Vibe coding as security architect
Rediscovering the ability to create
From architect to builder: redefining security tooling with Claude Code
For most of my twenty-year career as a security architect, my primary tools have been frameworks, whiteboards, and the occasional complex spreadsheet. Like many in our field, my hands-on coding days, tinkering with C# and Java, are nearly two decades in the rear-view mirror. I’ve long accepted my role as the designer of the house, not the one swinging the hammer.
However, the emergence of Claude Code, and other frontier models with a development harness, has fundamentally shifted that dynamic. It has allowed me to step into a Product Owner mindset where my two decades of domain expertise aren’t just used to critique a design, but to actively build the automated and productivity-enabling tooling that my team needs.
The rise of the vibe-coding architect
In modern, agile environments, security is often seen as obstructionist. We want to be Architecture in Agile, but the manual nature of risk assessments often creates a bottleneck.
By using AI as a development partner, I was able to translate high-level security patterns directly into functional software. I didn’t need to remember the syntax of a modern API call; I needed to know why that API needed a specific security header. I focused on the what and the why, the core of security strategy, while Claude handled the how.
Building the ISRA-Agent
The result was a bespoke security tooling suite for work that previously took days of manual labour each week or was not as effective:
Chain of Thought (CoT) Analysis: The tool doesn’t just give a pass/fail. It walks through the logical steps of a risk assessment, mimicking the internal dialogue of a senior architect.
External Threat Intelligence: By integrating live threat feeds, the tool evaluates risks against the current geopolitical and technical landscape, rather than just static baselines.
Strategic Distillation: It takes raw technical findings and distils them into reusable security patterns and strategic recommendations that stakeholders actually understand.
API Security Injection: It goes beyond assessment by suggesting and drafting security features to be embedded directly into API definitions.
Is This the Future of the Role?
We often ask: Is there value in traditional threat modelling? When we empower architects to build their own automated tooling, we move from being a gatekeeper to being a force-multiplier.
This process has been incredibly empowering. It has proven that a deep understanding of security architecture, paired with generative AI, allows us to build a smarter way to secure our organisations, one where the architect’s vision is immediately translated into code.


