
50 Parallel Agents, 466 Million Lines, 20 Hours: How Alberta Scaled Security Review With Claude Code
Chris Harper
2 min read
Jul 14, 2026 · 20:04 UTC
TL;DR: Alberta's Ministry of Technology scanned 466 million lines of government code in 20 hours with ~50 Claude agents — a two-stage rules-then-LLM pipeline that would have taken 6.5 years manually.
The architectural detail that makes this replicable: a cheap rules-engine first pass surfaces candidates, then Claude reasons about each one. That separation is the key to scaling LLM-based analysis over millions of files without burning your token budget.
The architecture
Stage 1 — Rules engine sweep. A traditional SAST/rules engine scanned all 1,280 applications and 3,400 repositories, flagging known patterns. Fast, cheap, deterministic.
Stage 2 — LLM review of flagged code. Claude Code agents reviewed each flag: reasoning about exploitability, citing exact file and line number, and generating remediation code where possible. Around 50 agents ran in parallel across repositories.
Each application also received a dedicated red-team agent (simulate external attack paths) and blue-team agent (assess defenses against international security standards) — about 95 security controls per application, per pass.
The results
- 466M lines reviewed in ~20 hours (est. 6.5 years manually)
- Traditional automated scanners missed issues Claude caught
- A 25-year-old Java subsidy portal was rebuilt in 4–5 days
- Built on the Claude Agent SDK
Replicate this pattern
The design generalizes to any large-scale codebase analysis:
- Fast filter first. Use regex, a linter, or a rules engine to shrink the problem space by 90% before any LLM call. Feed only the flagged items to Claude.
- One agent per repository, run in parallel. With the Claude Agent SDK, spin up a subagent per repo with a focused system prompt. Run them concurrently — wall-clock time is the limiting factor, not cost, because each agent sees only its own scope.
- Separate red/blue roles. An agent looking for exploitability and an agent checking defense posture catch different things. Independent perspectives at the same cost.
- Structured output with citations. Instruct each agent: "Output
file.py:line — verdict — one-line explanation." Human reviewers can triage without opening the code.
A working proof-of-concept takes an afternoon: pick a linter to do stage 1, write a short system prompt for stage 2, and run it against one repo with claude --print --max-turns 3.
Sources: Government of Alberta uses Claude to find and fix cybersecurity vulnerabilities — Anthropic · Alberta Claude Code AI Security Review Checklist — LinkLoot · Claude Agent SDK overview