Since 2025, the Government of Alberta has been running a security review most agencies would consider impossible. Working with Claude Code on Opus and Sonnet models, the province's Ministry of Technology and Innovation pointed around 50 Claude agents at its codebase and scanned 466 million lines of code in roughly 20 hours. By traditional means, the team estimates the same review would have taken about 6.5 years. For Australian agencies sitting on decades of legacy systems, the number worth paying attention to is not 466 million. It is 20 hours.
What Alberta actually did
The scope was the full estate behind all 27 provincial ministries: roughly 1,280 applications across 3,400 code repositories, most of which had never been systematically security-reviewed. The province estimates its accumulated technical debt in the billions of dollars, the kind of figure that usually freezes a modernisation program before it starts.
Rather than a single model reading everything, Alberta used a two-stage routine. A rules engine flags known risk patterns first. Claude then reviews each flag and cites the exact file and line, so a human developer can verify the finding rather than trust it blind. That design caught issues traditional automated scanners missed, and it kept every result traceable back to source.
Scale: about 50 Claude Code agents working in parallel scanned 466 million lines across 3,400 repositories in around 20 hours.
Coverage: systems behind all 27 provincial ministries, roughly 1,280 applications, most never formally security-reviewed.
Remediation: Claude Code generated fixes and, where systems had no test coverage, wrote the missing automated tests first.
Rebuilds: a 25-year-old hand-coded Java subsidy portal was rebuilt in four to five days, against the five months the original build took.
Governance: Ministry engineers reviewed and approved every patch before it shipped, and review agents now run continuously through the development lifecycle.
Alberta also published technical white papers so other governments can follow the method, which is unusually open for public-sector security work.
Why the maths matters for Australian agencies
Australian state and federal agencies sit on the same kind of estate: old code, thin documentation, sensitive citizen data, and a backlog of systems no one wants to touch. A department in Sydney or Melbourne running a twenty-year-old benefits platform faces the problem Alberta did. The barrier has never really been willingness. It has been the cost and calendar time of a manual review, which is where a six-and-a-half-year estimate quietly kills the project.
Claude Code changes that calculation because the review time falls from years to days. When a full-estate scan is a week of work rather than a multi-year program, security review stops being a special project and becomes something an agency can run on a schedule. The same approach applies to regulated enterprises, banks under APRA supervision, insurers, and any organisation holding data covered by the Privacy Act, where an unreviewed legacy system is both a security risk and a compliance exposure.
The governance question sits at the centre
The part of the Alberta story Australian agencies should study most closely is not the speed. It is the human-review gate. No fix shipped without a Ministry engineer approving it. Claude did the scanning, the flagging, and the drafting. People kept the decision.
That design answers the question every public-sector security lead asks first, which is whether an AI tool can be trusted inside a sensitive environment. The honest answer is that you do not trust it to act alone, and you do not have to. Claude cites the file and line for every finding, a developer verifies it, and the audit trail is complete. For agencies working to ASD Essential Eight obligations, this fits well: the model accelerates the work while accountability stays with named people.
Every finding names the exact file and line, so a developer confirms it before anything changes.
Fixes are generated as reviewable changes, not applied silently.
Missing tests are written first, so remediation is verifiable rather than assumed.
Human approval is a required step, not an optional one, which keeps accountability with your team.
What a scoped first engagement looks like
You do not start with 466 million lines. An Australian agency or enterprise sensibly starts with one system: a single legacy application that holds sensitive data and has never been properly reviewed. A scoped first engagement from around $25,000 covers a full Claude Code security review of that system, a prioritised findings report tied to file and line, and a remediation plan your own engineers sign off on.
The value case is clear when you set it against the alternative. A single serious breach of a citizen-data system costs an Australian organisation far more than a scoped review, before you count the reputational damage and the notification obligations under the Privacy Act. Alberta's technical debt did not appear overnight, and it will not clear overnight either. A first engagement proves the method on real systems, with real numbers, and gives you a defensible plan for the rest of the estate.
If you run technology for an Australian agency or a regulated business and you have legacy systems that have never been properly reviewed, this is a good time to scope what a Claude Code security review would find. Automata AI runs security-focused Claude rollouts for Australian organisations. You can book a short conversation with us to talk through where to start.



