Government of Alberta uses Claude to find and fix cybersecurity vulnerabilities across government systems
The Government of Alberta has deployed Claude AI models to systematically scan and remediate cybersecurity vulnerabilities across its government systems since 2025. Using Claude Code with Opus and Sonnet models, a team scanned 466 million lines of code in 20 hours-a task estimated to take 6.5 years with traditional methods-and fixed security gaps while building safer systems. The initiative demonstrates how government agencies can leverage AI at scale to address accumulated technical debt and protect sensitive citizen information.
Key Takeaways
- Alberta's Ministry of Technology and Innovation scanned 466 million lines of code across 1,280 applications and 3,400 repositories in just 20 hours using Claude, compared to an estimated 6.5 years with traditional approaches.
- Claude Code identified security vulnerabilities that traditional automated tools had missed by using a two-stage process: scanning with a rules engine followed by human-verified pinpointing of exact file and line locations.
- The system can generate, test, and deploy fixes autonomously, including writing automated tests where they don't exist and rebuilding outdated code in modern languages-reducing projects from months to days.
- The Ministry maintains systems for all 27 provincial ministries holding highly sensitive data including tax records, government procurement information, and social services case files.
- Around 50 AI agents worked in parallel to conduct the security review, demonstrating the scalability of using AI for large-scale government cybersecurity operations.
- Alberta has published technical white papers documenting its approach so other government agencies can learn from and implement similar security modernization efforts.
Stats & Key Facts
- #466 million lines of code scanned in 20 hours
- #20 hours required for complete scan versus 6.5 years estimated for traditional review
- #1,280 applications maintained across all 27 provincial ministries
- #3,400 code repositories scanned
- #Approximately 50 AI agents working autonomously in parallel
- #Subsidy portal rebuilt in 5 days that originally took 5 months to build 25 years ago
Alberta's Cybersecurity Challenge and Scale
The Government of Alberta faced an enormous task: securing decades of accumulated code across all its provincial services.
- ›The Ministry of Technology and Innovation maintains systems for all 27 provincial ministries, spanning social services, public safety, wildfire response, and other critical government functions.
- ›The portfolio includes roughly 1,280 applications and 3,400 code repositories, most of which had never undergone systematic security review.
- ›Accumulated technical debt runs into the billions of dollars, including insecure code, unaddressed bugs, and outdated software dependencies.
- ›The systems hold highly sensitive information including tax records, government procurement data, and social services case files that Albertans trust the government to protect.
The Claude-Powered Scanning Approach
Alberta deployed a two-stage scanning methodology using Claude Code to identify vulnerabilities with unprecedented speed and accuracy.
- ›Approximately 50 AI agents worked autonomously and in parallel to scan government systems for security vulnerabilities, infrastructure weaknesses, and deployment process gaps.
- ›The scanning process employed a rules engine in the first stage to flag known vulnerability patterns across all repositories.
- ›A second stage involved Claude reviewing flagged issues and pinpointing the exact file and line number for each finding, enabling developers to verify and understand the vulnerabilities.
- ›Claude identified security issues that traditional automated scanning tools had missed, providing a more comprehensive security assessment than existing software.
The complete security review of 466 million lines of code took approximately 20 hours of processing time. The Alberta team estimates that conducting this same review using traditional approaches would require around 6.5 years of work. This dramatic time reduction demonstrates the scalability advantage of using AI agents working in parallel to review massive codebases simultaneously.
Automated Vulnerability Remediation and Patch Generation
Beyond identification, Claude Code generated and tested fixes for vulnerabilities, significantly accelerating the remediation process.
- ›When vulnerabilities were identified, Claude Code could often generate a fix, test it, and prepare it for deployment without human intervention.
- ›In systems lacking automated tests to verify patch safety, Claude automatically wrote the necessary tests before deploying any changes.
- ›For code that was too outdated or complex to patch efficiently, Claude rebuilt the systems in modern, maintainable programming languages rather than attempting to fix legacy code.
- ›Complex systems could be rebuilt in as little as four to five days, with one example being a subsidy program portal originally hand-coded in Java 25 years ago that took five months to build initially.
