How AI Replaced 6.5 Years of Security Work in 20 Hours

Alberta's Ministry scanned 466M code lines in 20 hours with Claude AI — exposing gaps traditional tools missed. The government AI security blueprint.

By Rajesh Beri·July 7, 2026·10 min read
Share:
THE DAILY BRIEF
CybersecurityEnterprise AIAI AgentsGovernment AICode Review
How AI Replaced 6.5 Years of Security Work in 20 Hours

Alberta's Ministry scanned 466M code lines in 20 hours with Claude AI — exposing gaps traditional tools missed. The government AI security blueprint.

By Rajesh Beri·July 7, 2026·10 min read

Here is a number that will reframe how you think about AI in your organization: 6.5 years of security work, completed in 20 hours.

That is not a typo or a marketing claim. It is what Alberta's Ministry of Technology and Innovation documented when it deployed 50 parallel AI agents to scan 466 million lines of government code — covering every application and repository the Ministry owns. The scan finished in roughly 20 hours. A traditional security review of the same scope, done manually, would have taken an estimated 6.5 years.

This is the case study that every CIO, CISO, and technology leader in government or regulated enterprise should be reading right now.


The Scale of the Problem Alberta Was Solving

Alberta's Ministry of Technology and Innovation is responsible for the systems of all 27 provincial ministries — everything from wildfire response to social services to tax administration. That scope translates to approximately 1,280 applications and 3,400 code repositories. Most of these systems have never undergone a systematic security review.

The accumulated technical debt — insecure code, unpatched vulnerabilities, outdated software, incomplete documentation — runs into what the Ministry describes as billions of dollars. The systems hold some of the most sensitive data a government manages: tax records, government procurement data, social services case files.

This is not a problem unique to Alberta. It is the situation inside most provincial and state governments, and inside many large regulated enterprises. The code is old. The security posture is unverified. The resources to fix it the traditional way simply do not exist.

Alberta decided to try a different approach.


The Architecture: 50 Agents Working in Parallel

In 2025, Alberta's Ministry stood up an internal team with a mandate to make its systems more secure and easier to maintain. The team used Claude Code — Anthropic's agentic coding environment — running on both Claude Opus and Sonnet models.

The scanning architecture was a two-stage pipeline designed to combine precision with coverage:

Stage 1 — Rules Engine Scan: Each repository was first processed by a rules engine that flagged known vulnerability patterns. This stage is fast and deterministic, optimized for identifying the large category of issues that match documented signatures.

Stage 2 — Claude Code Review: Claude then reviewed every flag the rules engine raised, citing the exact file and line number for each finding so that human engineers could verify the results. Critically, Claude also identified vulnerabilities the rules engine missed entirely — issues that do not match known patterns and that traditional automated tools cannot detect.

Roughly 50 agents worked autonomously and in parallel across the scan. The combination of agents running simultaneously against different repositories is what compressed 6.5 years of sequential human work into a single 20-hour run.

The scan covered every repository Alberta owns. Not a sample. Not a prioritized subset. Every one.


What the Scan Found — and What Traditional Tools Missed

The result of the scan was a comprehensive map of vulnerabilities across Alberta's entire digital estate. Some of what Claude found would have been detected by conventional tools. Much of it would not have been.

This is the part that matters for technical leaders evaluating AI security tooling. Traditional automated scanners are strong on pattern-matching — they excel at finding known CVEs, deprecated dependencies, and common misconfigurations. They are weak on context. They cannot read a function, understand what it is supposed to do, and identify that the logic produces a security gap under specific conditions.

Claude Code operates differently. Because it reads and reasons about code, it can identify vulnerabilities that emerge from logic, not just patterns. Issues embedded in 25-year-old hand-coded systems. Business logic flaws that were never a CVE. Integration points where two systems interact in a way that creates exposure neither system would show in isolation.

For organizations with large legacy code bases, this distinction is the entire value proposition.


From Scan to Fix: The Remediation Loop

Finding vulnerabilities is one problem. Fixing them at scale is another. Alberta did not stop at detection.

