My first real exposure to a cyberattack was in January 2003, though it took us a while to realise what we were dealing with. My team and I were called in to help a high-profile bank under siege from within. The culprit turned out to be SQL Slammer, exploiting an unpatched buffer overflow in Microsoft SQL Server 2000. Just 376 bytes. One UDP packet. And it choked the Internet globally within minutes.
Total destruction from a single unpatched line of code!
That day taught me something I have never forgotten. Code vulnerabilities are a force multiplier for chaos. I wrote about it in 2018, in an article on Cyber Resilience and Maturity. The problem has not gone away. The tools to fight it have just finally caught up.
More than two decades in cybersecurity teaches you to expect the unexpected. It also teaches you to recognise the inevitable when it arrives. So when Anthropic announced Claude Security, I was not surprised. I was quietly relieved. But those same two decades have also taught me that solving code is not solving the problem. Not even close. The SQL Slammer problem was never just the code. The configuration left systems exposed.
Anthropic's Claude Security focuses on code. It is impressive and necessary, but not enough. Beyond Claude Security, the industry needs three more pillars to complete the picture. Call them Config, Compliance, and Culture. They do not need to come from Anthropic or carry the Claude name. But they need to be built, work together, and be taken as seriously as code security has finally begun to be.
Together, these four pillars address what I would call the Cyber Quadrilemma. And a Quadrilemma is resolved only when all four pillars stand.
Code Security: The First Pillar. Already here.
Claude Security is impressive. Genuinely.
When Anthropic released Claude Code, many of us quietly expected a security companion to follow. It was the natural next step. Claude Code helps developers write code. Claude Security helps find what went wrong in it. Together, they build the first pillar: Code Security.
Claude Security, now in public beta for Enterprise customers, analyses codebases as a human security researcher would, traces data flows, identifies complex vulnerabilities that rule-based tools routinely miss, and suggests patches, all without days of back-and-forth between security and engineering teams.
In theory, if every organisation adopted it, we could eliminate zero-day vulnerabilities hiding in code. That would be extraordinary. And it is genuinely within reach.
But solving every zero-day in code, remarkable as that would be, does not solve the problem. Because code is only one quarter of the story.
Welcome to the Cyber Quadrilemma: Code Security. Config. Compliance. Culture.
Config: The Second Pillar
Configuration is where organisations bleed quietly. Misconfigured cloud buckets. Over-permissioned service accounts. Default credentials left untouched. Open ports that nobody remembered to close. Some of the most catastrophic breaches in recent memory had nothing to do with a flaw in the code. The code was fine. The configuration was wide open.
The industry needs a Config pillar. A tool that reasons about your infrastructure the way Claude Security reasons about your codebase. Continuous. Contextual. Unforgiving of the subtle misconfigurations that automated checklist tools overlook.
Compliance: The Third Pillar
Regulations do not care whether your vulnerability lies in code or configuration. GDPR, ISO 27001, SOC 2, HIPAA, NIS2 and many others hold organisations accountable for outcomes, not intentions.
The industry needs a Compliance pillar that is not a retrospective audit tool but an active enforcement layer. One that embeds regulatory requirements directly into code and configuration from the start, ensuring that what gets built is compliant by design rather than scrambled into shape before an audit.
Policy as code. Compliance is a continuous state, not a seasonal exercise. Without this pillar, even the best Code and Config tools are incomplete. You can fix the vulnerability. You still have to prove it to a regulator.
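A policy-as-code sketch that ties the Config pillar to the Compliance pillar, written here as an added example and not part of the original article: each policy is a plain function over an inventory of infrastructure records, the inventory, control identifiers and port baseline are constructed assumptions, and the findings list is the continuous audit evidence a regulator would expect to see rather than a once-a-year report.

```python
"""Minimal policy-as-code checker for the Config and Compliance pillars.
Added example, not from the article: inventory, control IDs and baselines are assumptions."""
from dataclasses import dataclass

# Constructed sample inventory, one record per misconfiguration class the article names.
INVENTORY = [
    {"type": "bucket", "name": "cust-exports", "public_read": True},
    {"type": "service_account", "name": "ci-deployer", "permissions": ["*"]},
    {"type": "database", "name": "mssql-legacy", "user": "sa", "password": "sa"},
    {"type": "firewall", "name": "edge-1", "open_ports": [22, 443, 1434]},  # 1434: SQL Server resolution
    {"type": "bucket", "name": "static-site", "public_read": False},
]
DEFAULT_CREDS = {("sa", "sa"), ("admin", "admin"), ("root", "toor")}  # constructed list
ALLOWED_PORTS = {443}  # assumed baseline: only HTTPS may be exposed

@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control id; the compliance team maps it to a framework clause
    resource: str
    detail: str

def check_public_bucket(r):
    if r["type"] == "bucket" and r.get("public_read"):
        return Finding("CFG-001", r["name"], "bucket allows public read")

def check_wildcard_permissions(r):
    if r["type"] == "service_account" and "*" in r.get("permissions", []):
        return Finding("CFG-002", r["name"], "service account holds wildcard permission")

def check_default_credentials(r):
    if r["type"] == "database" and (r.get("user"), r.get("password")) in DEFAULT_CREDS:
        return Finding("CFG-003", r["name"], "default credentials still in use")

def check_open_ports(r):
    if r["type"] == "firewall":
        extra = sorted(set(r.get("open_ports", [])) - ALLOWED_PORTS)
        if extra:
            return Finding("CFG-004", r["name"], f"ports open beyond baseline: {extra}")

POLICIES = [check_public_bucket, check_wildcard_permissions,
            check_default_credentials, check_open_ports]

def evaluate(inventory):
    """Run every policy over every resource; the findings list is the audit evidence."""
    return [f for r in inventory for p in POLICIES if (f := p(r)) is not None]

def is_compliant(inventory):
    return not evaluate(inventory)

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.control} {f.resource}: {f.detail}")
```

Run on every configuration change rather than before an audit, the same function turns compliance into the continuous state the article describes.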
Culture: The Fourth Pillar
Even if we solve the code and the config and enforce compliance, we still have people.
The engineer who copies and pastes an environment variable into the wrong repository. The person who approves the pull request late on a Friday evening. The one who knows the policy overrides it anyway, just this once, because the deadline is tomorrow.
No tool fixes that. Only Culture does.
The industry needs a Culture pillar. Not a scanning tool, but a continuous broadcast platform. One that runs education and awareness programmes across the organisation, reinforces good conduct, builds security discipline into daily habits, and makes the right behaviour the default behaviour.
Security culture is not a one-off training session. It is a cadence. A signal. A standard that people rise to because they understand why it matters. Knowing what to do is not enough. People need to be held to it. That is what Culture builds.
The Cyber Quadrilemma Resolved
- First Pillar: Code Security
- Second Pillar: Config Security
- Third Pillar: Compliance enforcement
- Fourth Pillar: Culture and education
The Cyber Quadrilemma demands that all four stand together continuously. It does not matter which vendor builds each pillar. What matters is that all four get built.
There is a world of difference between doing things right and doing the right thing.
You can follow every process, pass every audit, and still leave a pillar unbuilt.
The goal is not a world with zero vulnerabilities. That world does not exist. The goal is a world where every person in the organisation, technical or not, understands that their choices either strengthen the pillars or weaken them. Where security is not a gate at the end of the process but a habit woven into its start.
Claude Security is exactly the kind of start that makes the rest feel possible. The market is ready. Security teams will champion it. And the industry has never had better tools, or fewer excuses, to get this right.
Three pillars still to build. A lot of work still to do.
About the author
Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. With 30 years of navigating the intersection of technology, risk, and regulations, he now helps organisations cut through complexity and make better security decisions.
CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.
