Anthropic Didn’t Kill Cybersecurity. It Just Reminded Us There Are Two Doors.
After Anthropic released its Claude Code Security tool, the market responded with panic selling. The tool only addresses attackers getting into systems through code vulnerabilities; it does not cover other key threats such as authentication and human factors. Investors overreacted, overlooking its limitations and the complexity of identity security.

2026-2-23 09:27:37 Author: securityboulevard.com

On February 20, 2026, Anthropic announced Claude Code Security — a tool that scans software codebases for vulnerabilities and suggests patches — and Wall Street obliged with the kind of panic selling usually reserved for banking crises and geopolitical shocks. CrowdStrike fell 8%. Cloudflare lost 8.1%. Okta dropped 9.2%. SailPoint shed 9.4%. JFrog plunged nearly 25%. The crypto influencer Crypto Rover announced breathlessly that “millions of jobs and companies just got replaced.” Gizmodo dubbed the broader investor behavior the “SaaSpocalypse.” Dennis Dick, Head Trader at Triple D Trading, told Bloomberg that “this kind of market is scary for investors because prices relentlessly go down as soon as there’s even a hint of disruption.”

He was describing investors who sold first and read the product announcement second — because anyone who read it carefully would have noticed that this tool addresses roughly half of how attackers get in. Not most of it. Not nearly all of it. Half.

This is the same playbook we dissected last week when the doomsayers insisted AI would end democracy. The critics are wrong for the same underlying reason: they are confusing a powerful tool with a complete solution. And this time, the error is written right there in the threat landscape data the security industry publishes every single year.

The Two Doors Attackers Walk Through

Every serious security framework — MITRE ATT&CK, the Verizon Data Breach Investigations Report, the CIS Controls — acknowledges that adversaries have two primary means of infiltration. The first is exploiting a vulnerability in code: a buffer overflow, an injection flaw, broken access control buried in application logic. The second is abusing a legitimate identity: stealing credentials, exploiting over-provisioned access, manipulating a human into handing over the keys, or simply logging in with a password harvested from a breach database.

Claude Code Security addresses the first problem. It reads code the way a human security researcher would, traces data flows, maps component interactions, and flags vulnerabilities that static analysis tools miss. In internal testing, Anthropic found over 500 previously unknown vulnerabilities across production open-source codebases — bugs that had survived years of expert review. That is genuinely impressive, and it represents real defensive value.

But it says precisely nothing about the second door.

The Verizon DBIR has told us for years that stolen credentials are involved in most breaches. Phishing remains the most prolific initial access technique in ransomware campaigns. Business email compromise — which requires zero code vulnerabilities and works entirely by manipulating humans or abusing legitimate authentication — costs organizations billions annually. The 2023 MGM Resorts breach began not with an exploited CVE but with a ten-minute phone call to the IT help desk. Scattered Spider social-engineered their way past every layer of technical control because the vulnerability they exploited was human, not programmatic. No AI code scanner in the world would have prevented that.

The Identity Problem is Structural

What makes the identity-based attack surface so durable is that it is not primarily a matter of patching specific bugs. It reflects deep architectural weaknesses baked into decades of enterprise design decisions. Overprivileged accounts are endemic. Service accounts accumulate permissions across their operational lifetimes and are rarely audited. Federated identity architectures create trust relationships that, when abused, allow lateral movement across organizational boundaries. MFA implementations remain vulnerable to adversary-in-the-middle phishing kits that intercept session tokens in real time.

These are not bugs in the traditional sense. They are architectural patterns and organizational habits, and fixing them requires sustained investment in identity governance and zero-trust architecture — not a one-time scan.

Which brings us to the sharpest irony of last Friday’s selloff: SailPoint and Okta — two of the hardest-hit stocks — are identity and access management companies. The tool that supposedly made them obsolete doesn’t touch their core problem domain at all. Barclays analysts called the selloff “illogical,” noting that Claude Code Security “does not directly compete with any of the established businesses they cover.” Jefferies analyst Joseph Gallo went further, arguing the sector will ultimately be a net beneficiary of AI. They are both right.

AI Cannot Patch Human Gullibility

The other half of the identity attack surface is simpler and more humbling: people are susceptible to manipulation, and no amount of AI changes that.

Phishing succeeds because a well-crafted email creates enough urgency that a human clicks a link. Vishing succeeds because humans are wired to respond to authority and social pressure. The same cognitive shortcuts that make us effective social creatures make us exploitable. AI can generate more convincing phishing lures — which is genuinely alarming — but it cannot make employees less trusting of an email that appears to come from their CEO, or less susceptible to the slow-burn manipulation of a pretexting campaign.

The companies helping organizations manage this attack surface — whether established players like Okta, CyberArk, and SailPoint, or innovative startups like Aembit, Badge, Strata, and Teleport — are not competing with Claude Code Security. They are solving a different problem entirely.

What AI Actually Changes

To be clear: Anthropic’s announcement is not irrelevant. AI-powered code scanning will genuinely change the economics of vulnerability discovery, and some of the JFrog selloff reflects real competitive pressure on rule-based static analysis tools — not pure panic. The window between vulnerability introduction and exploitation is going to shorten. That creates urgency for better development security practices and ongoing demand for the security ecosystem, not the end of it.

But even a world with dramatically fewer code vulnerabilities is still a world where employees click phishing links, attackers manipulate help desks, credentials get reused, and service accounts get overprivileged. The identity security companies building tools to address those problems are not competing with a code scanner. They are working on the other half of the puzzle.

The doomsayers of cybersecurity share the same telling habit as the ones who predicted AI would end democracy: they describe one part of a complex system with great precision, then wave their hands at everything else. The sky above code vulnerabilities may be getting more manageable. The sky above identity, authentication, and human behavior is exactly as complicated as it was last Thursday.

Barclays called the selloff illogical. The more accurate word is incomplete — a market pricing in a disruption it only partially understood, in a threat landscape it didn’t think through all the way to the other door.

That door is still wide open.

Source: https://securityboulevard.com/2026/02/anthropic-didnt-kill-cybersecurity-it-just-reminded-us-there-are-two-doors/