Integrating Claude Security with Tenable One: Operationalizing AI for Exposure Management

Introduction

The velocity of vulnerability discovery has reached an inflection point. Frontier AI models, specifically Claude Security, are now capable of performing deep-logic code analysis that identifies complex business logic flaws and subtle injection vectors far faster than manual review or traditional static analysis (SAST). While this technological leap accelerates detection, it creates a critical operational bottleneck: Noise.

For CISOs and SOC managers, the risk is not just missing a vulnerability; it is the inability to triage and remediate thousands of AI-generated findings before the next scan runs. If security programs cannot bridge the gap between AI-driven discovery and remediation, the exposure management process collapses under its own weight. This guide details how to integrate Claude Security’s deep-logic analysis into the Tenable One Exposure Management Platform, normalizing raw AI findings into actionable intelligence.

Technical Analysis

The Integration Challenge

Claude Security operates by analyzing codebases for logic errors, potential security sinks, and architectural weaknesses. However, its output is often unstructured or semi-structured text, lacking the contextual asset data required for prioritization. Tenable One, by contrast, excels at calculating the Vulnerability Priority Rating (VPR) by understanding the asset's role, exposure, and threat landscape.

The integration goal is to ingest Claude Security findings into Tenable One as "Custom Vulnerabilities" or via API injection. This allows the platform to:

1. Normalize: Map AI findings to specific assets (IPs, FQDNs, Container IDs).
2. Prioritize: Apply Tenable’s VPR to AI findings. An AI-flagged flaw in an isolated dev server is automatically de-prioritized against a minor flaw in an exposed production database.
3. Consolidate: Provide a single pane of glass for remediation teams, eliminating the need to check a separate AI interface.

Affected Platforms & Components

• Tenable One Exposure Management Platform: Central aggregation and prioritization engine.
• Claude Security (AI Analysis Layer): Source of deep-logic vulnerability data.
• Integration Middleware: Scripting layer (Python/Bash) using Tenable API v2 to transport findings.

Exposure Status

This configuration addresses a Defensive Gap. Without integration, organizations face "Alert Fatigue" from AI tools, leading to ignored critical vulnerabilities. The integration mitigates the risk of undiscovered exploits by ensuring all findings—human and AI-generated—are subject to the same rigorous prioritization logic.

Executive Takeaways

1. Automate the Ingestion Pipeline: Do not rely on manual CSV uploads for AI findings. Build a scripted pipeline that queries Claude Security results and pushes them directly to Tenable One via API immediately post-scan.
2. Enforce VPR Authority: Configure the integration to accept the AI severity score only as an initial input, but enforce Tenable VPR as the final decision metric for remediation ticketing.
3. Deduplication is Critical: Ensure the integration logic checks for existing CVE matches. If Claude identifies a finding that matches a known CVE already detected by Tenable.sc, merge the data rather than creating a duplicate ticket.
4. Close the Remediation Loop: Ensure that when a developer marks a Claude-found ticket as "Fixed" in the ticketing system (Jira/ServiceNow), it reflects back in Tenable One to update the exposure score in real-time.

Detection & Validation

Verification Script (Bash)

While this is a platform integration, verifying that the data is flowing correctly into Tenable One is essential. This script uses curl to query the Tenable API for recently imported "Custom" or AI-related vulnerabilities to ensure the ingestion pipeline is active.

#!/bin/bash
# Verify Claude Security findings are appearing in Tenable One

API_KEY="YOUR_ACCESS_KEY"
SECRET_KEY="YOUR_SECRET_KEY"
TENABLE_URL="https://cloud.tenable.com/api/v2/vulnerabilities"

# Search for findings with specific plugin name pattern or description pattern
# This assumes your integration tags findings with 'Claude' or similar
SEARCH_FILTER='filter.search=Claude%20AI'

echo "Checking Tenable One for Claude Security ingestion..."

# Execute API Call
response=$(curl -s -u "$API_KEY:$SECRET_KEY" -X GET "$TENABLE_URL?$SEARCH_FILTER")

# Check if count is greater than 0
count=$(echo $response | grep -o '"count":[0-9]*' | cut -d':' -f2)

if [ "$count" -gt 0 ]; then
  echo "[SUCCESS] Ingestion verified. Found $count findings from Claude Security."
  echo "Recent Sample:"
  echo $response | grep -o '"plugin_name":"[^"]*"' | head -n 3
else
  echo "[WARNING] No findings detected. Check integration middleware."
fi

Remediation Script (Python)

The following Python script serves as a template for the integration logic. It simulates pulling a finding from an AI source and pushing it to Tenable One as a custom vulnerability.

import requests
import 
import uuid

# Configuration
TENABLE_ACCESS_KEY = 'YOUR_ACCESS_KEY'
TENABLE_SECRET_KEY = 'YOUR_SECRET_KEY'
TENABLE_URL = 'https://cloud.tenable.com/api/v2/vulnerabilities/import'

# Simulated output from Claude Security analysis
claude_finding = {
    'asset': 'web-prod-01.example.com',
    'port': 443,
    'protocol': 'tcp',
    'severity_name': 'Critical',
    'description': 'Deep-logic analysis detected a potential race condition in auth mechanism.',
    'scan_id': str(uuid.uuid4())
}

def map_severity_to_cvss(sev_name):
    mapping = {'Critical': 10, 'High': 8.5, 'Medium': 5.0, 'Low': 2.0}
    return mapping.get(sev_name, 0.0)

# Construct Tenable Import Payload
tenable_payload = {
    "assets": [{
        "hostname": claude_finding['asset']
    }],
    "vulnerabilities": [{
        # Use a generic high number for custom AI findings to avoid conflict
        "plugin_id": 99999, 
        "port": claude_finding['port'],
        "protocol": claude_finding['protocol'],
        "severity": map_severity_to_cvss(claude_finding['severity_name']),
        "plugin_name": "Claude AI: Logic Flaw Detected",
        "plugin_output": claude_finding['description'],
        "scan_id": claude_finding['scan_id']
    }]
}

# Send to Tenable One
auth = (TENABLE_ACCESS_KEY, TENABLE_SECRET_KEY)
headers = {'Content-Type': 'application/'}

try:
    response = requests.post(TENABLE_URL, =tenable_payload, auth=auth, headers=headers)
    if response.status_code == 200:
        print("[+] Successfully imported Claude Security finding into Tenable One.")
    else:
        print(f"[-] Error importing: {response.text}")
except Exception as e:
    print(f"[-] Integration failed: {str(e)}")

Remediation Steps

1. Establish the Middleware: Deploy the integration script (Python or Bash) on a secure jump host or within your CI/CD pipeline infrastructure. Ensure it has network access to both the Claude Security data source (or export location) and the Tenable One API.
2. Define Custom Plugin IDs: Designate a specific range of Plugin IDs (e.g., 99000-99999) exclusively for AI-generated findings. This prevents collisions with official Nessus/Tenable plugins and allows for easy filtering.
3. Configure Tenable One Views:
   • Navigate to the Workbench.
   • Create a new filter for Plugin ID in range 99000-99999.
   • Save this as "AI-Generated Exposure". Use this view to track the volume and impact of your AI discovery tools over time.
4. Ticketing Integration: Ensure your Tenable One ticketing configuration (ServiceNow/Jira) includes these custom AI findings. They must be assigned to the appropriate engineering teams based on the asset tag, just like any other vulnerability.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub