Anson/Projects
1
0
Fork 0
mirror of https://gitlab.com/Anson-Projects/projects.git synced 2026-06-03 21:00:27 +00:00
Code Releases Activity
Files
a310dbeb844e0c1101094bec84b5a13ce2282b0a
Projects/_freeze/posts/2026-01-17-genai-tooling-alignment/trade-study/execute-results/html.json
T
Anson 4ef8a13d37 checkpoint
2026-01-19 03:14:13 -05:00

12 lines
36 KiB
JSON
Raw Blame History

{
"hash": "483fe91c028e07535cb91678d6669eb9",
"result": {
"engine": "jupyter",
"markdown": "---\ntitle: \"GenAI Tools Trade Study\"\nsubtitle: \"Supporting Documentation for Tooling Alignment RFC\"\ndate: 2026-01-17\nauthor:\n - name: Anson Biggs\n affiliation: Shield AI\nabstract: |\n Comprehensive comparison of AI coding tools and platforms to support the case for tool/model alignment. Covers feature comparisons, pricing, security certifications, and enterprise capabilities.\ncategories:\n - RFC\n - GenAI\n - Tooling\nformat:\n html:\n code-fold: true\n toc: true\n docx:\n toc: true\n number-sections: true\nexecute:\n echo: false\n warning: false\n---\n\n## Executive Summary: Who Led Innovation\n\n```{mermaid}\ntimeline\n title AI Coding Innovation Timeline\n\n 2021 : Code Completion - Copilot (Microsoft)\n\n 2022 : Chat Interface - ChatGPT (OpenAI)\n\n 2023 : Chat - Claude Web (Anthropic)\n : Chat - Copilot Chat (Microsoft)\n : Code Completion - Cursor\n\n 2024 : Computer Use - Claude 3.5 (Anthropic)\n : MCP Protocol - Anthropic\n : Code Completion - Windsurf\n\n 2025 : Computer Use - Operator (OpenAI)\n : Agentic CLI - Claude Code (Anthropic)\n : MCP - OpenAI adopts\n : Agentic CLI - Codex (OpenAI)\n : MCP - Google adopts\n : Enterprise Plugins - Claude Code (Anthropic)\n : MCP - VS Code adopts\n```\n\n**Anthropic first mover** — Led on Computer Use, MCP, Agentic CLI, Enterprise Plugins\n\n---\n\n## Market Adoption Has Reached Critical Mass\n\nThe AI coding tools market has crossed the enterprise adoption threshold. Organizations that delay adoption now face competitive disadvantage.\n\n### Adoption Statistics\n\n| Metric | Value | Source |\n|--------|-------|--------|\n| Developers using/planning to use AI tools | **76-85%** | Stack Overflow 2024, JetBrains 2025 |\n| Fortune 100 companies using Copilot | **90%** | GitHub/Microsoft |\n| Enterprise adoption projected by 2028 | **90%** | Gartner |\n| Market size (2025) | **$7.37B** | Industry analysts |\n| Market size projected (2030) | **$24-30B** | Industry analysts |\n| YoY enterprise AI dev tool spending increase | **3.2x** | $11.5B → $37B (2024→2025) |\n\n### Tool Revenue and Growth\n\n| Tool | Users | ARR | Growth |\n|------|-------|-----|--------|\n| GitHub Copilot | 20M users, 77K+ orgs | ~$800M+ | 42% market share |\n| Cursor | 1M+ daily users, 50K+ teams | **$1B+** | Fastest-growing SaaS ever ($1M→$1B in <2 years) |\n| Claude Code | 300K+ business customers | **$1B** (run-rate in 6 months) | 80% from enterprise |\n| Windsurf/Codeium | 800K+ developers | $82M | Declining (acquired) |\n\n### Productivity Impact (Controlled Studies)\n\n| Metric | Improvement | Source |\n|--------|-------------|--------|\n| Task completion speed | **55% faster** | GitHub study (95 developers) |\n| Pull requests per developer | **+8.69%** | Accenture (450+ developers) |\n| Merge rate improvement | **+15%** | Accenture |\n| Successful builds | **+84%** | Accenture |\n| PR turnaround time | **4x faster** (9.6 → 2.4 days) | Enterprise deployments |\n| Code review time | **-67%** | Enterprise deployments |\n| Code generated by AI (active users) | **46%** | GitHub |\n\n### Realistic Productivity Expectations\n\nVendor claims of 50%+ productivity gains rarely materialize in production. The most rigorous studies show:\n\n| Study | Sample | Finding | Context |\n|-------|--------|---------|---------|\n| GitHub/Microsoft RCT 2023 | 95 developers | **55.8% faster** | Simple isolated tasks |\n| MIT/Microsoft Field 2024 | **4,867 developers** | **26% more PRs/week** | Production environment |\n| METR RCT 2025 | 16 senior developers | **19% slower** | Complex established codebases |\n| Uplevel 2024 | 800 developers | No significant gains | **41% more bugs** introduced |\n\n**The realistic number is 26%** from the MIT/Microsoft multi-company field study—substantial but half the vendor headline. The METR study found experienced developers were actually **19% slower** on complex codebases where they had implicit context the model lacked.