Alberta uses Claude to find and fix vulnerabilities | Keryc
The government of Alberta put Claude to work reviewing its software and closing security gaps at scale. The result? It scanned hundreds of millions of lines of code in hours and helped repair systems that hadn’t seen a systematic review in decades.
What Alberta did with Claude
Since 2025 the Ministry of Technology and Innovation of Alberta has used Claude Code with the Opus and Sonnet models to audit and heal its systems. The internal team scanned 466 million lines of code in about 20 hours, finding issues traditional tools hadn’t spotted. Can you imagine the time that saves? Alberta estimates the same work would have taken roughly 6.5 years with conventional methods.
The platform ran roughly 50 agents in parallel to inspect 1,280 applications and 3,400 repositories the government maintains. The review wasn’t superficial: Claude Code used a two-stage routine. First, a rules engine looked for known patterns; then the model reviewed the findings and pointed to the exact file and line so developers could verify each case.
How they fixed what they found
They didn’t stop at pointing out problems. In many cases Claude Code generated patches, wrote automated tests, and built the fixes. When an app had no tests, the AI wrote them first to validate that the patch was safe. If the code was too old or too tangled, it was rebuilt in a more modern, maintainable language.
A concrete example: a manually built Java grants portal from about 25 years ago—whose original development took five months—was rebuilt in four or five days using the new approach. Always with human review: before deploying any change, engineers at the Ministry reviewed and approved the patches.
Continuous review and specialized agents
Alberta didn’t do a one-off scan. They deployed specialized agents that run inside the development process. A red-team–style agent simulates external attacks to map how a vulnerability could be exploited. A blue-team–style agent evaluates defenses against an international standard and generates a remediation plan pointing to specific files.
There are also agents that check code quality and the clarity of the text citizens see. On each pass, applications are verified against around 95 security controls. These agents were built on the Claude Agent SDK and form a continuous analysis chain for every application.
Training and openness
Alberta didn’t keep this secret. They created the Alberta AI Academy to train public servants and citizens in responsible AI use. Thousands of workers and more than 10,000 members of the public have gone through the platform to learn everything from prompting to delivering enterprise apps.
They also published a collection of technical white papers documenting their experience as a guide for other governments. In July they’ll host an industry day in Edmonton to share what they learned, and they plan to scale this approach across the provincial administration.
Lessons for other governments
The problem Alberta faced isn’t unique: many administrations carry technical debt, legacy software, and incomplete documentation. Alberta’s bet shows that combining AI with human oversight can accelerate massive modernizations, cut costs, and improve security. Sounds promising, right?
Concretely, the government plans to use Claude Code to analyze 185 legacy applications and consolidate them into 16 reusable apps—aiming for less complexity and lower maintenance costs.
Using AI for this raises valid questions about governance, transparency, and responsibility. Alberta shows one path: automate what you can, keep human control, and open the knowledge so others can learn.
Protecting sensitive information is a public responsibility. If a tool can do in hours what used to take years, it’s worth studying how to apply it carefully and responsibly.