Alberta scanned 466 million lines of code in 20 hours: government uses Claude for cybersecurity
The government of the Canadian province of Alberta used Claude Code with approximately 50 parallel AI agents to scan 466 million lines of code in 20 hours — a task that would have taken 6.5 years using traditional methods. The project covered 1,280 applications and 3,400 repositories across 27 ministries, none of which had ever undergone a systematic security review.
This article was generated using artificial intelligence from primary sources.
The government of the Canadian province of Alberta published results on July 6, 2026, of a pioneering project applying AI agents to public-sector cybersecurity. The Ministry of Technology and Innovation used Claude Code (Opus and Sonnet models) with ~50 parallel AI agents to scan and remediate security vulnerabilities across government systems — at a scale that would not have been achievable by traditional methods within any budget cycle.
What was the scope of this project?
As a province, Alberta maintains ~1,280 applications and 3,400 repositories across 27 ministries. A critical detail: none of those applications had ever undergone a systematic security review — not out of negligence, but due to the simple mathematics of cost and available resources. The traditional estimate for a systematic review of that scope was 6.5 years of continuous work.
AI agents scanned 466 million lines of code in just 20 hours.
“Using AI to find and fix vulnerabilities in our systems, we accomplished in hours what would have taken years using traditional approaches,” said Nate Glubish, Alberta’s Minister of Technology and Innovation.
Methodology: parallel agents and dual validation
The project followed a two-phase procedure: an automated rules engine on the first pass, followed by manual engineering review of the results. Agents did not merely detect vulnerabilities — they actively generated and tested patches, wrote missing automated tests, and modernized outdated parts of codebases.
The key constraint the government imposed: all AI work required engineering review and explicit approval before being merged into the production codebase. AI was here an acceleration tool, not a replacement for expert oversight.
The project employed a red-team / blue-team methodology: in one pass, agents attacked systems to find vulnerabilities (red team), while other agents defended and remediated (blue team) — achieving more comprehensive coverage than standard single-pass scanning. Each pass checked ~95 security controls per application.
Modernizing legacy systems
Beyond security patches, the project encompassed the renewal of legacy systems — traditionally the hardest and most expensive part of infrastructure maintenance in the public sector.
Alberta plans to consolidate 185 legacy applications within one ministry into 16 modern, reusable applications — a task that at standard pace would take years. According to project data, one legacy system was modernized in 4–5 days, while its original construction had taken 5 months.
This asymmetry illustrates patterns that are becoming characteristic of AI-assisted development: the marginal cost of system modernization drops dramatically when an agent can understand legacy code, propose refactoring, and generate test coverage simultaneously — without a new engineer spending weeks understanding someone else’s legacy codebase.
Continuous monitoring and broader impact
The security project did not remain a one-off intervention. Alberta has deployed specialized review agents that continuously monitor ~95 security controls per pass through application codebases. This transforms security into a continuous automated process rather than a periodic, expensive audit.
The province has published technical white papers and is organizing an industry day to share the methodology with other governments — suggesting that Alberta is positioning this approach as a replicable model for the broader public sector.
Claude’s practical engagement in government cybersecurity also raises a wider systemic question: if 466 million lines of code no longer represents an insurmountable barrier to security review, the basic logic of managing IT infrastructure in the public sector changes. Audit is no longer a privilege of resources — it becomes a matter of organization and will. A government with access to AI agents no longer has a technical excuse for unreviewed application codebases.
Alberta’s model also offers a concrete answer to the chronic public-sector problem: accumulated technical debt growing faster than teams can address it. The combination of massive parallel scanning, automatic patch generation, and continuous monitoring changes the equation — instead of a binary choice between security and cost, AI offers a third option: systematic coverage at a fraction of the traditional cost, without any compromise on the engineering oversight that remains mandatory for every merge.
Frequently Asked Questions
- What was the scope of the project?
- Alberta maintains approximately 1,280 applications and 3,400 repositories across 27 ministries. AI agents scanned 466 million lines of code in 20 hours, using approximately 50 parallel Claude instances.
- How much faster is the AI approach compared to traditional methods?
- A task that would have taken 6.5 years using traditional methods was completed in 20 hours — an acceleration ratio of approximately 2,800 times.
- Did the AI agents operate autonomously without oversight?
- No. All AI work required engineering review and explicit approval before being merged into the production codebase. AI detected vulnerabilities and generated patches, which engineers then validated.