271 Firefox flaws closed thanks to Mythos AI: Breakthrough for IT security?

Anthropic's "dangerous" AI could give IT security defenders the decisive edge. At least, that's what the Firefox team, which has access, believes.


In the latest Firefox update, 271 vulnerabilities were closed that the browser's development team found using Anthropic's new AI model, Claude Mythos Preview. Mozilla has now announced this, stating that for a hardened product like its browser, each of these vulnerabilities would have justified a red alert. Nevertheless, working with the AI model – which only a few companies working in IT security officially have access to – has been a hopeful experience, the team assures. In the eternal battle between attackers and defenders in the IT field, the latter finally have the opportunity to win “decisively” thanks to the breakthrough in AI development.

Anthropic introduced Mythos two weeks ago and stated that the model is so dangerous that it is only made available to companies working in IT security. The AI model has already identified thousands of high-risk zero-day vulnerabilities. At the same time, the AI technology is significantly more likely to develop a working exploit for such vulnerabilities, sometimes even using several in conjunction. Therefore, only companies that can use the tool to improve IT security have been granted access. To what extent this is honest concern, clever PR, or even a limitation based on Anthropic's resources not being sufficient for a release, is currently being hotly debated.

Mozilla's Firefox team is now among the first to share experiences with Mythos publicly. They have been working with Anthropic since February 2026; searches with the Opus 4.6 model had already uncovered 22 security-relevant bugs in Firefox 148. In the blog post announcing the release of Firefox version 150, the group now writes that they have long quietly recognized that the number of exploitable security vulnerabilities could never be reduced to zero. However, they have tried to make zero-day exploits so expensive that only actors with unlimited resources have access to them and do not use them against “normal” users. They reached this conclusion because attackers have an asymmetric advantage. The attack surface, for example in a browser, is not infinite but large enough to make defense with existing tools very difficult.


Until now, only a few people have been able to find security vulnerabilities through time-consuming source code analysis. Computers were “completely incapable” of this until a few months ago, and at Firefox, they have years of experience analyzing the work of these experts. Anthropic's Mythos Preview is now “every bit as capable” as these very few people: “So far, we haven't found any category or complexity of vulnerability that humans can uncover that this model can't uncover,” the team writes. While this sounds alarming, they also found that Mythos has not found any vulnerabilities that a top researcher couldn't have found.

Therefore, they do not share predictions that AI models will find entirely new forms of vulnerabilities in the future that exceed our current understanding: “The defects are finite, and we are entering a world where we can finally find them all.” While Firefox confirms Mythos's claimed capabilities with this, it is an initial indication of the possible consequences for IT security. At Mozilla, they actually assume that all vulnerabilities and all attack vectors can be found with the help of AI. This would be a huge gain for IT security. However, whether this will prove true remains to be seen. The update for Firefox is installed automatically, but it can also be initiated by clicking on “About Firefox” in the “Help” menu.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.