Where the scan identified a fixable vulnerability, Claude Code generated the patch, wrote tests to confirm the fix was safe, and built it — all before human review. In cases where a system lacked adequate automated tests, Claude wrote the tests first, then the fix. Engineers reviewed and approved every change before it shipped. The AI handled the generation; humans held the final gate.

This is the operational pattern that separates a useful security tool from a production-ready security system. The humans stay in the loop at the decision point, not buried in the generation work.

For complex legacy systems — the kind where the code is so old or so poorly documented that patching in place is inefficient — Claude took a more aggressive approach. It rebuilt the system in a modern language. One case study from this effort: a subsidy program portal originally hand-coded in Java roughly 25 years ago. It took five months to build the first time. Claude rebuilt it in four to five days, including the migration to a modern, maintainable codebase.

For a CFO or COO evaluating legacy modernization costs, that ratio — five months to four days — is the number to take into your next budget conversation.


Continuous Security, Not One-Time Scanning

The initial scan was a one-time exercise to establish the current security posture. What Alberta built next is more durable: a set of specialized review agents that run throughout the development process, checking every application against roughly 95 security controls on each pass.

The architecture uses two distinct agent types that security practitioners will recognize from traditional red team/blue team methodology:

Red Team Agent: Probes applications from the outside, modeling how an attacker would approach them. Maps how a vulnerability could be exploited, from entry point through potential impact. This is adversarial security testing, automated and running on every application, on every deployment.

Blue Team Agent: Assesses each application's defenses against an international security standard. Produces a remediation plan that points to the exact files that need to be changed. This is the defensive posture assessment, generating specific guidance rather than general findings.

Additional agents check code quality and the clarity of public-facing content. The entire suite runs on top of Anthropic's Claude Agent SDK, which provides the infrastructure for managing multiple concurrent agents with robust orchestration.

The result is that Alberta now has continuous security review embedded in its development process. Not periodic audits. Not annual penetration tests. Security agents running on every deployment, every time.


The Business Case: From 185 Legacy Applications to 16

Security scanning was Phase 1. Alberta has already defined Phase 2.

One ministry alone has 185 legacy applications currently running in production. These systems are expensive to maintain, difficult to update, and collectively represent the kind of sprawl that consumes a disproportionate share of IT budget without delivering proportionate value. The Government of Alberta plans to use Claude Code to analyze these systems — understand what each one does, how they interact, and what can be consolidated — and then consolidate them into 16 reusable applications built on modern languages and conventions.

The math on this is straightforward. Fewer applications means fewer attack surfaces. Modern languages mean faster developer iteration and lower maintenance cost. Consolidation means the same functionality with a fraction of the operational overhead.

This is not a technology project. It is a cost reduction and risk reduction strategy, expressed as a technology initiative. The distinction matters when you are presenting it to a board.


What This Means for Enterprise Leaders

The Alberta case study is directly applicable to any organization with a large legacy code base and unresolved security technical debt — which describes most regulated enterprises, financial institutions, healthcare systems, and manufacturing organizations operating at scale.

A few things stand out for leaders evaluating similar approaches:

The parallel agent model is the unlock. The 6.5 years to 20 hours compression did not come from a faster scanner. It came from running 50 agents simultaneously across 3,400 repositories. Sequential scanning, even AI-powered, would not produce this result. The architecture matters.

The two-stage pipeline (rules + reasoning) outperforms either alone. Rules engines are fast and cheap for known patterns. Reasoning models find what rules engines miss. Combining them in a pipeline gives you both coverage and depth at a cost that neither provides alone.

Humans stay at the approval gate, not the generation step. Alberta's engineers did not review every line the AI wrote. They approved or rejected AI-generated patches. This is the right division of labor: humans focus on judgment, AI handles generation. Organizations that try to have humans write and review every line of a fix will not capture the efficiency gain.

