The first thing I did when I signed up for Claude was have it analyze my website for security holes. But it only recommended superficial changes, like the lifecycle of my JWTs. After reading this, I’m wondering if a prompt asking it to attack the website would be better than asking it where it should be beefed up. But I no longer pay for Claude, and I suspect it won’t give me instructions on how to attack something. How would one get past this?

Try framing your prompts as security assessments rather than attacks - ask the model to identify "potential vulnerabilities" or "security considerations" while providing specific technical details about your architecture.