\n\n**Where AI tools work best:**\n\n- Junior developers (25-30% gains well-documented)\n- Greenfield projects and boilerplate code\n- Documentation and technical writing (50% time savings)\n- Test generation and debugging\n\n**Where AI tools struggle:**\n\n- Complex, established codebases\n- Senior engineers with deep domain knowledge\n- Safety-critical code requiring certification\n\n### Important Caveats\n\n- **11 weeks** for users to fully realize productivity gains (initial dip during learning)\n- AI-generated code has **41% higher churn rate** than human-written code (GitClear 2024)\n- **45% of AI-generated code** fails security tests (Veracode 2025)\n- AI-assisted developers produce **10x more security issues** (Apiiro 2025)\n- **95% of enterprise AI pilots fail** to deliver measurable ROI (MIT Media Lab 2025)\n- Organizations with **80-100% developer adoption** see 110%+ productivity gains; partial adoption (<50%) shows minimal impact\n\n### Defense Prime Deployments\n\n| Defense Prime | Platform/Tool | Scale | Key Metric |\n|---------------|---------------|-------|------------|\n| Lockheed Martin | AI Factory, Genesis, Jiminy | **70,000+ users** | 1B+ tokens/week |\n| Boeing | GenAI Platform, Code Assistant | **170,000 deployed** | Up to 2 hrs/day saved |\n| Northrop Grumman | NVIDIA RTX PRO Servers | **100,000 employees** | Enterprise-wide |\n| General Dynamics | Aurora AI, ChatGDIT | 10,000+ in AI training | 10% more tasks |\n\n**Note:** No major defense prime has publicly disclosed GitHub Copilot Enterprise deployment—likely due to security and IP concerns with cloud-based tools. All emphasize on-premise, secure deployment architectures.\n\n### Tech-Forward Aerospace\n\nBlue Origin provides the most aggressive adoption metrics:\n\n- **95% of software engineers** use GenAI tools\n- **2,700+ AI agents** deployed\n- **70% company-wide adoption**\n- **3.5 million AI interactions monthly**\n- Claims **90% reduction in hardware development time**\n\n### Business Case: Cost vs. Productivity Gain\n\n**Claude Enterprise Pricing:**\n\n| Tier | Price | Notes |\n|------|-------|-------|\n| Team Standard | $25/seat/month | 5 seat minimum |\n| Team Premium | $150/seat/month | Includes Claude Code |\n| Enterprise | ~$60/seat/month | 70+ seats, annual contract |\n\nEstimated minimum enterprise contract: **$50,000/year**. Batch processing offers 50% API cost savings; prompt caching reduces costs up to 90% on repeated prompts.\n\n**Simple ROI Math:**\n\nFor an engineer costing $200K/year fully loaded:\n\n| Scenario | Annual Tool Cost | Productivity Gain | Value Created | ROI |\n|----------|------------------|-------------------|---------------|-----|\n| Conservative (20%) | $720/engineer | +$40,000 output | $39,280 | **55x** |\n| Realistic (26%) | $720/engineer | +$52,000 output | $51,280 | **71x** |\n| Optimistic (30%) | $720/engineer | +$60,000 output | $59,280 | **82x** |\n\nEven at conservative estimates, **every $1 spent returns $55+ in productivity**.\n\n**Enterprise ROI Case Studies:**\n\n| Organization | Industry | Result |\n|--------------|----------|--------|\n| Novo Nordisk | Pharma | 90% time reduction (10 weeks → 10 min); 50 writers → 3; Claude cost < 1 writer's salary |\n| Bridgewater | Finance | 50-70% time reduction on complex reports |\n| Pfizer | Pharma | 16,000 hours/year saved |\n| TELUS (57K employees) | Telecom | 30% code delivery velocity improvement |\n| Palo Alto Networks | Cybersecurity | 44% faster vulnerability response |\n| Altana | Supply chain/defense | 2-10x development velocity |\n\n**Novo Nordisk's deployment is instructive:** Their clinical study report writing went from 10+ weeks to 10 minutes. The team shrank from 50 writers to 3, with annual Claude spend less than one writer's salary—achieving potential savings of **$15 million/day** from faster drug-to-market timelines.\n\n### Key Insight\n\n**This is no longer experimental.** 90% of Fortune 100 have deployed. The question isn't whether to adopt AI coding tools—it's which ones and how to standardize. Even with conservative 20% productivity estimates, the ROI is overwhelming—the real risk is *not* adopting.