The red team/blue team agent pattern is replicable. Alberta published technical white papers documenting its architecture at thevelocitywhitepapers.com. The approach is designed to be adopted by other governments and large organizations. This is not a custom build that requires years of proprietary tooling — it is a documented pattern built on commercially available infrastructure.

The ROI is measurable and large. A 25-year-old portal rebuilt in four to five days. A 185-application legacy portfolio on track for consolidation to 16. A 6.5-year security backlog addressed in 20 hours. These are not soft efficiency gains. They are hard numbers that connect directly to budget lines.


The Workforce and Training Dimension

Technical debt is not only a systems problem. It is a skills problem. Many of the legacy systems Alberta is modernizing predate the developers now responsible for maintaining them. The institutional knowledge about what the code does and why is incomplete or nonexistent.

Alberta addressed this through its AI Academy, which has trained thousands of government workers and more than 10,000 members of the public in AI fundamentals — from effective prompting through enterprise application delivery. The goal is to extend the Ministry's approach beyond a single specialized team to every ministry that needs it.

For enterprise leaders, this is the organizational scaling question: how do you move from a center of excellence running AI security to a capability embedded across the organization? Alberta's answer is training at scale, combined with reusable agent tooling that does not require deep AI expertise to operate.


The Broader Implication: Government Is Setting the Blueprint

Alberta's decision to publish its technical white papers and host an industry day in Edmonton in July is significant. It means the approach is being treated as public infrastructure, not competitive advantage. Other governments are being invited to replicate it.

For enterprise technology leaders, this matters because government deployments typically face the most demanding requirements for security, auditability, and governance. If an architecture can pass those requirements at scale, it is almost certainly suitable for regulated enterprise deployment.

The blueprint exists. The white papers are public. The architecture is documented. The remaining question is whether your organization is going to build this capability now or spend the next several years discovering it was possible.


The Bottom Line

Alberta's Ministry of Technology and Innovation scanned 466 million lines of code, across 1,280 applications and 3,400 repositories, using 50 parallel AI agents running on Claude Opus and Sonnet models. The scan took 20 hours. The equivalent manual effort was estimated at 6.5 years.

It found vulnerabilities that traditional automated tools missed. It generated fixes with tests. It rebuilt a 25-year-old Java portal in four to five days. It embedded continuous red team/blue team security review into the development process, checking every application against 95 security controls on every deployment.

And it published the blueprint so other governments and organizations can do the same.

The question is not whether AI can handle enterprise-scale security work at this level. Alberta answered that. The question is how long your organization is going to wait before using it.


Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

How AI Replaced 6.5 Years of Security Work in 20 Hours

Photo by Tima Miroshnichenko on Pexels

Here is a number that will reframe how you think about AI in your organization: 6.5 years of security work, completed in 20 hours.

That is not a typo or a marketing claim. It is what Alberta's Ministry of Technology and Innovation documented when it deployed 50 parallel AI agents to scan 466 million lines of government code — covering every application and repository the Ministry owns. The scan finished in roughly 20 hours. A traditional security review of the same scope, done manually, would have taken an estimated 6.5 years.

This is the case study that every CIO, CISO, and technology leader in government or regulated enterprise should be reading right now.


The Scale of the Problem Alberta Was Solving

Alberta's Ministry of Technology and Innovation is responsible for the systems of all 27 provincial ministries — everything from wildfire response to social services to tax administration. That scope translates to approximately 1,280 applications and 3,400 code repositories. Most of these systems have never undergone a systematic security review.

The accumulated technical debt — insecure code, unpatched vulnerabilities, outdated software, incomplete documentation — runs into what the Ministry describes as billions of dollars. The systems hold some of the most sensitive data a government manages: tax records, government procurement data, social services case files.

This is not a problem unique to Alberta. It is the situation inside most provincial and state governments, and inside many large regulated enterprises. The code is old. The security posture is unverified. The resources to fix it the traditional way simply do not exist.

Alberta decided to try a different approach.


The Architecture: 50 Agents Working in Parallel

In 2025, Alberta's Ministry stood up an internal team with a mandate to make its systems more secure and easier to maintain. The team used Claude Code — Anthropic's agentic coding environment — running on both Claude Opus and Sonnet models.

