Sonnet Code
AI Development · May 30, 2026 · 8 min read

Snyk Just Embedded Claude Inside Its Security Platform via MCP. The Review Tax on AI-Generated Code Got Restructured, Not Removed — and the Policy Layer Is What Determines Whether That's a Win.

What actually shipped

On May 8, 2026, Snyk announced that Anthropic's Claude models are now embedded inside the Snyk AI Security Platform, exposed to Claude Code and every other MCP-compatible agentic editor via the Model Context Protocol. Concretely, two surfaces shipped.

Claude-powered scanning and auto-fix as MCP tool calls. When an agent in Claude Code (or Cursor, or any MCP-aware editor) writes a change, it can call the Snyk MCP server to scan the diff, get a prioritized list of findings, and ask Claude to produce a developer-ready patch — all in the same agent loop that produced the code. The integration covers source code, dependencies, container images, and AI-generated artifacts. The pitch in Snyk's own announcement is the part to take seriously: as AI dramatically accelerates how fast developers can write code, traditional security simply cannot keep up.

Evo by Snyk for AI asset governance. Evo continuously discovers every AI asset across the organization — models, agents, MCP servers, datasets, third-party tools — and red-teams running agents for prompt injection and data exfiltration. This is the part most teams will sleep on and then have to backfill in a hurry. Discovery is unglamorous, but it's the precondition for everything else: you cannot govern what you don't have an inventory of.

The integration is generally available to joint customers and expands through 2026.

The volume-to-review ratio is the actual problem

The security industry has been making a particular case for the last eighteen months: AI agents generate code faster than reviewers can read it, so the review pipeline is going to break. That case is correct on the symptoms and slightly off on the cause. The cause isn't speed. It's the ratio of generated volume to human attention available to triage it. Snyk's MCP integration changes that ratio in a specific way — and the change is good only if your team understands what it actually did.

The naïve read is: 'security is now in the loop, so AI-generated code is safe.' The accurate read is: the scanning step got cheap; the policy step did not. A finding from an MCP-tool scan needs the same thing it always needed — a decision about what to do with it. Auto-fix it. Queue it. Escalate to a senior engineer. Mark it as accepted risk for this release. Those decisions don't come out of the MCP server. They come out of the policy layer your team designs around the scanner, and that policy layer is the actual security surface now.

The failure mode of MCP-native security is not 'the tool misses something.' It's 'the tool finds something, the model auto-fixes it, the fix is shallow, and the team ships the patched-looking-but-still-broken change with a green CI run.' That outcome is worse than no scanning, because it produces signed-off vulnerabilities — code that was checked, fixed, and merged, with the receipts to prove it. The audit trail looks clean. The vulnerability is still there.

What the new tool surface needs above it

Three pieces of work that didn't exist on most roadmaps in 2025 now need to exist on the 2026 roadmap of any team using AI agents to ship code. None of them are products. All of them are decisions your team has to write down.

A routing policy keyed to severity and architectural surface. Not every finding is the same kind of risk. A missing input-sanitization call inside a leaf utility is an auto-fix candidate. A finding in your auth flow, your billing pipeline, or your data-export endpoint is not — and giving the model auto-fix authority on those surfaces is a deployment incident waiting to happen. The routing rules — auto-fix here, queue there, escalate to a named senior engineer over here — are policy, not configuration. Write them, version-control them, review them at the same cadence you review IAM policy.

Scoped permissions for the MCP tool itself. A Snyk MCP server with write authority is, in the limit, a Snyk MCP server with the ability to land patches into your repo on the model's behalf. That is a useful capability only if its credentials are scoped, its actions are audit-logged, and its writes go through the same review gates your humans do. The IDE that grants every MCP tool blanket write access is a 2026 breach class waiting to be reported. Treat MCP servers like service accounts, because functionally that is what they are.

An exception and acceptance-of-risk process that runs at the speed of agentic shipping. Traditional security exception processes were built for human-paced change requests. Agentic workflows produce findings faster than the legacy process can clear them, and the workaround — silent exceptions baked into agent prompts — defeats the point of having a process at all. Redesign the exception flow as an MCP-callable interface: the model surfaces the finding, the senior reviewer makes the decision in a structured form, the decision is logged and time-bounded. That is engineering work. It will not happen unless your team owns it.
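As an added illustration of both the routing policy described above and the structured, time-bounded exception record (example code written for this article, not Snyk's or Sonnet Code's own), the following routes a finding by severity and architectural surface, and lets an accepted-risk decision suppress it only until that decision expires. The protected path prefixes, owner addresses, rule identifiers and clock are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed repository layout: these path prefixes are the architectural
# surfaces where the model never gets auto-fix authority, each mapped to the
# named senior engineer who owns escalations for it (hypothetical owners).
PROTECTED = {"src/auth/": "auth-owner@example.test",
             "src/billing/": "billing-owner@example.test",
             "src/export/": "export-owner@example.test"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed clock for the demo

@dataclass(frozen=True)
class Finding:
    rule_id: str   # scanner rule identifier (placeholder values below)
    severity: str  # low | medium | high | critical
    path: str      # file the finding was raised against

@dataclass(frozen=True)
class AcceptedRisk:
    """Structured, time-bounded exception recorded by a senior reviewer."""
    rule_id: str
    path: str
    approved_by: str
    expires_at: datetime

def route(f: Finding, exceptions: list, now: datetime) -> tuple:
    """Return (action, owner); action is auto-fix, queue, escalate or accepted-risk."""
    # An exception suppresses the finding only while unexpired; a lapsed one is
    # not silently honoured, so the finding is routed again.
    for ex in exceptions:
        if (ex.rule_id, ex.path) == (f.rule_id, f.path) and now < ex.expires_at:
            return ("accepted-risk", ex.approved_by)
    # Protected surfaces are never auto-fixed: high or worse goes straight to
    # the named engineer, anything lower waits in that engineer's review queue.
    for prefix, owner in PROTECTED.items():
        if f.path.startswith(prefix):
            return ("escalate", owner) if SEVERITY_RANK[f.severity] >= 2 else ("queue", owner)
    # Leaf code: the model may auto-fix up to medium; high is queued for a
    # human, critical is escalated even outside a protected surface.
    rank = SEVERITY_RANK[f.severity]
    return ("auto-fix", None) if rank <= 1 else ("queue", None) if rank == 2 else ("escalate", "security-oncall")

def demo() -> list:
    """Route a few constructed findings with and without an accepted-risk record."""
    sqli = Finding("RULE-SQLI", "critical", "src/auth/login.py")
    leaf = Finding("RULE-LOG-INJECTION", "low", "src/util/strings.py")
    ex = AcceptedRisk("RULE-SQLI", "src/auth/login.py", "auth-owner@example.test", NOW + timedelta(days=30))
    return [route(sqli, [], NOW), route(leaf, [], NOW),
            route(sqli, [ex], NOW), route(sqli, [ex], NOW + timedelta(days=31))]
```

The fourth result in demo() is the case the text warns about: thirty-one days later the accepted-risk record has lapsed, so the same finding escalates again instead of staying quietly suppressed.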

What Evo signals about where governance is going

The quieter but bigger part of the Snyk announcement is Evo's AI asset discovery. The bet underneath it: most enterprises now have an AI shadow stack — agents spun up in product teams, MCP servers running on developer laptops, datasets passed into fine-tunes that nobody centralized, third-party model providers wired into internal tools without procurement review. You cannot govern what you cannot see, and as of mid-2026 most enterprises cannot see most of it.

The procurement question your security team is going to be asked in Q3 2026 is: what AI assets do we have running in production, and which of them touch customer data? The teams that have an answer will move quickly. The teams that don't will spend a quarter building the inventory before any other governance work starts. Evo is the first credible product in that category, but the work of running the inventory and acting on what it finds is yours.

Where Sonnet Code fits

An MCP-native security tool inside the agent loop is the easy half of the story. The hard half is the policy, permission, and exception design above it that decides whether the new tool surface is a security win or a faster way to merge vulnerabilities with a paper trail. AI development at Sonnet Code is that engineering: integrating Snyk's MCP server (or any equivalent) into your agent workflows with the scoped permissions, audit trails, and routing rules that make auto-fix safe, and standing up the AI asset inventory before procurement starts asking. AI training is the human-judgment half: senior security engineers who design the failure-mode rubrics for AI-generated code in your codebase, run adversarial review on the cases your auto-fix policy is most likely to mishandle, and stand up the senior-reviewer queue at the speed agentic shipping demands.

The review tax on AI-generated code didn't disappear. It moved one layer up. The teams that win the next phase of secure agentic development are the ones that build that layer deliberately, instead of discovering they needed it the week after their first signed-off vulnerability ships.