466 million lines of code in 20 hours. That is the number that should stop every founder building in cybersecurity, government IT, or enterprise DevSecOps cold. The Government of Alberta's Ministry of Technology and Innovation deployed Anthropic's Claude Code with Claude Opus and Sonnet models to run a systematic security review across all 27 provincial ministries' codebases, covering roughly 1,280 applications and 3,400 code repositories. The result is one of the largest documented AI-powered code security audits ever conducted by a government, and it changes the baseline for what is possible in vulnerability detection at scale.
Nate Glubish, Alberta's Minister of Technology and Innovation, put it plainly: Albertans trust their government with some of the most sensitive information in their lives, including tax records, social services case files, and procurement data. Yet most of the code behind those systems had never undergone a systematic security review. The Ministry's internal team set out to change that in 2025, using Claude not as a chatbot but as an autonomous security analyst operating across a sprawling legacy IT estate.
For founders, this is not just a government case study. It is a blueprint for how AI can transform the economics and speed of security auditing, and it raises a strategic question: if a provincial government can scan nearly half a billion lines of code in less than a day, what is the new expectation for your own security posture?
How the Scan Worked: 50 AI Agents in Parallel
The scale of Alberta's IT infrastructure is staggering for a province of 4.5 million people. Twenty-seven ministries, each with its own legacy systems, codebases spanning decades, and dependencies on software written in languages that are no longer actively maintained. Traditional security auditing at this scale would require a team of dozens of engineers working for months, and even then they would only sample the most critical systems.
Alberta's approach was radically different. The Ministry deployed around 50 Claude Code agents operating autonomously and in parallel, each one tasked with scanning different segments of the codebase. The agents did not just flag potential vulnerabilities. They traversed each repository, built dependency graphs, identified weaknesses in infrastructure configurations, and then cross-referenced findings against the application's actual behavior.
Where Claude Code identified a vulnerability, it could often generate a fix, test it, and build the patch in the same pass. In cases where a system lacked the automated tests needed to confirm that a patch was safe, Claude wrote the tests first. For code that was too outdated to build with modern toolchains, the AI analyzed the logic and produced modernization recommendations alongside the security fixes.
The speed difference is almost absurd. What would have taken a human team months to sample was completed in a single working day with full coverage. The agents worked around the clock, with no fatigue, no context switching costs, and no need for security clearance processing for individual contractors.
The Continuous Security Model: Red Team and Blue Team Agents
Perhaps more important than the initial scan is what Alberta built afterward. The Ministry's cybersecurity team created a set of specialized Claude review agents that run continuously throughout the development process, embedding security into the software development lifecycle rather than treating it as a periodic audit event.
One agent operates as a red team. It probes each application from the outside, mapping how an attacker might exploit the system and tracing potential attack paths through the codebase. A second agent acts as the blue team, analyzing the same application from the defender's perspective, prioritizing vulnerabilities by real-world exploitability, and generating remediation plans. A third agent monitors the CI/CD pipeline, scanning every pull request for new vulnerabilities before code reaches production.
This continuous model is the real innovation. Most organizations, including most startups, treat security as a gate at the end of the development process: a penetration test before launch, an annual audit, or a compliance checklist. Alberta's approach inverts that by making security review a constant, automated presence in the engineering workflow.
For founders, this is the model to copy. A startup with five engineers and a dozen microservices can deploy a similar pattern with the same tools. The barriers are not technical. They are organizational: the decision to prioritize security as a continuous function rather than a quarterly checkbox.
What This Means for Government IT and the Broader Market
Alberta's story is significant beyond its own borders because the problems it solves are universal. Every state, province, and federal agency in the world runs on legacy code that was written before modern security practices existed. The technical debt in government systems is measured in decades. The Alberta playbook provides a template that any government can replicate, and the province is actively sharing it through technical white papers and an industry day in Edmonton this July.
For startups building in the government technology space, this creates both an opportunity and a competitive pressure. The opportunity is that governments now have a proven, cost-effective path to modernizing their security posture, and they will need tools, training, and integration support to execute it at scale. The competitive pressure is that the bar for security is rising. If a provincial government can achieve full-coverage vulnerability scanning across 1,280 applications, enterprise customers will start asking why their vendors cannot do the same.
Alberta is also training its workforce through the Alberta AI Academy, which has already onboarded thousands of government employees and more than 10,000 members of the public. The province plans to expand its AI-powered modernization to tackle 185 legacy applications running in production at a single ministry, using Claude Code to analyze what those systems do and build replacement tools alongside engineers.
The message from Edmonton is clear: this is not a pilot project or an experiment. It is a production deployment that is already changing how the government builds and secures software.
Key Lessons for Founders
Scale of AI auditing changes the security calculus. When you can scan 466 million lines of code in 20 hours with full coverage, the question shifts from which systems do we audit? to why are we not auditing everything, all the time? Founders should evaluate their own security tooling against this benchmark.
AI-generated tests unlock legacy code remediation. Alberta's team found that Claude could write automated tests for systems that had none, enabling safe patching of code that had been untouchable for years. This pattern applies directly to any startup dealing with legacy customer codebases or maintaining its own aging systems.
Continuous red team/blue team agents are the new standard. The most valuable part of Alberta's deployment is not the one-time scan. It is the ongoing agentic security review embedded in the development process. Founders building DevSecOps products should study this pattern closely.
Government procurement of AI is accelerating. Alberta's deployment is not a pilot. It is a production system with real security outcomes. For startups selling into government, this case study signals that the procurement door is open for AI-powered solutions that deliver measurable results.
Alberta proved that AI-native security auditing is not a future capability. It is a present-day operational reality. The question for every founder is whether their own security practices will meet the new baseline or fall behind it.

