How to Use Claude Code Dynamic Workflows for Parallel Audits

How to Use Claude Code Dynamic Workflows for Parallel Audits

Claude Code Dynamic Workflows (Anthropic, research preview May 28, 2026) let Claude write a JavaScript orchestration script that spawns up to 1,000 parallel subagents within a single session. Each subagent has its own context window, and adversarial verification agents refute findings before they reach you. Bun's 750K-line Zig-to-Rust port shipped in 11 days using this approach.

A senior engineer at a fintech company needs to audit authentication logic across 200 microservice repositories. Manual approach: open each repo, read auth middleware files, trace token flows, document findings — 45 minutes per repo, 150 hours total. A team of 3 needs 2 full sprints. Even with a single Claude Code session, the context window fills after 15-20 repos, and output consistency drops 23% after 30 tool calls. The business cost is not just time. A missed race condition in authentication middleware can lead to a data breach costing $4.45 million on average (IBM Cost of a Data Breach Report, 2025).

[ STAT ] Claude Code sessions with more than 30 tool calls show a 23% drop in output consistency. — Anthropic, Introducing Dynamic Workflows in Claude Code, 2026

[TOOL: Claude Code v2.1.154+ with Opus 4.8] The orchestrator. Claude writes a JavaScript script on the fly that holds loops, branching logic, and intermediate state in variables outside the conversation. The runtime fans work across subagents, runs adversarial verification, and returns only the final result. [TOOL: Dynamic Workflows Runtime] The execution engine. Spawns up to 16 concurrent subagents, caps total at 1,000. Intermediate results live in script variables, not the model's context window. This is the architectural shift that makes 1,000-agent tasks possible.

The outcome: a codebase-wide security audit that would take 4 engineers 2-3 weeks completes in under 48 hours. A 500+ file framework migration that would require 3-4 weeks of planning ships in 3-5 days. The adversarial verification catches hallucinated findings that single-pass review misses, and every subagent has a clean context.

For platform engineering teams managing monorepo migrations of 500+ files: you need import paths updated, API calls refactored, and everything verified. One engineer with Dynamic Workflows does what a squad used to do.

For security engineers conducting quarterly audits: spawn 50 subagents to audit 50 modules in parallel, then a second wave to verify each finding. The adversarial check is built in — you do not need to architect it yourself.

For technical leads at agencies onboarding new client codebases: a 3-day manual audit becomes a 2-hour automated report. Understand architecture, dependencies, and security posture before your first standup.

1. Intent Detection. Include the word workflow in your prompt or turn on ultracode effort. Claude detects the scope and decides a multi-agent framework is needed. Input: natural language. Output: generated JavaScript orchestration script.
2. Task Decomposition. Opus 4.8 plans subagent allocation. How many agents, what each audits, how findings are structured. Input: orchestration script. Output: phase breakdown.
3. Parallel Fan-Out. Runtime spawns up to 16 concurrent subagents. Each gets its own context with assigned files and audit criteria. Input: file paths + rules. Output: per-agent findings as structured JSON.
4. Adversarial Verification. A second wave of subagents receives the first wave's findings and tries to refute each claim. This catches hallucinated bugs that single-shot Claude invents. Input: first-wave findings. Output: verified findings with refutation notes.
5. Convergence Loop. Runtime checks if findings stabilized. Disagreements trigger a re-audit with clarified criteria. Input: conflicting findings. Output: resolved single-version findings.
6. Human Review. Claude presents a consolidated report — not a turn-by-turn transcript. You review, ask clarifying questions, or approve. No changes without approval.
7. Save as Command. The generated script saves to .claude/workflows/ as a slash command for repeatable execution.

10 minutes to try it. That is the honest setup time for a first run.

Claude Code v2.1.154+ → Requires Max, Team, or Enterprise plan. Dynamic Workflows are research preview. Set /model to Opus 4.8 with xhigh effort. Use /effort ultracode for automatic workflow planning.

Gotcha: Dynamic Workflows consume significantly more tokens than standard sessions. A 200-subagent audit can burn 500K-1M tokens. Start with a 5-10 file test to calibrate cost before running a repo-wide job. On Enterprise plans, workflows are disabled by default — an admin must enable them. The runtime caps at 1,000 total agents and 16 concurrent. It will not auto-scale beyond your local machine or API rate limits.