\n\n| Innovation | First Mover | Date | Followers |\n|------------|-------------|------|-----------|\n| **AI Code Completion** | GitHub Copilot | June 2021 | Cursor (2023), Windsurf (2024) |\n| **Chat Interface** | ChatGPT | Nov 2022 | Claude Web (Mar 2023), Copilot Chat (Jul 2023) |\n| **Agentic Coding (CLI)** | Claude Code | Feb 2025 | Codex (May 2025) |\n| **MCP (Tool Protocol)** | Anthropic | Nov 2024 | OpenAI (Mar 2025), Google (May 2025), VS Code (Jul 2025) |\n| **Extended Thinking** | Claude 3.7 | Feb 2025 | o1 had reasoning (Sep 2024) but Claude was first \"hybrid\" |\n| **Computer Use** | Claude 3.5 | Oct 2024 | OpenAI Operator (Jan 2025) |\n| **Multi-Model IDE** | Cursor | 2024 | Copilot (Oct 2024), Windsurf (2025) |\n| **Background Agents** | Cursor | Jun 2025 | Claude Code has subagents |\n| **Consumer Plugin Marketplace** | ChatGPT | Mar 2023 | Copilot Extensions (May 2024), Claude Integrations (Jun 2025) |\n| **Enterprise Private Plugin Marketplace** | Claude Code | 2025 | **No competitors** - unique capability |\n\n**Key Insight**: Anthropic consistently leads in novel capabilities (MCP, extended thinking, computer use, agentic CLI, enterprise plugin marketplace), while OpenAI/Microsoft lead in distribution and ecosystem breadth.\n\n---\n\n## Tool Release Timeline\n\n```\n2021\n Jun 29 - GitHub Copilot technical preview (OpenAI Codex)\n\n2022\n Mar - Cursor founded (Anysphere)\n Jun 29 - GitHub Copilot GA ($10/mo)\n Nov 30 - ChatGPT web launch\n\n2023\n Feb 1 - ChatGPT Plus ($20/mo)\n Mar 14 - Claude web launch (waitlist)\n Mar 22 - Copilot X announced (GPT-4 upgrade)\n Mar 23 - ChatGPT Plugins alpha\n Jul 11 - Claude 2 public access (claude.ai)\n Aug - ChatGPT Enterprise\n Sep 7 - Claude Pro ($20/mo)\n Oct - Cursor launches publicly with GPT-4\n Nov 6 - Custom GPTs announced\n Dec - Copilot Chat GA\n\n2024\n Jan 10 - GPT Store, ChatGPT Team\n Feb 27 - Copilot Enterprise GA ($39/user)\n Mar 4 - Claude 3 family (vision capabilities)\n May 1 - Claude Team ($30/user)\n May 13 - GPT-4o, ChatGPT Mac app\n May 21 - Copilot Extensions beta\n Jun 20 - Claude 3.5 Sonnet + Artifacts\n Aug - Cursor Series A ($400M valuation)\n Sep 4 - Claude Enterprise\n Sep 12 - OpenAI o1 (reasoning models)\n Oct 22 - Claude Computer Use (first frontier model)\n Oct 29 - Copilot multi-model (Claude, Gemini added)\n Oct 31 - Claude Desktop app\n Nov 13 - Windsurf launches (\"first agentic IDE\")\n Nov 25 - MCP announced by Anthropic\n Dec - Cursor Series B ($2.6B valuation)\n Dec 5 - ChatGPT Pro ($200/mo)\n Dec 18 - Copilot Free tier\n\n2025\n Feb 6 - Copilot Agent Mode preview\n Feb 24 - Claude Code research preview + Claude 3.7 (extended thinking)\n Mar 26 - OpenAI adopts MCP\n Apr 9 - Claude Max ($100-200/mo)\n Apr 16 - Codex CLI open-sourced\n May 16 - OpenAI Codex cloud agent\n May 22 - Claude Code GA + Claude 4\n May 27 - Claude Voice Mode\n Jun 3 - Claude Integrations (MCP on web)\n Jun 4 - Cursor 1.0 (Background Agents)\n Jul 14 - VS Code MCP GA\n Jul 14 - Windsurf acquired (Google + Cognition)\n Oct 20 - Claude Code on web\n Oct 29 - Cursor 2.0 (Composer model)\n Nov - Claude Code $1B ARR\n Dec 2 - Anthropic acquires Bun\n Dec 9 - MCP donated to Linux Foundation\n\n2026\n Jan 12 - Claude Cowork (GUI for non-technical users)\n```\n\n---\n\n## Feature Comparison Matrix\n\n### Core Capabilities\n\n| Feature | Claude Code | Codex | Cursor | Copilot | Windsurf | ChatGPT |\n|---------|-------------|-------|--------|---------|----------|---------|\n| **Code Completion** | Via IDE plugins | Via API | Native | Native | Native | No |\n| **Chat Interface** | CLI + IDE | Web + CLI | Native | Native | Native | Web/App |\n| **Multi-file Editing** | Yes | Yes | Yes | Yes (Edits) | Yes | No |\n| **Agentic Mode** | Yes | Yes | Yes | Yes | Yes (Cascade) | Limited |\n| **Terminal Access** | Native | Sandbox | Yes | Yes | Yes | No |\n| **Background Tasks** | Yes (subagents) | Yes (parallel) | Yes | No | No | No |\n| **Extended Thinking** | Yes (128K tokens) | Yes (reasoning) | Via model | Via model | No | Via o1 |\n| **Computer Use** | No | No | No | No | No | Operator |\n\n### Configuration & Customization\n\n| Feature | Claude Code | Codex | Cursor | Copilot | Windsurf |\n|---------|-------------|-------|--------|---------|----------|\n| **Project Config File** | CLAUDE.md | AGENTS.md | .cursorrules | copilot-instructions.md | memories |\n| **MCP Support** | Full (stdio + HTTP) | stdio only | Tools only | GA (Jul 2025) | Yes |\n| **Plugin System** | Yes (Dec 2025) | Skills (Dec 2025) | Extensions | Extensions (GA Feb 2025) | Limited |\n| **Custom Agents** | Agent SDK | No | No | No | No |\n| **Hooks System** | Yes | No | No | No | Cascade Hooks |\n\n### Model Access\n\n| Tool | Models Available |\n|------|------------------|\n| **Claude Code** | Claude Opus 4.5, Sonnet 4, Haiku |\n| **Codex** | GPT-5.x Codex, codex-mini |\n| **Cursor** | Claude, GPT, Gemini, Composer (own model) |\n| **Copilot** | GPT-4.1, Claude, Gemini (Oct 2024+) |\n| **Windsurf** | SWE-1.x (own), Claude, GPT, DeepSeek |\n| **ChatGPT** | GPT-4o, o1, GPT-5.x |\n\n---\n\n## Pricing Comparison\n\n### Individual Plans\n\n| Tool | Free | Pro/Plus | Power User |\n|------|------|----------|------------|\n| **Claude** | Limited | $20/mo (Pro) | $100-200/mo (Max) |\n| **ChatGPT** | Limited | $20/mo (Plus) | $200/mo (Pro) |\n| **Cursor** | 50 requests | $20/mo | $200/mo (Ultra) |\n| **Copilot** | 2000 completions | $10/mo | $39/mo (Pro+) |\n| **Windsurf** | 25 credits | $15/mo | N/A |\n| **Codex** | Bundled with ChatGPT | Bundled | API pricing |\n\n### Enterprise Plans\n\n| Tool | Price | Min Users | Key Features |\n|------|-------|-----------|--------------|\n| **Claude Enterprise** | Custom (~$60/seat reported) | Unknown | 500K context, SSO, audit logs, SCIM |\n| **ChatGPT Enterprise** | Custom (~$60/seat reported) | 150+ | SSO, admin console, no training on data |\n| **Cursor Enterprise** | Custom | Unknown | SOC 2, SAML SSO, SCIM, privacy mode |\n| **Copilot Enterprise** | $39/user/mo | Unknown | Fine-tuning, knowledge base, IP indemnity |\n| **Windsurf Enterprise** | $60/user/mo | Unknown | Self-hosted option, FedRAMP |\n\n---\n\n## MCP Adoption Timeline\n\nMCP (Model Context Protocol) is Anthropic's open standard for connecting AI to external tools. It's becoming the \"USB-C of AI.\"\n\n| Date | Event |\n|------|-------|\n| **Nov 2024** | Anthropic announces MCP, Claude Desktop ships with support |\n| **Dec 2024** | Windsurf begins MCP integration |\n| **Feb 2025** | Claude Code launches with MCP |\n| **Mar 2025** | **OpenAI adopts MCP** - major validation |\n| **May 2025** | Google announces Gemini MCP support, Cursor adds native MCP |\n| **Jun 2025** | Claude.ai gets MCP via Integrations |\n| **Jul 2025** | VS Code/Copilot MCP becomes GA |\n| **Dec 2025** | MCP donated to Linux Foundation (vendor-neutral governance) |\n\n**Ecosystem Size (End 2025)**:\n\n- 11,400+ MCP servers registered\n- 300+ MCP clients\n- 97M+ monthly SDK downloads\n- 90% of organizations projected to use MCP\n\n**Key Point**: Anthropic created the standard that everyone else adopted. Being on the Anthropic ecosystem means being 6-12 months ahead on MCP tooling.\n\n---\n\n## Enterprise Feature Comparison\n\n| Feature | Claude | ChatGPT | Cursor | Copilot |\n|---------|--------|---------|--------|---------|\n| **SSO (SAML)** | Yes | Yes | Yes | Yes |\n| **SCIM Provisioning** | Yes | Yes | Yes | Yes |\n| **Audit Logs** | 30 days, SIEM export | Yes | Yes | 180 days |\n| **SOC 2 Type II** | Yes | Yes | Yes | Yes |\n| **Data Retention Control** | Yes | Yes | Privacy Mode | Yes |\n| **IP Indemnity** | Unknown | Unknown | Unknown | Yes |\n| **Self-Hosted Option** | No | No | No | No |\n| **FedRAMP** | Via cloud providers | In process | No | Windsurf only |\n\n---\n\n## Secure Environment Support (FedRAMP, CUI, Air-Gapped)\n\nThis section covers deployment options for regulated environments including federal government, defense contractors, and organizations handling CUI (Controlled Unclassified Information).\n\n### FedRAMP Authorization Is No Longer a Bottleneck\n\nThe lag between commercial AI release and FedRAMP authorization has **collapsed from 17 months to under 3 months**. This changes the calculus for tool selection—we no longer need to choose based on \"what's authorized today\" because authorization follows quickly.\n\n::: {#cell-fig-fedramp-lag .cell execution_count=1}\n\n::: {.cell-output .cell-output-display execution_count=2}\n![Time from commercial release to FedRAMP authorization is converging toward zero.](trade-study_files/figure-html/fig-fedramp-lag-output-1.svg){#fig-fedramp-lag}\n:::\n:::\n\n\n| Model | Commercial Release | FedRAMP High | Lag Time |\n|-------|-------------------|--------------|----------|\n| GPT-4 | March 2023 | August 2024 | **17 months** |\n| GPT-4o | May 2024 | August 2024 | **3 months** |\n| Claude 3.5 Sonnet | June 2024 | May 2025 | 11 months |\n| Claude 3.7 Sonnet | February 2025 | July 2025 | **~5 months** |\n| Claude Sonnet 4.5 | September 2025 | November 2025 | **~2 months** (GovCloud) |\n| Gemini 2.0 Flash | December 2024 | Inherited | **~3-4 months** |\n\n**Why authorization is accelerating:**\n\n1. **FedRAMP 20x** (March 2025) — Replaced paper-heavy processes with automation. Average authorization dropped from 12+ months to **~5 weeks**. Cleared 114 authorizations in FY25 (2x FY24).\n\n2. **AI prioritization framework** (August 2025) — FedRAMP Board fast-tracked \"AI-based cloud services\" for **2-month authorization** pathways.\n\n3. **Cloud partner inheritance** — All three frontier providers (Anthropic, OpenAI, Google) leverage existing cloud authorizations rather than pursuing standalone certification.