Anthropic security researcher Nicholas Carlini, whose papers have been cited 67,200 times on Google Scholar, is one of the most cited individuals in this field.


He recently stated publicly that Claude is a better security researcher than he is.
He pointed Claude at Ghost (a publishing platform with 50,000 GitHub stars that has never had a high-risk vulnerability in its history) for 90 minutes, and Claude found an SQL injection vulnerability that lets anyone obtain the administrator key directly and fully take over the backend without any permissions.
He then directed Claude to the Linux kernel. Claude discovered a buffer overflow vulnerability—a flaw that has been hidden there since 2003 and has existed for 23 years. Carlini said that such a level of vulnerability is extremely difficult to detect even with manual auditing by experienced security experts.
In smart contract testing, Claude identified approximately $3.7 million in exploitable vulnerabilities in a simulated environment.
Carlini said he himself cannot match Claude’s level of performance on these tasks.
The most uncomfortable part of this story isn’t that AI found the vulnerabilities, but that Carlini was still at work.