▸ Code audit time per repo 2-3 days (4-person team) → 12-48 hours (single engineer) ▸ Migration speed (500+ files) 3-4 weeks → 3-5 days (Source: Anthropic, Jarred Sumner case, 2026) ▸ Bug detection rate 60-70% single-pass → 85-92% with adversarial verification ▸ Token cost vs saved engineer hours $50-200 per audit → $4,000-8,000 in engineer time saved ▸ Time to first ROI first codebase-wide task, typically within the first week

1. Token cost runaway: a 1,000-agent workflow can cost $100+ per run. Set a session token budget before starting large jobs.

2. Loss of granular visibility: you see the synthesized report, not every tool call. Critical subagent errors may not surface.

3. Research preview instability: Dynamic Workflows are labeled research preview as of May 2026. Behavior and pricing may change. Do not build production-critical workflows that depend on exact current behavior.

4. (2 min) Update Claude Code: claude --update. Verify you are on v2.1.154+.

5. (3 min) Set the model: /model opus-4-8 and /effort xhigh to enable the required reasoning depth.

6. (3 min) Enable ultracode: /effort ultracode. This tells Claude to plan a workflow for every substantive task automatically.

7. (2 min) Run your first workflow: in a repo, type audit the auth middleware folder for race conditions as a workflow. Claude will write the script and spawn subagents within seconds.

Q: How do I trigger a Dynamic Workflow in Claude Code? A: Include the word workflow anywhere in your prompt, or set /effort ultracode. Claude Code v2.1.154+ with Opus 4.8 detects the scope and builds a JavaScript orchestration script. Available on Max, Team, and Enterprise plans. Enterprise requires admin enablement.

Q: What is the subagent limit for Dynamic Workflows? A: The runtime caps at 1,000 total agents per execution and 16 concurrent subagents. This ceiling is tuned to stay within the resources of an average local machine. The 16 concurrent limit means a 200-file audit completes roughly 16x faster than serial execution.

Q: How do Dynamic Workflows differ from regular Claude Code subagents? A: In standard mode, Claude holds the plan in its context window and intermediate results accumulate turn by turn. In Dynamic Workflows, a generated JavaScript script holds all loops, branching logic, and intermediate variables. Claude only receives the final answer. This enables scale up to 1,000 agents.

Q: How much do Dynamic Workflows cost to run? A: A 200-subagent audit typically costs $50-200 in API fees, depending on context length and number of fix loops. This compares favorably to the $4,000-8,000 in engineer salary for the same work. But a 1,000-agent run without a token budget can surprise you. Anthropic recommends starting small.

Q: Can I save a Dynamic Workflow for reuse? A: Yes. The generated JavaScript script can be saved to .claude/workflows/ or ~/.claude/workflows/ as a custom slash command. Run /your-workflow-name on any branch, any project, with the same orchestration logic. This is useful for recurring tasks like nightly audits or weekly migration progress reports.

The practical impact of Dynamic Workflows is best understood through the Bun port example. Jarred Sumner needed to port Bun's JavaScript runtime from Zig to Rust — roughly 750,000 lines of code across thousands of files. Doing this with a single Claude Code session would be impossible since the context window would overflow after a few hundred files. Doing it with a team of engineers would take months. Dynamic Workflows completed the port in 11 days while keeping 99.8% of the existing test suite green. The key was the adversarial verification phase: after one wave of subagents ported a module, a second wave reviewed the port for correctness, edge cases, and regressions. This caught the kind of subtle bugs that single-pass AI review routinely misses. For teams doing codebase-wide migrations, this pattern is directly replicable. The same architecture applies to framework migrations, API deprecation updates, and cross-service refactors.

The six orchestration patterns that Dynamic Workflows can compose are what make it a capable general-purpose tool rather than a niche feature. Claude can generate scripts using fan-out (one-to-many parallel work), map-reduce (parallel work with aggregated results), adversarial pairs (two agents with opposing goals), chain-of-thought decomposition (sequential phases where each depends on the previous), hierarchical breakdown (supervisor delegates to sub-supervisors), and iterative refinement (cycles of generate-critique-improve). These patterns are composed dynamically based on the task. A security audit might use fan-out for file scanning, then adversarial pairs for verification. A migration might use map-reduce for file-by-file transformation, then iterative refinement for fixing test failures. The ability to compose these patterns without manually designing the orchestration logic is what distinguishes Dynamic Workflows from custom multi-agent systems that require days of setup.