The scanning architecture was a two-stage pipeline designed to combine precision with coverage:

Stage 1 — Rules Engine Scan: Each repository was first processed by a rules engine that flagged known vulnerability patterns. This stage is fast and deterministic, optimized for identifying the large category of issues that match documented signatures.

Stage 2 — Claude Code Review: Claude then reviewed every flag the rules engine raised, citing the exact file and line number for each finding so that human engineers could verify the results. Critically, Claude also identified vulnerabilities the rules engine missed entirely — issues that do not match known patterns and that traditional automated tools cannot detect.

Roughly 50 agents worked autonomously and in parallel across the scan. The combination of agents running simultaneously against different repositories is what compressed 6.5 years of sequential human work into a single 20-hour run.

The scan covered every repository Alberta owns. Not a sample. Not a prioritized subset. Every one.


What the Scan Found — and What Traditional Tools Missed

The result of the scan was a comprehensive map of vulnerabilities across Alberta's entire digital estate. Some of what Claude found would have been detected by conventional tools. Much of it would not have been.

This is the part that matters for technical leaders evaluating AI security tooling. Traditional automated scanners are strong on pattern-matching — they excel at finding known CVEs, deprecated dependencies, and common misconfigurations. They are weak on context. They cannot read a function, understand what it is supposed to do, and identify that the logic produces a security gap under specific conditions.

Claude Code operates differently. Because it reads and reasons about code, it can identify vulnerabilities that emerge from logic, not just patterns. Issues embedded in 25-year-old hand-coded systems. Business logic flaws that were never a CVE. Integration points where two systems interact in a way that creates exposure neither system would show in isolation.

For organizations with large legacy code bases, this distinction is the entire value proposition.


From Scan to Fix: The Remediation Loop

Finding vulnerabilities is one problem. Fixing them at scale is another. Alberta did not stop at detection.

Where the scan identified a fixable vulnerability, Claude Code generated the patch, wrote tests to confirm the fix was safe, and built it — all before human review. In cases where a system lacked adequate automated tests, Claude wrote the tests first, then the fix. Engineers reviewed and approved every change before it shipped. The AI handled the generation; humans held the final gate.

This is the operational pattern that separates a useful security tool from a production-ready security system. The humans stay in the loop at the decision point, not buried in the generation work.

For complex legacy systems — the kind where the code is so old or so poorly documented that patching in place is inefficient — Claude took a more aggressive approach. It rebuilt the system in a modern language. One case study from this effort: a subsidy program portal originally hand-coded in Java roughly 25 years ago. It took five months to build the first time. Claude rebuilt it in four to five days, including the migration to a modern, maintainable codebase.

For a CFO or COO evaluating legacy modernization costs, that ratio — five months to four days — is the number to take into your next budget conversation.


Continuous Security, Not One-Time Scanning

The initial scan was a one-time exercise to establish the current security posture. What Alberta built next is more durable: a set of specialized review agents that run throughout the development process, checking every application against roughly 95 security controls on each pass.

The architecture uses two distinct agent types that security practitioners will recognize from traditional red team/blue team methodology:

Red Team Agent: Probes applications from the outside, modeling how an attacker would approach them. Maps how a vulnerability could be exploited, from entry point through potential impact. This is adversarial security testing, automated and running on every application, on every deployment.

Blue Team Agent: Assesses each application's defenses against an international security standard. Produces a remediation plan that points to the exact files that need to be changed. This is the defensive posture assessment, generating specific guidance rather than general findings.

Additional agents check code quality and the clarity of public-facing content. The entire suite runs on top of Anthropic's Claude Agent SDK, which provides the infrastructure for managing multiple concurrent agents with robust orchestration.

The result is that Alberta now has continuous security review embedded in its development process. Not periodic audits. Not annual penetration tests. Security agents running on every deployment, every time.


The Business Case: From 185 Legacy Applications to 16

Security scanning was Phase 1. Alberta has already defined Phase 2.

