Claude Code Security Is a Breakthrough and a Reminder of Why OT and Rail Are Different
Anthropic’s recent announcement of Claude Code Security marks a real inflection point in application security. For the first time, we are seeing a commercial AI system that goes beyond pattern matching and static rules, and instead reasons about code the way a skilled security researcher does: by following data flows, understanding logic, and uncovering non-obvious vulnerabilities.
This is not an incremental improvement. It is a shift in the security model.
Why AI works so well for code
Source code is a closed, deterministic domain.
The logic is explicit. Dependencies are declared. Execution paths can be reasoned about. Given sufficient context, an AI model can reconstruct intent and analyze behavior with high confidence.
That is why Claude can scan large codebases, surface deep architectural weaknesses, and even suggest meaningful fixes. The problem space is bounded, observable, and repeatable.
Why the same approach breaks in rail and OT environments
Operational Technology and railway systems are fundamentally different.
They are cyber-physical systems, not software products. Logic is distributed across PLCs, interlockings, field devices, networks, operational procedures, and human decision-making. Much of the logic is implicit, undocumented, or encoded in physical constraints and safety rules developed over decades.
Two identical alerts in two different OT networks can have completely different consequences.
An AI model trained to analyze text and code cannot infer this context on its own.
On-prem is not a preference, it is a requirement
In critical infrastructure, security platforms must run on-prem.
This is driven by safety certification, deterministic behavior, latency requirements, data sovereignty, and the simple reality that raw operational telemetry cannot be continuously exported to external AI services.
Any solution that depends on cloud-based reasoning immediately limits where it can be deployed and what it can be trusted to do.
Detection is not the hard problem anymore
AI has made one thing clear. Finding vulnerabilities is becoming much more affordable.
The hard problem is understanding impact.
In rail and OT, the real question is not “Is this vulnerable?”
It is “What happens to operations if this fails?”
Will it delay trains?
Will it cascade across control zones?
Will it violate safety envelopes or service level commitments?
The real moat is operational and business context
At Cervello, our technology was built around this reality from day one.
We model operational processes, system dependencies, and functional behavior to translate cyber events into operational impact. Not alerts. Consequences. Not noise. Priorities.
AI can surface findings.
Only deep domain modeling can determine what actually threatens continuity.
In OT and railway environments, understanding the system matters more than analyzing the data.