3 min read

Capital One Open-Sources VulnHunter for Code Security

Capital One has open-sourced VulnHunter, an agentic code-security tool that traces exploit paths and proposes evidence-backed fixes.

Image: Hacker News

Capital One is releasing VulnHunter, an open-source, agentic AI code-security tool designed to analyze source code from an attacker’s perspective. The company announced the release on July 16, 2026, arguing that advanced AI models are making it faster and cheaper for attackers to discover and exploit software vulnerabilities.

Traditional protections such as network segmentation, identity controls, and monitoring remain necessary, Capital One said, but they are no longer sufficient by themselves. VulnHunter is intended to help defenders find and fix exploitable defects before adversaries can use advanced models against them.

How VulnHunter analyzes code

Unlike a passive vulnerability scanner, VulnHunter uses an agentic reasoning workflow to identify potentially exploitable defects, map attack paths, and propose targeted code remediations. Its design centers on three capabilities:

  • A falsification engine: After identifying a finding, the tool tries to disprove its own conclusion by searching for unsupported assumptions, logical gaps, and conditions that would prevent an attack. Findings that do not survive this process are discarded.
  • Attacker-first forward analysis: Rather than starting with a potentially dangerous “sink” and reasoning backward, VulnHunter begins at attacker-accessible entry points such as APIs, network messages, or file uploads. It then follows application logic, data transformations, and internal security checkpoints to assess whether an attack can actually succeed.
  • Evidence-backed remediation modeling: For findings that survive the falsification process, VulnHunter gathers evidence across the codebase, explains the defect and the attacker’s potential capabilities, and generates focused code changes for engineering review.

Capital One said it built VulnHunter around the developer experience. The company’s stated aim is to reduce the burden of triaging false alarms and focus developers on immediate, evidence-backed repairs rather than rigid security processes that do not fit their daily workflows.

Capital One’s internal validation and open-source release

Before releasing the tool, Capital One ran VulnHunter on its own code. The company said it identified and remediated vulnerabilities across thousands of repositories spanning tens of business areas, producing verified, actionable findings faster than previous workflows that required significant manual triage.

Recommended reading

Carders Hunt for “Clean” Residential Proxies

Capital One is open-sourcing the project under the Apache License 2.0, citing the interconnected nature of modern software supply chains. The company said a vulnerability in a widely used open-source component can affect thousands of enterprises, and that defensive tools should be distributed, tested, and improved broadly.

The release lets the security and developer communities inspect VulnHunter’s workflow, challenge its assumptions, and contribute improvements.

Requirements and repository

VulnHunter is available now at github.com/capitalone/vulnhunter. Running it requires access to Claude Opus 4.8 and a working Claude Code environment. The repository includes a Quickstart guide, architecture documentation, annotated example workflows, known limitations, and an active development roadmap.

The project’s initial implementation is a Claude Code skill, and its model optimization targets Claude Opus 4.8. Capital One said the framework and skills may also be used across other coding harnesses and foundation models. Contributions, including bug reports, reasoning-workflow changes, and expanded model support, are covered in CONTRIBUTING.md.

Open-source tree diagram against a light green background

1 / 2

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

/ Keep reading