One ministry alone has 185 legacy applications currently running in production. These systems are expensive to maintain, difficult to update, and collectively represent the kind of sprawl that consumes a disproportionate share of IT budget without delivering proportionate value. The Government of Alberta plans to use Claude Code to analyze these systems — understand what each one does, how they interact, and what can be consolidated — and then consolidate them into 16 reusable applications built on modern languages and conventions.

The math on this is straightforward. Fewer applications means fewer attack surfaces. Modern languages mean faster developer iteration and lower maintenance cost. Consolidation means the same functionality with a fraction of the operational overhead.

This is not a technology project. It is a cost reduction and risk reduction strategy, expressed as a technology initiative. The distinction matters when you are presenting it to a board.


What This Means for Enterprise Leaders

The Alberta case study is directly applicable to any organization with a large legacy code base and unresolved security technical debt — which describes most regulated enterprises, financial institutions, healthcare systems, and manufacturing organizations operating at scale.

A few things stand out for leaders evaluating similar approaches:

The parallel agent model is the unlock. The 6.5 years to 20 hours compression did not come from a faster scanner. It came from running 50 agents simultaneously across 3,400 repositories. Sequential scanning, even AI-powered, would not produce this result. The architecture matters.

The two-stage pipeline (rules + reasoning) outperforms either alone. Rules engines are fast and cheap for known patterns. Reasoning models find what rules engines miss. Combining them in a pipeline gives you both coverage and depth at a cost that neither provides alone.

Humans stay at the approval gate, not the generation step. Alberta's engineers did not review every line the AI wrote. They approved or rejected AI-generated patches. This is the right division of labor: humans focus on judgment, AI handles generation. Organizations that try to have humans write and review every line of a fix will not capture the efficiency gain.

The red team/blue team agent pattern is replicable. Alberta published technical white papers documenting its architecture at thevelocitywhitepapers.com. The approach is designed to be adopted by other governments and large organizations. This is not a custom build that requires years of proprietary tooling — it is a documented pattern built on commercially available infrastructure.

The ROI is measurable and large. A 25-year-old portal rebuilt in four to five days. A 185-application legacy portfolio on track for consolidation to 16. A 6.5-year security backlog addressed in 20 hours. These are not soft efficiency gains. They are hard numbers that connect directly to budget lines.


The Workforce and Training Dimension

Technical debt is not only a systems problem. It is a skills problem. Many of the legacy systems Alberta is modernizing predate the developers now responsible for maintaining them. The institutional knowledge about what the code does and why is incomplete or nonexistent.

Alberta addressed this through its AI Academy, which has trained thousands of government workers and more than 10,000 members of the public in AI fundamentals — from effective prompting through enterprise application delivery. The goal is to extend the Ministry's approach beyond a single specialized team to every ministry that needs it.

For enterprise leaders, this is the organizational scaling question: how do you move from a center of excellence running AI security to a capability embedded across the organization? Alberta's answer is training at scale, combined with reusable agent tooling that does not require deep AI expertise to operate.


The Broader Implication: Government Is Setting the Blueprint

Alberta's decision to publish its technical white papers and host an industry day in Edmonton in July is significant. It means the approach is being treated as public infrastructure, not competitive advantage. Other governments are being invited to replicate it.

For enterprise technology leaders, this matters because government deployments typically face the most demanding requirements for security, auditability, and governance. If an architecture can pass those requirements at scale, it is almost certainly suitable for regulated enterprise deployment.

The blueprint exists. The white papers are public. The architecture is documented. The remaining question is whether your organization is going to build this capability now or spend the next several years discovering it was possible.


The Bottom Line

Alberta's Ministry of Technology and Innovation scanned 466 million lines of code, across 1,280 applications and 3,400 repositories, using 50 parallel AI agents running on Claude Opus and Sonnet models. The scan took 20 hours. The equivalent manual effort was estimated at 6.5 years.

