Opus 4.6 is positioned by Anthropic and outside reporting as strong for security-related reasoning and code analysis, and it has been discussed in the context of finding high-severity vulnerabilities in open-source code during testing. Practically, it can help by identifying suspicious patterns (unsafe deserialization, injection risks, auth bypass patterns), explaining exploitability conditions, and suggesting safer alternatives or patches.
That said, reliability in vulnerability discovery requires controlled process. You should treat the model as an assistant that surfaces hypotheses, not a scanner that proves correctness. Build a workflow where findings are validated: reproduce with tests, confirm with static analysis tools, and have security engineers review. Also be careful with false positives and false negatives—both matter. The model can miss subtle vulnerabilities, especially when context is incomplete, and it can also flag benign code as risky.
Retrieval helps a lot for accurate security reviews in real organizations. Put your internal secure-coding guidelines, approved crypto patterns, and threat model docs in Milvus or managed Zilliz Cloud, retrieve them per review, and ask Opus 4.6 to evaluate code against those specific rules. This shifts the output from generic “security advice” to actionable, policy-aligned recommendations.