Jul 18, 2026
AI

Capital One open-sources AI tool for finding exploitable code flaws

VulnHunter scans code from attacker entry points and proposes fixes, but Capital One did not disclose accuracy metrics or production adoption plans.

Colin Brandt

By Colin Brandt · Enterprise Reporter

· 4 min read

Capital One on Thursday released VulnHunter, an open-source AI security tool designed to find exploitable software vulnerabilities and suggest code fixes before applications reach production. The release matters because a major regulated bank is putting an internally built security system on GitHub under an Apache 2.0 license, in a category where false positives and vague AI claims are common.

The company describes VulnHunter as an “agentic” tool that reviews source code, traces possible attack paths and produces remediation proposals for engineers to evaluate. Capital One said the system currently runs on Anthropic’s Claude Opus 4.8 model inside Claude Code, while adding that the framework could work with other foundation models and coding environments. It did not disclose precision, recall, benchmark results, cost per scan or external customer usage.

How the tool is supposed to work

VulnHunter’s main distinction, according to Capital One, is that it starts where an attacker would start: API endpoints, network message handlers, file uploads and other external interfaces. From there, it follows application logic forward to test whether a dangerous path can be reached through the defenses already present in the code.

That approach differs from many static analysis tools, which commonly begin with suspicious code patterns and then determine whether an attacker might reach them. Capital One argues that its method should reduce the volume of findings that developers have to triage.

The second piece is what Capital One calls a falsification engine. After VulnHunter identifies a possible flaw, the system tries to disprove the finding by checking for missing assumptions, broken logic in the exploit chain or conditions that would stop the attack. Findings that survive that process are passed to a human reviewer with an explanation of the path and a proposed fix.

Capital One said it tested VulnHunter internally across thousands of repositories and tens of business areas. The company claimed the tool found and helped remediate vulnerabilities faster and more efficiently than previous manual triage, but it did not provide baseline numbers or independent validation.

A release shaped by Capital One’s breach history

The bank’s security posture is still read in the context of its 2019 breach. Capital One disclosed that an outside individual, later identified as former Amazon Web Services employee Paige Thompson, accessed personal information tied to about 100 million people in the United States and 6 million in Canada. Exposed data included names, addresses, self-reported income, about 140,000 Social Security numbers, about 80,000 linked bank account numbers and roughly 1 million Canadian Social Insurance Numbers.

The company said at the time that the incident occurred on March 22 and 23, 2019, and was found after an outside researcher reported a configuration vulnerability through its responsible disclosure program on July 17. The FBI arrested Thompson, and the government said it believed the data had been recovered with no evidence of fraud.

In 2020, the Office of the Comptroller of the Currency fined Capital One $80 million. The regulator said the bank had failed to identify and manage risks tied to its cloud migration, including network security controls and data loss prevention. The OCC also required Capital One to submit new cybersecurity plans for review.

Open-source strategy, not charity

Capital One has presented open source as part of its technology strategy for years. The company says its Open Source Program Office manages usage, contributions and community work across the enterprise, and that it has released more than 25 open-source projects while contributing to about 135 external projects. In 2022, Capital One joined the Open Source Security Foundation as a premier member.

VulnHunter fits that strategy by pushing security review closer to the code and inviting outside developers to inspect and extend the system. For the broader market, the open question is whether the tool can perform well outside Capital One’s own repositories and whether security teams trust AI-generated exploit reasoning and patches enough to put them into daily workflows.

The release also signals where enterprise security tooling is heading. Banks, fintechs and cloud-heavy companies are under pressure to find flaws earlier in development as AI systems make vulnerability discovery cheaper for attackers and defenders. Capital One has put one version of its answer in public; the evidence for how well it works will have to come from adoption, issue reports and independent testing.

This story draws on original reporting from VentureBeat.

More from AI

All AI →