Government of Alberta uses Claude to find and fix cybersecurity vulnerabilities across government systems
The Government of Alberta used 50 Claude Code agents to scan 466 million lines of code in 20 hours, finding and fixing security vulnerabilities and compressing years of audit work into a single day.
- 50 AI agents worked in parallel to scan 466M lines of code across 3,400 repos in 20 hours, far exceeding human speed.
- A two-stage scan combined a rules engine for initial flagging and Claude for deep review, pinpointing exact files and lines for verification.
- With billions in technical debt, government systems found a scalable audit solution through AI.
- Alberta released technical white papers, offering a reusable blueprint for other governments and enterprises.
The Trigger: When Technical Debt Meets AI
While the world argues about whether AI-generated code is safe to deploy, the Government of Alberta, Canada, took a more pragmatic step: using Claude to audit 466 million lines of legacy code and uncover hidden security vulnerabilities. This wasn’t a publicity stunt—it was a necessity. The province’s Ministry of Technology and Innovation oversees 1,280 applications and 3,400 code repositories across 27 departments, most of which had never undergone a systematic security review. Sensitive data—tax records, procurement data, social services files—flowed through aging systems with billions in technical debt. Traditional manual audits would have taken years. In 2025, an internal team decided to let AI tackle this mountain.
Breakdown: How 50 AI Agents Parallel-Scanned the Codebase
The team didn’t just toss code at a chatbot. They engineered a sophisticated Agent workflow. Around 50 Claude Code agents (powered by Opus and Sonnet models) were spun up to scan repositories in parallel. The process had two stages: first, a rules engine rapidly flagged known vulnerability patterns (hardcoded secrets, SQL injection points, etc.); second, Claude reviewed those flags, confirming whether they were actual threats, and returned the exact file path, line number, and a fix suggestion. This 'rule filter + AI verifier' combo balanced speed and accuracy while making it easy for developers to verify findings. The full scan of 466 million lines took just 20 hours—a task that would have required hundreds of human auditors working for nearly two years.
Notably, the team didn’t stop at finding bugs. They used Claude to help remediate issues and build new security tools, extending AI’s role from auditor to engineer in a closed loop.
Trends: AI as Infrastructure for Digital Governance
This case study highlights three major shifts:
- From 'Writing New Code' to 'Reading Old Code'. AI’s value is no longer just generation; it’s comprehension. Legacy modernization has always been a nightmare, but AI provides scalable code understanding, acting as an archaeologist that uncovers forgotten flaws and design flaws.
- Agent Swarms Become an Engineering Pattern. The 50 parallel agents signal a move from single-bot AI to distributed collaboration, akin to the shift from monoliths to microservices. Agent orchestration could soon be as fundamental as Kubernetes is today.
- Public Sector Begins Embedding AI in Core Processes. Government IT directly impacts citizens, yet has lagged behind due to caution. Alberta’s success may trigger a wave of public-sector adoption for accelerating compliance and tackling technical debt.
Practical Takeaways: How to Replicate This
For any organization drowning in technical debt, Alberta offers a blueprint. Three keys stand out: first, a two-stage review to reduce AI hallucination risk using a deterministic rules engine; second, a parallel agent architecture that scales scanning linearly; and third, keeping humans in the loop—AI suggests, developers decide. Alberta also published technical white papers (linked in the original article) detailing their architecture. However, privacy compliance must be managed: code with sensitive configurations requires air-gapped scanning environments.
Counterintuitive Insight: AI as a Security 'Excavation Crew'
Many fear AI-written code introduces vulnerabilities. Alberta’s story flips this on its head: AI became the vulnerability hunter. It writes nothing new; it reads existing code with superhuman thoroughness, spotting defects humans missed for years. It’s like using AI to 'excavate' your own technical heritage, flagging buried risks. Another surprising element is the sheer time compression—years of work crammed into a day isn’t incremental improvement; it’s a paradigm shift.
Conclusion
Alberta’s experiment is a milestone. It proves that with proper engineering frameworks, AI can solve massive, real-world problems—not just chat and generate. For organizations buckling under technical debt, this might be a new survival strategy: let AI first comprehend your 'legacy mess,' then help you refactor it step by step.
Analysis by BitByAI · Read original