• 2 min read
Capital One open-sources VulnHunter for code security
Capital One has released VulnHunter, an open-source code security tool that uses agentic reasoning to find exploitable flaws and suggest fixes.

Image: Hacker News
Capital One has open-sourced VulnHunter, a code security tool built to analyze source code from an attacker’s perspective, identify potentially exploitable defects, and propose targeted remediations.
The company says the tool was built in response to a faster-moving threat environment, where advanced models are lowering the cost and skill required to find and exploit software vulnerabilities. Rather than acting as a traditional passive scanner, VulnHunter uses an agentic reasoning workflow to trace likely attack paths through code and test whether a flaw is actually exploitable.
Capital One says a major design goal was reducing friction for developers. Instead of overwhelming teams with broad alerts, the tool is meant to shift effort away from false-positive triage and toward evidence-backed code repair.
How VulnHunter works
Capital One highlights three core capabilities:
- A falsification engine that tries to disprove each finding by searching for broken assumptions, logical gaps, or conditions that would block an attack
- Attacker-first forward analysis that starts from reachable entry points such as APIs, network messages, or file uploads and reasons forward through the application
- Evidence-backed remediation modeling that maps the surviving exploit path and generates focused code changes for review
According to the company, only findings that survive that internal challenge are shown to developers.

Recommended reading
TP-Link Kasa camera exposed home GPS for years
Availability and requirements
Before the public release, Capital One says it used VulnHunter internally across thousands of repositories spanning tens of business areas, where it identified and helped remediate vulnerabilities.
The project is available now on GitHub at github.com/capitalone/vulnhunter under the Apache License 2.0. To run it, users need access to Claude Opus 4.8 and a working Claude Code environment. The repository includes a Quickstart guide, architecture docs, annotated example workflows, documented limitations, and an active development roadmap.
Capital One says Claude Opus 4.8 was used for model optimization and Claude Code skill was used for the initial implementation, though it adds that the framework could potentially be adapted to other coding harnesses and foundation models.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Hacker News


