Skip to main content

Alberta Scanned 466 Million Lines of Code in 20 Hours. The Architecture Is the Story.

Table of Contents

Alberta — a Canadian province, not a tech company — ran Claude Code across 466 million lines of government code. It took 20 hours. Their own estimate for doing the same security review the old way: six and a half years.

Those numbers made the rounds, and they should. But they’re not what made me stop and think. Plenty of teams have pointed an AI at a codebase and gotten a big number back. What Alberta built is different, and the difference is the part worth copying.

They didn’t point AI at the code. They built a system around it.
#

Anthropic’s write-up describes what Alberta’s Ministry of Technology and Innovation has been running since 2025, across the systems behind all 27 ministries — 1,280 applications, 3,400 repositories, roughly 95 security controls checked per application.

The pipeline looks like this:

  1. A rules engine flags known vulnerability patterns first. Deterministic checks do what deterministic checks are good at.
  2. Claude Code reviews every flag and cites the exact file and line. Not “you may have an injection risk somewhere” — a reference a developer can open and verify.
  3. A red-team agent attacks the code the way an outside attacker would, mapping real exploitation paths instead of listing theoretical ones.
  4. A blue-team agent assesses the defenses against international standards and drafts the remediation plan.
  5. A human engineer reviews and approves before any fix ships. Every time.

Fifty agents ran in parallel. And at the end of the chain, before anything touches production, a person signs.

This is the formula I keep coming back to, and the one I think defines the next few years of engineering: AI executes. A person is accountable.

It’s the same shape I described in Agentic Overwatch: agents doing the volume work, humans running the room. Notice what the engineer’s job became in Alberta’s pipeline — not typing the fixes, but judging the evidence the agents produced. That shift, from doing the work to reviewing the evidence of the work, is the actual transformation. The scan speed is just what makes it visible.

A 25-year-old Java system, rebuilt in four days
#

One example from the announcement stuck with me. A Java system written about 25 years ago — five months of original build time — was rebuilt in four to five days. When Claude finds a vulnerability, it can generate the fix, write the missing tests, or rebuild the aging component in a modern language. All of it lands in front of an engineer before it lands anywhere else.

Alberta’s minister put it plainly: they accomplished “in hours what would have taken a traditional approach years to complete.” And they’re not treating it as a one-off — the plan is to consolidate 185 legacy applications into 16 modern ones.

That’s not a demo. That’s a government operating in a world where code is cheap to produce — and putting its accountability structure where the leverage is.

How much of your “too scary to touch” pile is actually just untried tools?
#

Every engineering org I know has that pile. The 25-year-old system nobody fully understands. The migration that’s been “next quarter” for six years. We treat it as geologically fixed — too complex, too risky, too expensive to touch.

Alberta’s numbers force an honest question: how much of that pile is genuinely complex, and how much of it is simply we never tried it with the right tools and the right review structure?

Fair caveat: this is one case study, published by the vendor, and the 6.5-year estimate is exactly that — an estimate. The headline numbers need replication before I’d bet a roadmap on them. But the architecture doesn’t need to wait for replication. Rules engine for the known, agents for the volume, adversarial agents checking each other, a human owning the outcome — that pattern is right today, at any scale, whoever writes the code.

The speed is negotiable. The accountability structure isn’t.


Is this a genuine shift or an outlier that needs more proof? I’d take the argument either way — find me on X, Telegram, or LinkedIn.

Related

The Claude Code Leak Isn't Dramatic. That's the Point.
Anthropic’s Claude Code accidentally shipped internal source code in a release. Not a breach. A packaging mistake. A missed step. That’s exactly the kind of failure AI makes more likely, because the dopamine is in generating the feature, not in validating the artifact that ships.
I Don't Put All My Eggs in One Basket. Anthropic Is Making That Hard.
Anthropic shipped 120+ features in 90 days, then blocked OpenClaw from using Claude subscriptions. The same company building the best developer tools in AI is also building walls around them. I’ve always spread my bets across providers—but when one company moves this fast, even diversification has a cost.
Stop Reviewing Code. Start Reviewing Evidence.
Agent-heavy teams ship twice the PRs at more than twice the size, and reviews wait almost five times longer for pickup. The review model built for hand-typed code has collapsed, and the fix is not humans reading more diffs. It’s the evidence gate: machine-verified proof for every change, with human judgment reserved for intent and architecture.