\n\n**Strategic implication:** Choose tools based on capability and ecosystem fit, not authorization status. By the time you've completed procurement and rollout, any tool you choose will likely be authorized.\n\n### FedRAMP Authorization Status\n\n| Tool | FedRAMP Status | IL Levels | How |\n|------|----------------|-----------|-----|\n| **Windsurf** | **FedRAMP High** (Mar 2025) | IL4, IL5, IL6, ITAR | Via Palantir FedStart on AWS GovCloud. First AI coding assistant with FedRAMP High. |\n| **Azure OpenAI** | **FedRAMP High** | IL4, IL5, **IL6**, **Top Secret** | [GPT-4o authorized for all classification levels](https://devblogs.microsoft.com/azuregov/azure-openai-authorization/) including Top Secret (ICD 503) as of Jan 2025. |\n| **Claude** | **FedRAMP High** | IL2, IL4, IL5 | Via [AWS GovCloud](https://aws.amazon.com/blogs/publicsector/accelerating-government-innovation-amazon-bedrock-models-get-fedramp-high-and-dod-il-4-5-approval-in-aws-govcloud-us/) (Bedrock) and [Google Cloud Vertex AI](https://www.anthropic.com/news/claude-on-google-cloud-fedramp-high). **No IL6 or Top Secret.** |\n| **ChatGPT/Codex** | **In Process** | IL5 (self-hosted) | [ChatGPT Gov](https://openai.com/global-affairs/introducing-chatgpt-gov/) can be self-hosted in Azure GCC for IL5, CJIS, ITAR, FedRAMP High compliance. SaaS pursuing FedRAMP Moderate/High. |\n| **GitHub Copilot** | **Pursuing Moderate** | N/A | [GitHub pursuing FedRAMP Moderate](https://github.com/newsroom/press-releases/github-to-pursue-fedramp-moderate) (Oct 2024). Copilot not separately authorized. |\n| **Cursor** | **None** | N/A | SOC 2 Type II only. No FedRAMP path announced. Cloud-only. |\n| **Tabnine** | **Unknown** | N/A | Not listed on FedRAMP marketplace. Contact vendor for status. |\n\n### GovCloud Model Availability\n\nNot all models are available in government environments. Here's what you actually get:\n\n**Claude (AWS GovCloud / Bedrock)**:\n\n| Model | Regions | Authorization |\n|-------|---------|---------------|\n| Claude Sonnet 4.5 | US-West, US-East (cross-region) | FedRAMP High, IL4/IL5 |\n| Claude 3.7 Sonnet | US-West | FedRAMP High, IL4/IL5 |\n| Claude 3.5 Sonnet v1 | GovCloud (US) | FedRAMP High, IL4/IL5 |\n| Claude 3 Haiku | GovCloud (US) | FedRAMP High, IL4/IL5 |\n\n**Not available in GovCloud**: Claude Opus 4.5 (flagship), Claude Code (agentic tool)\n\n**OpenAI (Azure Government)**:\n\n| Model | Authorization |\n|-------|---------------|\n| GPT-4o | FedRAMP High, IL4, IL5, **IL6**, **Top Secret (ICD 503)** |\n| GPT-4 | FedRAMP High, IL4, IL5, IL6 |\n| GPT-3.5 | FedRAMP High, IL4, IL5 |\n| DALL-E | FedRAMP High, IL4, IL5 |\n\n**Key difference**: OpenAI via Azure has IL6 and Top Secret authorization. Claude maxes out at IL5. For classified work, OpenAI has a significant advantage.\n\n### Deployment Options by Environment\n\n| Environment | Windsurf | Claude | ChatGPT/Codex | Cursor | Copilot | Tabnine |\n|-------------|----------|--------|---------------|--------|---------|---------|\n| **SaaS (Commercial Cloud)** | Yes | Yes | Yes | Yes | Yes | Yes |\n| **GovCloud (AWS/Azure)** | Yes | Yes | Yes (ChatGPT Gov) | No | No | Unknown |\n| **VPC / Private Cloud** | Yes | Via Bedrock | ChatGPT Gov | No | No | Yes |\n| **Self-Hosted On-Prem** | Yes | No | ChatGPT Gov | No | No | Yes |\n| **Air-Gapped (Fully Offline)** | **Yes** | No | No | No | No | **Yes** |\n\n### Air-Gapped Deployment Details\n\nOnly **Windsurf** and **Tabnine** offer true air-gapped deployment:\n\n**Windsurf (Self-Hosted Tier)**:\n\n- Docker Compose or Helm chart deployment\n- Customer-managed GPU-enabled tenant\n- Connects to customer's private LLM endpoint (Bedrock, Azure OpenAI, Vertex AI)\n- Offline install/update via private container registry\n- No outbound traffic except to trusted LLM endpoint\n- [Source: Windsurf Enterprise](https://windsurf.com/enterprise)\n\n**Tabnine (Enterprise)**:\n\n- [Purpose-built for air-gapped deployment](https://www.tabnine.com/blog/the-only-airgapped-ai-software-development-platform/)\n- All inference and context handling within your environment\n- No external API calls, no cloud dependencies, no data egress\n- Deployed in SCIFs and DoDIN enclaves\n- LLM-agnostic: deploy commercial, open-source, or proprietary models\n- [Source: Tabnine Air-Gapped Guide](https://docs.tabnine.com/main/administering-tabnine/private-installation/server-setup-guide/air-gapped-deployment-guide)\n\n**GitHub Copilot** explicitly cannot work in air-gapped environments - the model runs in the cloud only.\n\n**Cursor** is cloud-only on AWS with no self-hosted or air-gapped options.