It found vulnerabilities that traditional automated tools missed. It generated fixes with tests. It rebuilt a 25-year-old Java portal in four to five days. It embedded continuous red team/blue team security review into the development process, checking every application against 95 security controls on every deployment.

And it published the blueprint so other governments and organizations can do the same.

The question is not whether AI can handle enterprise-scale security work at this level. Alberta answered that. The question is how long your organization is going to wait before using it.


Continue Reading

Share:
THE DAILY BRIEF
CybersecurityEnterprise AIAI AgentsGovernment AICode Review
How AI Replaced 6.5 Years of Security Work in 20 Hours

Alberta's Ministry scanned 466M code lines in 20 hours with Claude AI — exposing gaps traditional tools missed. The government AI security blueprint.

By Rajesh Beri·July 7, 2026·10 min read

Here is a number that will reframe how you think about AI in your organization: 6.5 years of security work, completed in 20 hours.

That is not a typo or a marketing claim. It is what Alberta's Ministry of Technology and Innovation documented when it deployed 50 parallel AI agents to scan 466 million lines of government code — covering every application and repository the Ministry owns. The scan finished in roughly 20 hours. A traditional security review of the same scope, done manually, would have taken an estimated 6.5 years.

This is the case study that every CIO, CISO, and technology leader in government or regulated enterprise should be reading right now.


The Scale of the Problem Alberta Was Solving

Alberta's Ministry of Technology and Innovation is responsible for the systems of all 27 provincial ministries — everything from wildfire response to social services to tax administration. That scope translates to approximately 1,280 applications and 3,400 code repositories. Most of these systems have never undergone a systematic security review.

The accumulated technical debt — insecure code, unpatched vulnerabilities, outdated software, incomplete documentation — runs into what the Ministry describes as billions of dollars. The systems hold some of the most sensitive data a government manages: tax records, government procurement data, social services case files.

This is not a problem unique to Alberta. It is the situation inside most provincial and state governments, and inside many large regulated enterprises. The code is old. The security posture is unverified. The resources to fix it the traditional way simply do not exist.

Alberta decided to try a different approach.


The Architecture: 50 Agents Working in Parallel

In 2025, Alberta's Ministry stood up an internal team with a mandate to make its systems more secure and easier to maintain. The team used Claude Code — Anthropic's agentic coding environment — running on both Claude Opus and Sonnet models.

The scanning architecture was a two-stage pipeline designed to combine precision with coverage:

Stage 1 — Rules Engine Scan: Each repository was first processed by a rules engine that flagged known vulnerability patterns. This stage is fast and deterministic, optimized for identifying the large category of issues that match documented signatures.

Stage 2 — Claude Code Review: Claude then reviewed every flag the rules engine raised, citing the exact file and line number for each finding so that human engineers could verify the results. Critically, Claude also identified vulnerabilities the rules engine missed entirely — issues that do not match known patterns and that traditional automated tools cannot detect.

Roughly 50 agents worked autonomously and in parallel across the scan. The combination of agents running simultaneously against different repositories is what compressed 6.5 years of sequential human work into a single 20-hour run.

The scan covered every repository Alberta owns. Not a sample. Not a prioritized subset. Every one.


What the Scan Found — and What Traditional Tools Missed

The result of the scan was a comprehensive map of vulnerabilities across Alberta's entire digital estate. Some of what Claude found would have been detected by conventional tools. Much of it would not have been.

This is the part that matters for technical leaders evaluating AI security tooling. Traditional automated scanners are strong on pattern-matching — they excel at finding known CVEs, deprecated dependencies, and common misconfigurations. They are weak on context. They cannot read a function, understand what it is supposed to do, and identify that the logic produces a security gap under specific conditions.

Claude Code operates differently. Because it reads and reasons about code, it can identify vulnerabilities that emerge from logic, not just patterns. Issues embedded in 25-year-old hand-coded systems. Business logic flaws that were never a CVE. Integration points where two systems interact in a way that creates exposure neither system would show in isolation.

For organizations with large legacy code bases, this distinction is the entire value proposition.


