- Mozilla used Anthropic’s Mythos AI to find hundreds of Firefox vulnerabilities, matching top human researchers in capability
- The experiment suggests AI can now reason through code to uncover complex bugs at scale
- This shift could reduce the advantage attackers have traditionally had in discovering valuable zero-day vulnerabilities
Mozilla thinks AI could change how bugs are found for good — so it turned a version of the Claude model loose on its own browser code. The company's security team has spent the past few months collaborating with Anthropic and testing an early version of the Claude Mythos Preview model against its browser code.
In just one round of testing, the AI model helped find 22 security-sensitive bugs, all fixed ahead of Firefox’s latest release, along with 90 other bugs.
“Mythos Preview is every bit as capable” as the world’s best security researchers, Mozilla concluded.
Bug bottleneck
Software security has always depended on a small number of people who can read complex code and see where it might fail. These researchers do not rely on brute force. They rely on reasoning, tracing how different parts of a system interact and identifying the places where those interactions break down.
Automated tools like fuzzers can probe systems at scale, but they tend to be uneven. They explore some paths thoroughly and miss others entirely. That's where human experts come in. But Mythos could reproduce the work that humans did, matching their abilities in many ways.
“Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise," Mozilla explained in its post. “Computers were completely incapable of doing this a few months ago, and now they excel at it.”
For Mozilla’s team, the immediate reaction was less celebration than recalibration. Finding one serious vulnerability used to trigger a focused response. Finding hundreds at once required something else entirely.
Essentially, the AI made it so that discovering the bugs doesn't take long. Fixing it is the challenge.
Cybersecurity defense evolution
The cybersecurity industry usually assumes that circumstances favor attackers, as a system can have many potential weaknesses, and an attacker only needs one. Defenders, by contrast, need to protect everything.
So companies try to make it costly to exploit vulnerabilities rather than fruitlessly trying to get rid of all of them. Highly valuable flaws, known as zero-days, have been treated as rare assets. But AI models like Mythos could change that equation.
“This can feel terrifying in the immediate term, but it’s ultimately great news for defenders,” the company wrote. "A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap."
Mozilla frames this as the beginning of a more balanced contest. That said, the flaws uncovered by Mythos are not new; they were just found much faster. The uncomfortable flip side of this, which Mozilla chooses to ignore, is that attackers have access to the same AI tools, and it's become a race of AI for defense vs AI for offense.
If Mythos can keep up this pace, researchers will have to work faster to deal with it. Mozilla's team had to adjust quickly, focusing on fixing the biggest flaws while keeping the browser code stable.
“We’ve turned the corner and can glimpse a future much better than just keeping up,” Mozilla wrote. "The defects are finite, and we are entering a world where we can finally find them all."
