead route, sync-gsheets-leads, which I never call but which serves as a reactivable safety net until the end of the month.

What we gain that we never suspected

The economic gain is obvious: around a hundred euros per month in consolidated subscriptions. But what surprised me was a gain in understanding. The first week after the cut, I found that I understood my system for the first time in eighteen months. I could open a file, reread a routing rule, modify it, test it, deploy it in twenty minutes. Before, even a trivial modification, changing the recipient address of a notification email, went through five Zapier tabs and a dull fear of breaking one by moving another.

Two short scenes come to mind. In the first, I had to call Gaspard, our IT service provider, to retrieve the password for the Zapier account. He had it, he gave it to me, and he didn't ask why I wanted it. In the second, earlier one morning, Françoise came out of her office with her cup in her hand and stood in front of my desk: "Right. How long do you plan to keep your Meta duplicates? Because Hélène receives two emails for the same lead, and she is starting to get annoyed." It was the third week. I told her "two more days", she agreed, put down her cup, and the cut was made the next evening. I learned that double writing has a cost in team patience that should neither be minimised nor stretched beyond what is necessary.
There is a particular hygiene to having a system held in one place. We underestimate it until it is there, because no-code tools sell precisely the promise that it is everywhere, that it no longer has to be thought about. The truth is that if it is not thought about in one place, it is just buried. It costs less to write, and much more to live with.

What you can copy into your project

Reusable patterns extracted from this migration, independent of my stack:

- The golden rule: double writing for three to five days before cutting. Not negotiable. A duplicate lead is better than a lost lead. The extra time is paid once and repaid with every incident avoided.
- A single event pipeline: a runPipeline(event) function called after each insert, which executes the outgoing integrations in parallel (Promise.allSettled) and records the result of each in a dedicated table.
- An automation_logs table: one row per event, one column per outgoing tool with its status. It is the only dashboard we look at in the morning, and it replaces all the separate dashboards of the no-code tools.
- A reactivable post-cut safety net: keep the dead route for two more weeks. The day a bug surprises you, it takes fifteen seconds in vercel.json to put the net back. Afterwards, you delete it for good.

And a broader discipline: any tool that houses your business logic outside your database makes you pay three debts: distributed, unmonitored, unreadable. Zapier and Make are useful for prototyping. They become dangerous as soon as serious activity depends on them.

How many no-code automations are running on your system right now, and when was the last time someone reread them all? I read the comments.

Companion code: rembrandt-samples/lead-pipeline/: runLeadPipeline with Promise.allSettled, automation_logs schema, hub-and-spoke diagram, MIT, ready to copy.