Human Oversight and Quality Assurance
Despite the automation, human review remained central to Alberta's security implementation process.
- ›Every patch and code change generated by Claude was reviewed and approved by the Ministry's human engineers before being deployed to production systems.
- ›This partnership approach ensured that AI capabilities enhanced rather than replaced human judgment in security-critical decisions.
- ›Engineers could verify flagged vulnerabilities with specific file and line references, allowing them to understand context and make informed approval decisions.
- ›The process maintained accountability and professional oversight while leveraging AI speed and consistency.
Implementation Timeline and Scope
Alberta's initiative, launched in 2025, represents a systematic and ongoing effort to modernize government cybersecurity infrastructure.
- ›The Ministry of Technology and Innovation established an internal team specifically mandated to make systems more secure and easier to maintain over time.
- ›The initiative addressed all repositories owned by Alberta, providing comprehensive coverage across government systems rather than selective targeting.
- ›The 20-hour scanning operation covered the complete portfolio of 1,280 applications and 3,400 repositories across 27 provincial ministries.
- ›The effort successfully demonstrated that large-scale government cybersecurity modernization could be completed in days or weeks rather than years or decades.
Knowledge Sharing and Government Best Practices
Alberta is actively sharing its experience with other government agencies facing similar cybersecurity challenges.
- ›The Government of Alberta published a collection of technical white papers documenting its methodology and results.
- ›These resources are designed to help other government agencies understand how to implement similar AI-powered security reviews at scale.
- ›Minister Nate Glubish emphasized that responsible government in the AI era involves using technology to accomplish critical security work that would otherwise require years to complete.
- ›The initiative demonstrates a model that balances rapid technological deployment with responsible oversight and citizen trust protection.
Alberta's approach addresses a critical challenge facing all governments: legacy systems that are often old, insecure, and incompletely documented. These systems are essential for delivering government services and benefits, yet they accumulate technical debt that makes them increasingly difficult to secure and maintain. By documenting their experience with Claude, Alberta is providing a roadmap for other public sector organizations to modernize their infrastructure while protecting the sensitive information citizens entrust to government systems.
Impact on Government Cybersecurity and Service Delivery
The Alberta initiative demonstrates significant implications for how governments can approach technology modernization and security in the future.
- ›The dramatic reduction in time required for security review-from 6.5 years to 20 hours-frees government resources to address other critical priorities.
- ›Rebuilding outdated systems in modern languages improves not only security but also maintainability, developer productivity, and long-term operational efficiency.
- ›Comprehensive vulnerability identification reduces risk to the sensitive data systems hold, directly protecting citizen privacy and government operational integrity.
- ›The scalable AI agent approach proves viable for large government portfolios, suggesting potential application across municipal, provincial, and federal systems.
Frequently Asked Questions
How long did it take Alberta to scan 466 million lines of code, and how does that compare to traditional methods?
The scan took approximately 20 hours using Claude Code with about 50 AI agents working in parallel. Alberta estimates that the same review would require around 6.5 years using traditional security scanning approaches, making the AI-powered method roughly 2,800 times faster.
Did humans review the fixes before they were deployed?
Yes, absolutely. Every patch and code change generated by Claude was reviewed and approved by the Ministry's human engineers before deployment to production systems, ensuring accountability and verification of all security changes.
What types of vulnerabilities did Claude find that traditional tools missed?
The article does not specify the types of vulnerabilities that Claude identified beyond traditional tools, but notes that Claude's two-stage process-combining rules-based pattern recognition with detailed code analysis-successfully identified security issues that automated scanning tools had missed.
How much faster can systems be rebuilt using Claude compared to manual development?
One specific example cited was a subsidy program portal originally written in Java that took five months to build initially; Claude rebuilt it in as little as four to five days, a reduction from months to days by leveraging modern languages and automated approaches.
Is Alberta sharing its methodology with other governments?
Yes, Alberta published a collection of technical white papers documenting its approach and experience so that other government agencies can learn from and implement similar AI-powered security reviews and system modernization efforts.
Alberta's initiative demonstrates that AI can significantly accelerate government cybersecurity modernization while maintaining human oversight and responsibility.
Continue Learning
Comments
Sign in to join the conversation