Anthropic's security team cut false alerts from 33% to 7% using Claude
Jackie Bow, a technical lead on Anthropic's Detection Platform Engineering team, has written up CLUE (Claude Looks Up Evidence), an internal security tool her team built, and the numbers she shares are unusually concrete. CLUE replaces a stack of separate security tools with one interface you query in plain language.
The results are the reason to read it. After CLUE took over alert triage, false positives fell from about 33% to 7%. In one month it ran more than 12,000 automated queries and 27,000 tool calls, work the team estimates would have taken roughly 1,870 hours by hand, close to 234 person-days. A typical investigation now finishes in three to four minutes. The proof of concept took a day; the full build took a week.
The design idea underneath is simple. Instead of judging each alert on its own, Claude reads the context around it: Slack threads, internal docs, code repositories, the data warehouse. That lets it separate a real incident from maintenance that was already announced. The Investigate component lets analysts question security logs in plain language instead of SQL, while Claude runs an agentic loop with parallel sub-agents. The full architecture is on Anthropic's blog.
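To make the "read the context around the alert" idea concrete, here is a small Python triage loop written for this article. It is not Anthropic's code and not part of CLUE; the Slack messages, change records, commits, hostnames, ticket id and the two-hour correlation window are all constructed assumptions. Each context source is queried in parallel (a stand-in for sub-agents), and an alert is closed as announced maintenance only when an approved change record covers it and at least one other source corroborates it; anything else escalates to a human.

```python
"""Context-enriched alert triage: a toy model of the enrichment step described above.

Constructed example, not CLUE's implementation. All data below is made up.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    host: str
    rule: str
    ts: datetime


@dataclass
class Verdict:
    alert_id: str
    decision: str                 # "close:announced_change" or "escalate"
    corroborated_by: list = field(default_factory=list)


# Constructed stand-ins for the context sources (Slack, change records, repo commits).
SLACK = [
    {"ts": datetime(2024, 5, 2, 9, 5), "channel": "#infra",
     "text": "Heads up: rotating SSH host keys on db-02 today 09:00-11:00"},
    {"ts": datetime(2024, 5, 2, 14, 0), "channel": "#random", "text": "lunch?"},
]
CHANGES = [
    {"start": datetime(2024, 5, 2, 9, 0), "end": datetime(2024, 5, 2, 11, 0),
     "hosts": ["db-02"], "ticket": "CHG-0000 (placeholder)", "summary": "SSH host key rotation"},
]
COMMITS = [
    {"ts": datetime(2024, 5, 2, 8, 50), "repo": "infra",
     "msg": "ansible: rotate ssh host keys for db-02"},
]

WINDOW = timedelta(hours=2)  # assumed: how far around the alert we look for related chatter


def search_slack(alert: Alert) -> list:
    # Messages that name the host within the window on either side of the alert.
    return [m for m in SLACK if alert.host in m["text"] and abs(m["ts"] - alert.ts) <= WINDOW]


def search_changes(alert: Alert) -> list:
    # Approved change records whose window actually contains the alert time.
    return [c for c in CHANGES if alert.host in c["hosts"] and c["start"] <= alert.ts <= c["end"]]


def search_commits(alert: Alert) -> list:
    # Recent commits that mention the host.
    return [c for c in COMMITS if alert.host in c["msg"] and abs(c["ts"] - alert.ts) <= WINDOW]


SOURCES = {"slack": search_slack, "changes": search_changes, "commits": search_commits}


def gather_evidence(alert: Alert) -> dict:
    """Query every context source in parallel, like independent sub-agents."""
    with ThreadPoolExecutor(max_workers=len(SOURCES)) as pool:
        futures = {name: pool.submit(fn, alert) for name, fn in SOURCES.items()}
        return {name: fut.result() for name, fut in futures.items()}


def triage(alert: Alert) -> Verdict:
    """Close only on an approved change record plus at least one corroborating source."""
    evidence = gather_evidence(alert)
    corroborated = [name for name, hits in evidence.items() if hits]
    if evidence["changes"] and len(corroborated) >= 2:
        return Verdict(alert.id, "close:announced_change", corroborated)
    return Verdict(alert.id, "escalate", corroborated)


def triage_batch(alerts: list) -> dict:
    """Return a count of decisions, the number a team would track as its false-positive share."""
    counts = {"close:announced_change": 0, "escalate": 0}
    for a in alerts:
        counts[triage(a).decision] += 1
    return counts


if __name__ == "__main__":
    demo = [
        Alert("a1", "db-02", "ssh_host_key_changed", datetime(2024, 5, 2, 9, 30)),
        Alert("a2", "web-01", "ssh_host_key_changed", datetime(2024, 5, 2, 9, 30)),
        Alert("a3", "db-02", "ssh_host_key_changed", datetime(2024, 5, 2, 22, 0)),
    ]
    for a in demo:
        print(a.id, triage(a))
    print(triage_batch(demo))
```

The important design choice is the closing rule: a change record alone is not enough, because tickets are often opened broadly or left open past their window. Requiring a second, independent signal (someone announcing the work, or the commit that performed it) is what lets the loop suppress the known-benign case without silently closing the same alert on a night when no such work was scheduled, which is the third alert in the demo.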
Why it matters
If you run a security team, the takeaway is not "AI triages alerts" but the specific lever behind the numbers. Giving the model read access to your internal context, not just the alert text, is what moved false positives from 33% to 7%. That is a build choice you can copy.