Earn More with Claude Security Reviews | How to Raise Your Freelance Rates
Many freelance and side-project engineers feel that security is "outside their specialty," making it hard to justify higher rates. With the Project Glasswing expansion announced on June 2, 2026, AI-driven vulnerability discovery has become very much a reality. This article lays out three approaches for folding security audits into your estimates — and turning them into higher rates — using only the general features of Claude and Claude Code, with no invite-only model required.
On June 2, 2026, Anthropic announced an expansion of Project Glasswing for critical infrastructure. In addition to the initial roughly 50 organizations, approximately 150 new organizations spanning 15+ countries and covering electricity, water, healthcare, telecommunications, and hardware now participate. Using the dedicated Claude Mythos Preview model, participants have reportedly detected a cumulative total of over 10,000 high- and critical-severity vulnerabilities (based on Anthropic's announcement). The era of AI mass-discovering vulnerabilities is becoming reality.
However, Mythos Preview and the enterprise-only Claude Security are restricted to invited and contracted parties, and are not accessible to the general engineer. Instead, general features of Claude and Claude Code (code review and /security-review) let you run a security audit on your own code starting today. Even without the dedicated model, there is a perfectly functional entry point for defensive and remediation work in practice.
There are three paths to monetization: adding a "security audit" line item to your freelance estimates, charging for review work itself, and bundling legacy code refactoring with vulnerability remediation. That said, false positives and missed findings will inevitably occur, so the final judgment must rest with a human — keeping that principle intact is the condition for earning sustainably without losing trust.
Table of Contents (18)
- Why "AI × Security" Is Profitable Right Now — The Tectonic Shift Glasswing Signals
- From ~50 to ~150 New Organizations — "Over 10,000" Is an Announced Figure
- Why This Is a Tailwind for Freelance Engineers
- Mythos Is Invite-Only — Claude Features Any Engineer Can Use Today
- Mythos Preview and Claude Security Are Out of Reach — Let's Be Honest About That
- General Features Offer "Code Review" and "Security Review"
- Running One Security Review on Your Own Repository
- 5 Steps to Run a Review
- Execution Example and Prompt Template
- Commonly Overlooked Checkpoints
- Three Approaches to Turn It into Income — Folding It into Your Estimates
- Approach 1: Add a "Security Audit Option" Line to Your Freelance Estimate
- Approach 2: Charge for Review Work Itself
- Approach 3: Bundle Legacy Refactoring with Vulnerability Remediation
- Pitfalls and Limits — Two Lines You Should Not Cross
- False Positives and Missed Findings Are Inevitable — Humans Bear Final Responsibility
- Mythos-Level Findings Cannot Be Replicated with General Features — Numbers Are Announced Figures
- Sources
Why "AI × Security" Is Profitable Right Now — The Tectonic Shift Glasswing Signals
On June 2, 2026, Anthropic announced an expansion of its cybersecurity initiative for critical infrastructure, "Project Glasswing" (source: https://www.anthropic.com/news/expanding-project-glasswing). This is a follow-up to the initiative launched on April 7, 2026 (source: https://www.anthropic.com/glasswing). The key takeaway is that defensive AI use has moved from "experiment" to "producing real results in the field." When the productivity of vulnerability discovery improves by an order of magnitude, the market value of engineers who can incorporate it into their projects rises in tandem. This is not just a conversation for specialized security teams — it is a shift that directly affects freelance and side-project estimates, and that is the right way to read it.
From ~50 to ~150 New Organizations — "Over 10,000" Is an Announced Figure
According to the official announcement, while roughly 50 organizations initially had access to Claude Mythos Preview, approximately 150 new organizations have now joined. The new participants are spread across more than 15 countries and cover electricity, water, healthcare, telecommunications, and hardware sectors that were previously underserved. The participating organizations have reportedly used Mythos Preview to discover a cumulative total of over 10,000 high- and critical-severity security flaws. However, this "10,000+" figure is based solely on Anthropic's announcement and has not been independently verified. In articles and conversations alike, it is safe practice to qualify it as "according to the company's announcement."
Why This Is a Tailwind for Freelance Engineers
News that major players are using AI to mass-discover vulnerabilities will reliably amplify anxiety on the client side. As the question "Is our code safe?" becomes more common, demand for engineers who can answer it grows. Recently, interest in security and vulnerability topics has been rising across video platforms and communities as well — the tailwind is palpable beyond the numbers. The key is to convert that interest not into "a business that amplifies fear," but into "steadily handling defensive and remediation work." Fearmongering is a one-time play, but audits become ongoing engagements.
Mythos Is Invite-Only — Claude Features Any Engineer Can Use Today
Let's set honest expectations here. Mythos Preview, the star of this announcement, is not a model anyone can access. That does not mean there is nothing you can do. If you jump to the conclusion that "no dedicated model = nothing I can do," you will miss the untapped potential of the general features right in front of you. What matters is accurately understanding the scope of what you can act on today and delivering value within it. The general features of Claude and Claude Code alone provide a more than sufficient entry point for embedding audits into client projects or your own products. This section clearly separates "what you cannot access" from "what you can use right now," building the foundation for honest explanations to both clients and yourself.
Mythos Preview and Claude Security Are Out of Reach — Let's Be Honest About That
Claude Mythos Preview is available only to participating organizations that meet the access requirements, and there is currently no announced timeline for general availability. Anthropic has stated that it would like to "safely expand Mythos-level capabilities to the general public" in the future, but that is contingent on safety measures being put in place. Additionally, Claude Security, which scans entire codebases, is an Enterprise-tier feature and is not available on Pro or Free plans. Drawing a clear line between "invite-only" and "for contracted parties" from the start allows for honest explanations to both readers and clients (for a full overview of Glasswing and Mythos, see Project Glasswing and Mythos Preview Explained).
General Features Offer "Code Review" and "Security Review"
On the other hand, Claude Code provides /security-review for vulnerability-focused review of your changes, and /code-review for reviewing diffs (command details are covered in Getting Started with Claude Code /code-review and the official documentation at https://code.claude.com/docs). Even simply pasting code or a diff into Claude chat and asking it to "review from the perspective of authentication, input validation, and key handling" can surface gaps in your review. While it cannot match the comprehensiveness of a dedicated model, it is more than practical enough to raise the quality of a freelance project by one level and justify adding a line item to your estimate.
Running One Security Review on Your Own Repository
Understanding comes faster from doing it once than from reading theory. This section breaks down the process of running a lightweight review on a diff into a flow you can replicate starting today. If you try to review a large repository all at once, the findings become scattered and it is hard to know where to start fixing things. That is precisely why "work in small chunks, repeat" is the foundational approach. Start by practicing on a personal learning repository or a small personal project with limited blast radius. Once you are comfortable with the process, you will be able to calmly reproduce the same flow when you have a client's code in hand on a real project.
5 Steps to Run a Review
- Scope the review to a diff. Focusing on recently changed files or a pull request rather than the whole repository makes the findings more specific and easier to read.
- Run /security-review in Claude Code to apply a vulnerability-focused review to the changes on your current branch. If using Claude chat, paste the target code along with a clear statement of "what you are trying to protect."
- Sort the output findings by severity and reproduction conditions. Separate them into: fix immediately, needs investigation, and suspected false positive.
- Focus particularly on authentication credentials and API keys, input validation gaps, and outdated dependency packages. These are classic checkpoints that are effective regardless of AI involvement.
- After making fixes, run the review again to confirm that the findings have been resolved before delivering or merging. Build the habit of re-checking whenever the diff changes.
Execution Example and Prompt Template
① Running /security-review in Claude Code (one terminal command)

```
claude /security-review
```

A vulnerability-focused review of the diff on the target branch will run automatically.

② Example request prompt to paste into Claude chat

```
Please review the following diff from the perspective of authentication, input validation, and key handling, and provide findings with severity and reproduction conditions included.
[Paste your diff or target code here]
```
Just copy this prompt, paste in your diff, and send. Findings will come back with severity and reproduction conditions attached. Even a junior engineer can take this first step with a simple copy-paste.
Commonly Overlooked Checkpoints
Running through the steps will produce meaningful results, but be aware that AI review can only see "the context you provide." For example, with authentication credentials and keys, verify not just that they are not hardcoded, but also that the configuration loading path is secure. For dependency packages, cross-referencing against known reported vulnerabilities separately improves accuracy. Using AI findings as a starting point while having a human perform a final check is the practical two-stage approach that reduces missed issues.
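The human cross-check described above, as an added example (not part of the original article and not Anthropic's tooling): a small Python scanner that walks only the added lines of a unified diff, reports likely hardcoded credentials by file and new-file line number, and lists touched dependency manifests so they can be cross-referenced against known vulnerabilities separately. The regex rules, the manifest list and the sample diff are assumptions constructed for illustration.

```python
import re

# Heuristic rules: assumptions for this example, not an exhaustive ruleset.
SECRET_PATTERNS = [
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-credential", re.compile(
        r"\b[\w-]*(?:api[_-]?key|secret|passw(?:or)?d|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I)),
]
MANIFESTS = {"package.json", "package-lock.json", "requirements.txt", "go.mod", "Gemfile.lock"}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return (findings, touched_manifests); findings never echo the secret itself."""
    findings, manifests = [], set()
    path, new_no, old_left, new_left = None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:        # between hunks: only headers matter
            m = HUNK.match(line)
            if m:                                   # line counts default to 1 when omitted
                old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
            elif line.startswith("+++ "):
                target = line[4:].split("\t")[0]
                path = None if target == "/dev/null" else target.removeprefix("b/")
                if path and path.rsplit("/", 1)[-1] in MANIFESTS:
                    manifests.add(path)             # look up known vulnerabilities separately
        elif line.startswith("-"):                  # removed line: absent from the new file
            old_left -= 1
        elif line.startswith("+"):                  # added line: the only text scanned
            findings += [(path, new_no, r) for r, rx in SECRET_PATTERNS if rx.search(line[1:])]
            new_no, new_left = new_no + 1, new_left - 1
        elif not line.startswith("\\"):             # context line ("\ No newline" is skipped)
            old_left, new_left, new_no = old_left - 1, new_left - 1, new_no + 1
    return findings, sorted(manifests)

# Constructed sample diff (the key value is a made-up placeholder).
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,3 @@
 import os
-API_KEY = os.environ["PAYMENT_API_KEY"]
+API_KEY = 'EXAMPLE-not-a-real-key-0000'
 TIMEOUT = 30
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-requests==2.31.0
+requests==2.32.0
"""
print(scan_diff(SAMPLE_DIFF))
```

A clean result here only means these few patterns did not match; it complements the AI review and the human check rather than replacing either.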
Three Approaches to Turn It into Income — Folding It into Your Estimates
Once you can run reviews reliably, the next step is connecting them to revenue. The key is not to oversell it as "something special," but to incorporate it naturally as a line item in your estimate. Clients tend to brace themselves at the word "security," but if it is presented calmly as something they can choose, they will more likely receive it as reassurance. Conversely, if you absorb the review work as a free service, you add hours without reflecting them in your rate. Here are three approaches that actually work for freelance and side work, complete with guidance on how to write them into an estimate. Trying just one that fits your project type can change the upper limit of what you can charge.
Approach 1: Add a "Security Audit Option" Line to Your Freelance Estimate
The easiest to introduce is adding an audit option to an existing estimate. For example, in addition to "complete basic implementation," add a separate line for "Security Review (vulnerability-focused check of key screens and APIs, plus remediation recommendations): flat fee." Because the client can choose whether or not to include it, psychological resistance is low. If they choose it, your rate goes up. If they do not, the fact that you proposed it still builds trust.
The following serves as a rough pricing guide for the estimate (adjust based on your experience level and project complexity).
| Item | Small-scale (≤5 screens, ≤5 APIs) | Mid-scale (10–20 screens, includes authentication) |
|---|---|---|
| Security Review (vulnerability check + remediation recommendations) | ¥30,000–¥50,000 | ¥80,000–¥150,000 |
| Scope | Key forms, API input validation, key handling | Auth flow, permission design, dependencies included |
| Deliverables | Findings list (with severity + reproduction conditions) + remediation proposal document | Same + one post-fix re-check |
Set pricing conservatively based on hours worked and raise it as you build a track record.
Approach 2: Charge for Review Work Itself
For clients who already have a running product, you can make the review service itself your offering. This is a one-time or recurring service where you "run a vulnerability-focused review on the pre-release diff and return a report with findings and remediation recommendations." By using AI, you lower the hours per engagement while maintaining the rate you present as "delivery of specialized skills." The key to keeping this approach profitable is not passing all the time savings directly to the client as a price reduction. Having a polished report format makes it easier to develop into ongoing contracts.
Approach 3: Bundle Legacy Refactoring with Vulnerability Remediation
The approach with the greatest rate potential is bundling legacy code refactoring with vulnerability remediation. On legacy code projects, propose identifying and remediating vulnerabilities in parallel with adding new features. The pitch of "since we're already touching this code, let's also shore up the security" resonates with clients and makes it easier to pass a larger estimate than for refactoring alone. Combining this with the legacy refactoring approach from Claude Code for Legacy Refactoring adds even more persuasive power to your proposal.
Pitfalls and Limits — Two Lines You Should Not Cross
Finally, let's confirm the limits you need to respect precisely because you are turning this into income. Leaving these vague will cost you trust in exchange for short-term revenue, and both repeat business and referrals will dry up. AI security review is a powerful entry point, but it is not an all-purpose guarantee. Telling a client "it's safe because we ran it through AI" leaves you with no room to maneuver when problems emerge later. In fact, sharing the limitations upfront communicates professional integrity and leads to longer-term relationships. The following two points are things you must establish in your own mind before taking on a project.
False Positives and Missed Findings Are Inevitable — Humans Bear Final Responsibility
AI review cannot avoid flagging non-existent problems (false positives) or missing real vulnerabilities. Do not hand the output directly to clients. Have a human verify the reproduction conditions, and make sure you can explain the severity in your own words before delivering. "The AI said it was fine" only obscures accountability — the principle that the person who takes on the work bears the final judgment does not change.
Mythos-Level Findings Cannot Be Replicated with General Features — Numbers Are Announced Figures
The "over 10,000" figure from the introduction came from a combination of invite-only dedicated models and the organizational infrastructure of participating entities — and it is still based solely on the company's own announcement. Do not promise clients that the same level of comprehensiveness will come from the general /security-review feature. What you can do is "quickly sweep for the major points and channel them into remediation." Drawing the line clearly from the start — that deep infrastructure audits require dedicated teams and tools — is what prevents accidents caused by overconfidence.
Sources
- Anthropic News "Expanding Project Glasswing" (2026-06-02) — https://www.anthropic.com/news/expanding-project-glasswing
- Anthropic "Project Glasswing" (2026-04-07) — https://www.anthropic.com/glasswing
- Claude Code Official Documentation — https://code.claude.com/docs
- Related article "Project Glasswing and Mythos Preview — The Full Picture" — /project-glasswing-mythos-preview
- Related article "Getting Started with Claude Code /code-review" — /claude-code-code-review-command-guide