From Scan to Fix: The Remediation Loop

Finding vulnerabilities is one problem. Fixing them at scale is another. Alberta did not stop at detection.

Where the scan identified a fixable vulnerability, Claude Code generated the patch, wrote tests to confirm the fix was safe, and built it — all before human review. In cases where a system lacked adequate automated tests, Claude wrote the tests first, then the fix. Engineers reviewed and approved every change before it shipped. The AI handled the generation; humans held the final gate.

This is the operational pattern that separates a useful security tool from a production-ready security system. The humans stay in the loop at the decision point, not buried in the generation work.

For complex legacy systems — the kind where the code is so old or so poorly documented that patching in place is inefficient — Claude took a more aggressive approach. It rebuilt the system in a modern language. One case study from this effort: a subsidy program portal originally hand-coded in Java roughly 25 years ago. It took five months to build the first time. Claude rebuilt it in four to five days, including the migration to a modern, maintainable codebase.

For a CFO or COO evaluating legacy modernization costs, that ratio — five months to four days — is the number to take into your next budget conversation.


Continuous Security, Not One-Time Scanning

The initial scan was a one-time exercise to establish the current security posture. What Alberta built next is more durable: a set of specialized review agents that run throughout the development process, checking every application against roughly 95 security controls on each pass.

The architecture uses two distinct agent types that security practitioners will recognize from traditional red team/blue team methodology:

Red Team Agent: Probes applications from the outside, modeling how an attacker would approach them. Maps how a vulnerability could be exploited, from entry point through potential impact. This is adversarial security testing, automated and running on every application, on every deployment.

Blue Team Agent: Assesses each application's defenses against an international security standard. Produces a remediation plan that points to the exact files that need to be changed. This is the defensive posture assessment, generating specific guidance rather than general findings.

Additional agents check code quality and the clarity of public-facing content. The entire suite runs on top of Anthropic's Claude Agent SDK, which provides the infrastructure for managing multiple concurrent agents with robust orchestration.

The result is that Alberta now has continuous security review embedded in its development process. Not periodic audits. Not annual penetration tests. Security agents running on every deployment, every time.


The Business Case: From 185 Legacy Applications to 16

Security scanning was Phase 1. Alberta has already defined Phase 2.

One ministry alone has 185 legacy applications currently running in production. These systems are expensive to maintain, difficult to update, and collectively represent the kind of sprawl that consumes a disproportionate share of IT budget without delivering proportionate value. The Government of Alberta plans to use Claude Code to analyze these systems — understand what each one does, how they interact, and what can be consolidated — and then consolidate them into 16 reusable applications built on modern languages and conventions.

The math on this is straightforward. Fewer applications means fewer attack surfaces. Modern languages mean faster developer iteration and lower maintenance cost. Consolidation means the same functionality with a fraction of the operational overhead.

This is not a technology project. It is a cost reduction and risk reduction strategy, expressed as a technology initiative. The distinction matters when you are presenting it to a board.


What This Means for Enterprise Leaders

The Alberta case study is directly applicable to any organization with a large legacy code base and unresolved security technical debt — which describes most regulated enterprises, financial institutions, healthcare systems, and manufacturing organizations operating at scale.

A few things stand out for leaders evaluating similar approaches:

The parallel agent model is the unlock. The 6.5 years to 20 hours compression did not come from a faster scanner. It came from running 50 agents simultaneously across 3,400 repositories. Sequential scanning, even AI-powered, would not produce this result. The architecture matters.

The two-stage pipeline (rules + reasoning) outperforms either alone. Rules engines are fast and cheap for known patterns. Reasoning models find what rules engines miss. Combining them in a pipeline gives you both coverage and depth at a cost that neither provides alone.

Humans stay at the approval gate, not the generation step. Alberta's engineers did not review every line the AI wrote. They approved or rejected AI-generated patches. This is the right division of labor: humans focus on judgment, AI handles generation. Organizations that try to have humans write and review every line of a fix will not capture the efficiency gain.