\n\n### CUI (Controlled Unclassified Information) Support\n\nCUI handling requires NIST SP 800-171 compliance, typically achieved through:\n\n- FedRAMP High authorization\n- DoD IL4+ certification\n- CMMC 2.0 compliance\n\n| Tool | CUI Support | Notes |\n|------|-------------|-------|\n| **Windsurf** | **Yes** | Explicitly maps to [NIST SP 800-171 and CMMC 2.0](https://windsurf.com/security). FedRAMP High + IL5 + ITAR compliant. |\n| **Claude** | **Yes** | Via AWS GovCloud (IL4/IL5) or Google Cloud Vertex AI (FedRAMP High). |\n| **ChatGPT Gov** | **Yes** | Self-hosted in Azure GCC supports IL5, CJIS, ITAR. |\n| **Azure OpenAI** | **Yes** | FedRAMP High in Azure Government. |\n| **Cursor** | **No** | SOC 2 only. Not suitable for CUI workloads. |\n| **Copilot** | **Limited** | GitHub pursuing FedRAMP Moderate. Copilot itself not authorized for CUI. |\n| **Tabnine** | **Likely** | Air-gapped deployment in customer environment. No FedRAMP listing but deployed in defense environments. |\n\n### FedRAMP Scope Guidance (Aug 2025)\n\n[FedRAMP updated guidance](https://www.fedramp.gov/scope/) on AI coding assistants:\n\n- **Out of Scope**: AI assistants used on entirely public code repositories (info already public)\n- **In Scope**: AI assistants used on private repositories with controlled access and protected information\n\nThis means: if your org uses AI coding tools on proprietary/internal code, FedRAMP authorization matters.\n\n### Security Certification Summary\n\n| Tool | SOC 2 | FedRAMP | HIPAA | ITAR | Self-Hosted | Air-Gapped |\n|------|-------|---------|-------|------|-------------|------------|\n| **Windsurf** | Type II | **High** | BAA | **Yes** | **Yes** | **Yes** |\n| **Claude** | Type II | **High** (via cloud) | Unknown | Via GovCloud | No | No |\n| **ChatGPT/Codex** | Type II | In Process | Enterprise | ChatGPT Gov | ChatGPT Gov | No |\n| **Cursor** | Type II | No | No | No | No | No |\n| **Copilot** | Type II | Pursuing | No | No | No | No |\n| **Tabnine** | Type II | Unknown | Unknown | Unknown | **Yes** | **Yes** |\n\n### Key Takeaways for Secure Environments\n\n1. **Defense/IC work requiring air-gapped**: Windsurf or Tabnine are your only options\n2. **Federal civilian (FedRAMP High)**: Windsurf, Claude (via GovCloud), or ChatGPT Gov\n3. **CUI handling**: Windsurf, Claude via GovCloud, or ChatGPT Gov self-hosted\n4. **Commercial regulated (SOC 2 sufficient)**: Any tool works\n5. **Cursor is unsuitable** for any government or CUI workload - no FedRAMP, no self-hosted, cloud-only\n\n**For Shield AI's defense work**: This may be a limiting factor. Claude Code itself doesn't have air-gapped deployment, but Claude models are available via AWS GovCloud at IL4/IL5. Windsurf is the only AI IDE with FedRAMP High + air-gapped capability.\n\n---\n\n## Enterprise Private Plugin Marketplace (Claude Code Exclusive)\n\nThis is a **major enterprise differentiator** with no equivalent from competitors.\n\n### What Claude Code Offers\n\nClaude Code allows enterprises to [host their own private plugin marketplace](https://code.claude.com/docs/en/plugin-marketplaces):\n\n| Capability | Description |\n|------------|-------------|\n| **Self-hosted** | Just a `marketplace.json` on your own GitHub/GitLab/internal git |\n| **Private repos** | Auth token support for enterprise git hosts |\n| **Bundles everything** | Commands + agents + MCP servers + hooks in one installable package |\n| **Team distribution** | Auto-prompt install when team members trust a project folder |\n| **Air-gap compatible** | No external marketplace dependency |\n| **Version controlled** | Everything lives in git with full history |\n\n### How It Works\n\n1. Create a `marketplace.json` listing your plugins\n2. Host on any git server (GitHub, GitLab, internal)\n3. Team members add via `/plugin marketplace add <url>`\n4. Plugins auto-update when marketplace updates\n5. Private repos work with `GITHUB_TOKEN` or `GITLAB_TOKEN`\n\n### What Plugins Can Bundle\n\nA single Claude Code plugin can include:\n\n- **Slash commands** - Custom `/commands` for your workflows\n- **Agents** - Domain-specific agents for your codebase\n- **MCP servers** - Connections to internal APIs/databases\n- **Hooks** - Automated triggers (pre-commit, post-test, etc.)