Capital One, the McLean, Virginia-based bank and financial services company, has released VulnHunter as an open-source project on GitHub under an Apache 2.0 license. The tool uses agentic AI to scan source code for exploitable vulnerabilities, trace prospective attack paths through application logic, and generate targeted code fixes for engineering review. Capital One built and validated the tool internally before making it public.
VulnHunter requires access to Anthropic's Claude Opus 4.8 model and a working Claude Code environment to run. The repository includes a quickstart guide, architecture documentation and annotated example workflows. Capital One said the underlying framework has potential for use across other coding environments and foundation models, though the current implementation is built for Claude Code.
The tool's architecture differs from conventional vulnerability scanners in two structural ways. Standard scanners work by identifying dangerous-looking code patterns and reasoning backward toward a hypothetical attacker, an approach Capital One said generates high volumes of false positives that erode developer trust in security tooling. VulnHunter reverses that sequence. It starts at the points where an external attacker would enter a system, such as API endpoints, network message handlers and file upload interfaces, then traces forward through application logic, data transformations and internal security checkpoints to determine whether an attacker can actually reach a dangerous code path.
Before any finding reaches a developer, a second mechanism runs. Capital One calls it a falsification engine: a structured reasoning workflow that searches for unsupported assumptions, logical gaps in the exploit path and environmental conditions that would prevent an attack from succeeding in practice. Findings the engine cannot rule out proceed to the developer, accompanied by a full map of the surviving exploit path, an explanation of what access or capability an attacker would gain, and a proposed code change ready for engineering review. Findings the engine does rule out are discarded before anyone sees them.
Capital One said it ran VulnHunter across thousands of repositories spanning tens of business areas before the public release, identifying and remediating vulnerabilities with speed and efficiency that exceeded what its teams previously achieved through manual triage.
Chris Nims, Capital One's CISO, described the decision to release VulnHunter publicly rather than keep it proprietary: "We felt an imperative to open-source VulnHunter because modern software supply chains are very connected, and the scale of the AI threat is larger than any single organization. Securing software and our digital environments is a shared foundation that benefits developers, enterprises, and the people who depend on the systems we all build. The defensive tools to address this reality need to be just as widely distributed, tested, and improved as the codebases they protect."
The release rationale connects to a technical threat the bank has been tracking: advanced AI models have reduced the time and skill required to discover and exploit software vulnerabilities, narrowing the window available to defenders before sophisticated attack capabilities become accessible to a broader range of adversaries.
VulnHunter is available at github.com/capitalone/vulnhunter. The repository's CONTRIBUTING.md outlines the process for submitting bug reports, proposed changes to the reasoning workflow and pull requests for expanded model support.




