How Anthropic’s Mythos AI Rewrote Firefox’s Approach to Finding Security Bugs

When Anthropic introduced its Mythos AI model in April, the company issued a stark warning to the software industry: the model had become so adept at finding vulnerabilities that thousands of critical bugs needed patching before the system could be publicly released. Now, Mozilla’s Firefox security team is offering a detailed look at how Mythos has transformed their vulnerability discovery process, uncovering flaws that had remained hidden for more than a decade.

Mythos Finds Bugs Human Researchers Missed

In a blog post published Thursday, Mozilla revealed that Mythos had identified a significant number of high-severity vulnerabilities in Firefox, including some that had been dormant in the codebase for over 15 years. The findings mark a dramatic leap forward from earlier AI-powered security tools, which often overwhelmed teams with false positives and low-quality reports.

Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch that the improvement has been startling. “These things are actually just suddenly very good,” he said. “We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.”

The results speak for themselves. In April 2026, Firefox shipped 423 bug fixes, compared to just 31 in the same month a year earlier. The team also published details on 12 specific bugs, ranging from sandbox vulnerabilities to a 15-year-old parsing error in how the browser handles an HTML element.

Agentic Systems Filter Out Noise

Until recently, AI-driven bug detection suffered from a critical flaw: models lacked the ability to assess their own work, flooding security teams with unreliable reports. Mozilla’s researchers say the latest generation of agentic systems has turned a corner. These models can now evaluate their own findings, filter out false positives, and focus on genuinely exploitable vulnerabilities.

“It is difficult to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

Sandbox Vulnerabilities: The Hardest Target

Among the most impressive discoveries were flaws in Firefox’s sandbox, the browser’s most secure layer. To find sandbox vulnerabilities, Mythos must write a patch that compromises the browser, then attack the most protected part of the software with that code in place. This multi-step process requires both creativity and precision.

Mozilla’s bug bounty program offers up to $20,000 for sandbox vulnerabilities, the highest reward available. Yet Grinstead says Mythos is finding more sandbox issues than human researchers ever did. “We do get them,” he said, “but not at the volume that we are able to find with this technique.”

AI Finds Bugs, Humans Still Fix Them

Despite the advances in detection, Mozilla is not yet using AI to write patches. The team does ask the model to generate fixes for each bug, but the resulting code usually cannot be deployed directly and instead serves as a reference for human engineers.

“For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead said. “We have not found it to be automatable.”

The Broader Security Sector

It remains unclear how AI’s emerging capabilities will shift the balance between attackers and defenders. One month after Mythos was previewed, most of the bugs it discovered likely have not been patched, making it difficult to assess the full scope of its impact. Anthropic has followed responsible disclosure norms, but it is likely that malicious actors are using similar techniques behind the scenes.

Speaking at a recent event, Anthropic CEO Dario Amodei expressed optimism that the tools would ultimately favor defenders. “If we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find,” he said. “I think there’s a better world on the other side of this.”

Grinstead offered a more measured view. “It’s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.”

Conclusion

Mozilla’s experience with Mythos demonstrates that AI-powered vulnerability detection has reached a new level of effectiveness. The model’s ability to find sandbox flaws and decade-old bugs that human researchers missed marks a significant milestone for software security. While questions remain about how these tools will affect the broader cybersecurity field, the immediate impact for Firefox has been a dramatic increase in the number of bugs identified and fixed. The industry now faces the challenge of ensuring that defensive capabilities keep pace with the threats that similar AI systems could enable.

FAQs

Q1: What is Anthropic’s Mythos model?
Mythos is an AI model developed by Anthropic that is highly proficient at identifying software vulnerabilities. It was previewed in April 2026 and has since been used by Mozilla to find critical bugs in Firefox.

Q2: How many bugs did Mythos find in Firefox?
Mozilla reported that in April 2026, Firefox shipped 423 bug fixes, compared to 31 in the same month a year earlier. The team has published details on 12 specific bugs, including sandbox vulnerabilities and a 15-year-old parsing error.

Q3: Is Mozilla using AI to fix the bugs it finds?
No. While the AI can generate suggested patches, Mozilla engineers manually write and review all fixes. The AI-generated code serves as a reference, but has not been found to be reliable enough for direct deployment.

CoinPulseHQ Editorial