\n\n### Competitor Comparison\n\n| Tool | Private Enterprise Marketplace |\n|------|-------------------------------|\n| **Claude Code** | **Yes** - Self-hosted, git-based, bundles commands/agents/MCP/hooks |\n| **Copilot Extensions** | Partial - but **deprecated Nov 2025**. GitHub recommends MCP instead. No enterprise allowlist/blocklist. |\n| **Cursor** | **No** - Uses OpenVSX for VS Code extensions. No AI-specific plugin system. Microsoft actively blocking marketplace access. |\n| **Codex** | **No** - GitHub-based Skills catalog only, no enterprise hosting infrastructure |\n| **Windsurf** | **No** - No plugin marketplace system |\n\n### Why This Matters for Enterprise\n\n1. **Internal tooling** - Build plugins for proprietary APIs, databases, deployment systems\n2. **Governance** - Curate exactly which plugins your org uses\n3. **Security** - Keep everything behind your firewall\n4. **Consistency** - Every engineer gets the same tooling automatically\n5. **IP protection** - No proprietary code leaves your infrastructure\n6. **Onboarding** - New engineers get full tooling by trusting the project folder\n\n### Example Use Cases\n\n- Plugin that connects to your internal deployment system\n- Agent trained on your architecture patterns\n- MCP server for your proprietary database\n- Hooks that enforce your code review process\n- Commands that integrate with internal ticketing\n\n**Bottom line**: No other tool lets enterprises build, host, and distribute their own AI coding plugins. This is a unique capability that enables true organizational standardization.\n\n---\n\n## Benchmark Performance\n\n### SWE-bench Verified (Jan 2026)\n\n```{python}\n#| label: fig-swebench-full\n#| fig-cap: \"SWE-bench Score vs Cost (Jan 2026). Shape and color indicate GovCloud authorization level.\"\n\nimport matplotlib.pyplot as plt\nimport matplotlib.patches as mpatches\n\n# Data\nmodels = [\n {\"model\": \"Claude 4.5 Opus\", \"score\": 74.4, \"cost\": 0.72, \"govcloud\": \"Not Available\"},\n {\"model\": \"Gemini 3 Pro\", \"score\": 74.2, \"cost\": 0.46, \"govcloud\": \"Not Available\"},\n {\"model\": \"GPT-5.2\", \"score\": 71.8, \"cost\": 0.52, \"govcloud\": \"IL6 / Top Secret\"},\n {\"model\": \"Claude 4.5 Sonnet\", \"score\": 70.6, \"cost\": 0.56, \"govcloud\": \"FedRAMP High (IL4/5)\"},\n {\"model\": \"GPT-4o\", \"score\": 21.62, \"cost\": 1.53, \"govcloud\": \"IL6 / Top Secret\"}\n]\n\n# Color and marker mapping\ncolor_map = {\n \"IL6 / Top Secret\": \"#059669\",\n \"FedRAMP High (IL4/5)\": \"#D97706\",\n \"Not Available\": \"#9CA3AF\"\n}\nmarker_map = {\n \"IL6 / Top Secret\": \"^\",\n \"FedRAMP High (IL4/5)\": \"o\",\n \"Not Available\": \"X\"\n}\n\nfig, ax = plt.subplots(figsize=(10, 7))\n\nfor m in models:\n ax.scatter(m[\"cost\"], m[\"score\"],\n c=color_map[m[\"govcloud\"]],\n marker=marker_map[m[\"govcloud\"]],\n s=200, zorder=3)\n ax.annotate(m[\"model\"], (m[\"cost\"], m[\"score\"]),\n textcoords=\"offset points\", xytext=(0, 12),\n ha='center', fontsize=10)\n\nax.set_xlabel(\"Cost per Instance ($)\", fontsize=12)\nax.set_ylabel(\"SWE-bench Verified Score (%)\", fontsize=12)\nax.set_xlim(0, 1.8)\nax.set_ylim(0, 85)\nax.grid(True, alpha=0.3)\nax.set_title(\"SWE-bench Score vs Cost (Jan 2026)\", fontsize=14)\n\n# Legend\nlegend_elements = [\n mpatches.Patch(color=\"#059669\", label=\"IL6 / Top Secret\"),\n mpatches.Patch(color=\"#D97706\", label=\"FedRAMP High (IL4/5)\"),\n mpatches.Patch(color=\"#9CA3AF\", label=\"Not Available\")\n]\nax.legend(handles=legend_elements, title=\"GovCloud Status\", loc=\"lower right\")\n\nplt.tight_layout()\nplt.show()\n```\n\n| Model | Score | Cost/Instance | GovCloud |\n|-------|-------|---------------|----------|\n| Claude 4.5 Opus | **74.4%** | $0.72 | Not Available |\n| Gemini 3 Pro Preview | 74.2% | $0.46 | Not Available |\n| GPT-5.2 (high reasoning) | 71.8% | $0.52 | IL6/TS |\n| Claude 4.5 Sonnet* | 70.6% | $0.56 | IL4/5 |\n| GPT-4o | 21.6% | $1.53 | IL6/TS |\n\n\\* Claude 4.5 Sonnet is the latest Anthropic model available in AWS GovCloud (FedRAMP High, IL4/IL5)\n\nOpenAI models available through IL6 and Top Secret via Azure Government\n\n**Key insight**: Claude 4.5 Sonnet (the best GovCloud option) scores within 4 points of the flagship Opus model. For FedRAMP High workloads, you're not giving up much performance.