The red team/blue team agent pattern is replicable. Alberta published technical white papers documenting its architecture at thevelocitywhitepapers.com. The approach is designed to be adopted by other governments and large organizations. This is not a custom build that requires years of proprietary tooling — it is a documented pattern built on commercially available infrastructure.

The ROI is measurable and large. A 25-year-old portal rebuilt in four to five days. A 185-application legacy portfolio on track for consolidation to 16. A 6.5-year security backlog addressed in 20 hours. These are not soft efficiency gains. They are hard numbers that connect directly to budget lines.


The Workforce and Training Dimension

Technical debt is not only a systems problem. It is a skills problem. Many of the legacy systems Alberta is modernizing predate the developers now responsible for maintaining them. The institutional knowledge about what the code does and why is incomplete or nonexistent.

Alberta addressed this through its AI Academy, which has trained thousands of government workers and more than 10,000 members of the public in AI fundamentals — from effective prompting through enterprise application delivery. The goal is to extend the Ministry's approach beyond a single specialized team to every ministry that needs it.

For enterprise leaders, this is the organizational scaling question: how do you move from a center of excellence running AI security to a capability embedded across the organization? Alberta's answer is training at scale, combined with reusable agent tooling that does not require deep AI expertise to operate.


The Broader Implication: Government Is Setting the Blueprint

Alberta's decision to publish its technical white papers and host an industry day in Edmonton in July is significant. It means the approach is being treated as public infrastructure, not competitive advantage. Other governments are being invited to replicate it.

For enterprise technology leaders, this matters because government deployments typically face the most demanding requirements for security, auditability, and governance. If an architecture can pass those requirements at scale, it is almost certainly suitable for regulated enterprise deployment.

The blueprint exists. The white papers are public. The architecture is documented. The remaining question is whether your organization is going to build this capability now or spend the next several years discovering it was possible.


The Bottom Line

Alberta's Ministry of Technology and Innovation scanned 466 million lines of code, across 1,280 applications and 3,400 repositories, using 50 parallel AI agents running on Claude Opus and Sonnet models. The scan took 20 hours. The equivalent manual effort was estimated at 6.5 years.

It found vulnerabilities that traditional automated tools missed. It generated fixes with tests. It rebuilt a 25-year-old Java portal in four to five days. It embedded continuous red team/blue team security review into the development process, checking every application against 95 security controls on every deployment.

And it published the blueprint so other governments and organizations can do the same.

The question is not whether AI can handle enterprise-scale security work at this level. Alberta answered that. The question is how long your organization is going to wait before using it.


Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

Frequently Asked Questions

How did Alberta scan 466 million lines of code in 20 hours?

Alberta's Ministry of Technology and Innovation ran roughly 50 Claude Code agents autonomously and in parallel across its 3,400 repositories, using a two-stage pipeline: a fast rules engine flagged known vulnerability patterns, then Claude reviewed each flag (citing exact file and line) and surfaced logic-based flaws the rules engine missed. Running the agents simultaneously rather than sequentially compressed an estimated 6.5 years of manual review into a single 20-hour run.

What did the Alberta scan find that traditional security tools miss?

Conventional scanners are strong on pattern-matching — known CVEs, deprecated dependencies, common misconfigurations — but weak on context. Because Claude Code reads and reasons about code, it identified vulnerabilities that emerge from logic rather than signatures: business-logic flaws that were never a CVE, issues buried in 25-year-old hand-coded systems, and exposures created where two systems interact that neither would show in isolation.

Can enterprises replicate Alberta's AI security architecture?

Yes. Alberta published technical white papers at thevelocitywhitepapers.com and is hosting an industry day in Edmonton in July, treating the approach as public infrastructure rather than competitive advantage. The pattern — a rules-plus-reasoning pipeline, red team/blue team review agents on Anthropic's Claude Agent SDK, and humans at the approval gate — is built on commercially available tooling, so any organization with a large legacy codebase can adopt it.

Newsletter

Stay Ahead of the Curve

Weekly enterprise AI insights for technology leaders. No spam, no vendor pitches—unsubscribe anytime.

Subscribe