\n\n### Speed vs Quality Tradeoff\n\n| Tool | Tokens/sec | Notes |\n|------|------------|-------|\n| Windsurf SWE-1.5 | 950 | 13x faster than Sonnet |\n| Codex | ~73K tokens/task | 3x more efficient than Claude |\n| Claude Code | ~235K tokens/task | More thorough, higher quality |\n\n---\n\n## Key Differentiators by Tool\n\n### Claude Code\n\n- **First mover** in agentic CLI coding (Feb 2025)\n- **Created MCP** - 6-12 months ahead on ecosystem\n- **Highest SWE-bench score** (80.9%)\n- **Agent SDK** for building custom agents\n- **Hooks system** for autonomous workflows\n- **$1B ARR** in ~6 months - fastest growing\n\n### Codex (OpenAI)\n\n- **Cloud sandbox** - isolated execution environment\n- **Open source CLI** (Apache 2.0)\n- **Parallel task execution**\n- **Bundled with ChatGPT** - no separate subscription\n- **AGENTS.md** standard (now Linux Foundation)\n\n### Cursor\n\n- **AI-first IDE** - purpose-built interface\n- **Multi-model** - Claude, GPT, Gemini, own Composer model\n- **Background Agents** - work while you do other things\n- **BugBot** - automated code review\n- **$29B valuation** - massive investment in tooling\n\n### GitHub Copilot\n\n- **Distribution** - 20M+ users, 90% of Fortune 100\n- **IP Indemnity** - legal protection\n- **IDE breadth** - VS Code, JetBrains, Neovim, Xcode\n- **Enterprise maturity** - longest track record\n- **Multi-model** (Oct 2024) - but late to the party\n\n### Windsurf\n\n- **Cascade** - automatic context indexing\n- **SWE-1.x** - own model family, very fast\n- **Lower price** - $15/mo vs $20/mo\n- **Acquired** - Google hired leadership, Cognition bought product\n- **FedRAMP** - only tool with this certification\n\n### ChatGPT\n\n- **Broadest capabilities** - not coding-specific\n- **Operator** - computer use agent\n- **Deep Research** - autonomous research\n- **Largest user base** - brand recognition\n- **Voice mode** - multimodal interaction\n\n---\n\n## The Case for Anthropic Alignment\n\n### 1. Innovation Leadership\n\nAnthropic consistently ships novel capabilities 6-12 months before competitors:\n\n- MCP (Nov 2024) → OpenAI adopted Mar 2025\n- Computer Use (Oct 2024) → OpenAI Operator Jan 2025\n- Extended Thinking (Feb 2025) → Hybrid model first\n- Agentic CLI (Feb 2025) → Codex May 2025\n\n### 2. MCP Ecosystem Advantage\n\nBy aligning on Claude, you get:\n\n- Native MCP support from day one\n- Access to 11,400+ MCP servers\n- First-party integrations (Slack, GitHub, databases)\n- Remote MCP with OAuth\n- Plugin system for custom tools\n\n### 3. Configuration Portability\n\nCLAUDE.md files work across:\n\n- Claude Code (CLI)\n- Claude Desktop\n- Claude.ai (web)\n- IDE plugins (VS Code, JetBrains)\n\n### 4. Agent SDK\n\nOnly Anthropic offers a first-party SDK for building custom agents. This enables:\n\n- Custom workflows\n- Domain-specific agents\n- Integration with internal tools\n- Programmatic control\n\n### 5. Benchmark Leadership\n\nClaude consistently leads on:\n\n- SWE-bench (80.9% - highest score)\n- Complex reasoning tasks\n- Novel problem solving\n- Long-context understanding\n\n### 6. Enterprise Readiness\n\n- SOC 2 Type II\n- SAML SSO + SCIM\n- Audit logs with SIEM export\n- Zero data retention options\n- Managed settings for org-wide policy\n\n### 7. Enterprise Private Plugin Marketplace (Unique)\n\n**No competitor offers this.** Claude Code lets enterprises:\n\n- Host private plugin marketplaces on internal git\n- Bundle commands, agents, MCP servers, and hooks together\n- Distribute tooling automatically when engineers trust a project\n- Keep all proprietary tooling behind the firewall\n- Version control everything with full audit history\n\nThis enables true organizational standardization - every engineer gets the same AI tooling, configured the same way, updated automatically.\n\n---\n\n## Risks of Multi-Tool Strategy\n\n1. **No shared configuration** - CLAUDE.md ≠ AGENTS.md ≠ .cursorrules\n2. **No shared training** - each tool requires separate onboarding\n3. **No shared automation** - hooks/plugins don't transfer\n4. **Prompt incompatibility** - 27-76% performance drop when transferring prompts\n5. **Vendor lock-in fragmentation** - locked into multiple ecosystems instead of one\n6. **Support complexity** - multiple vendors to manage\n\n---\n\n## Recommendation\n\nStandardize on the **Anthropic ecosystem**:\n\n- **Claude Enterprise** for chat/general use\n- **Claude Code** for engineering\n- **MCP servers** for tool integration\n- **Agent SDK** for custom automation\n\nThis provides:\n\n- Single vendor relationship\n- Unified configuration (CLAUDE.md)\n- Shared MCP ecosystem\n- Consistent prompt optimization\n- Consolidated training and support\n\n---\n\n## Sources\n\n- [Anthropic News](https://www.anthropic.com/news)\n- [OpenAI Blog](https://openai.com/blog)\n- [GitHub Blog](https://github.blog)\n- [Cursor Changelog](https://cursor.com/changelog)\n- [Windsurf Changelog](https://windsurf.com/changelog)\n- [MCP Documentation](https://modelcontextprotocol.io)\n- [TechCrunch](https://techcrunch.com)\n- [arXiv Papers](https://arxiv.org) - Prompt sensitivity research\n\n",
"supporting": [
"trade-study_files"
],
"filters": [],
"includes": {}
}
}
View Git Blame Copy Permalink