For years, cybersecurity has been dominated by attackers. However, artificial intelligence is poised to shift this balance.
In a Tuesday blog post, Mozilla revealed that an early version of Claude Mythos AI from Anthropic identified, through internal testing, 271 vulnerabilities in the Firefox browser, which were subsequently patched. This achievement underscores how advanced AI systems can efficiently analyze extensive codebases and pinpoint weaknesses that would traditionally require significant human effort to uncover.
“The capabilities of these tools are now accessible to more defenders, leading many teams to experience a sense of vertigo similar to what we felt when the findings first emerged,” Mozilla stated. “For a hardened target, just one such vulnerability could trigger a red alert in 2025, and discovering so many raises questions about our ability to keep pace.”
Previously, another Anthropic model had identified 22 security-sensitive bugs in an older Firefox version. Despite these successes, Mozilla acknowledged that completely eliminating software exploits is an “unrealistic goal” for the cybersecurity industry.
“Until now, the industry has largely achieved a stalemate,” the company noted. “Vendors of critical internet-exposed software like Firefox take security extremely seriously, with dedicated teams focused on user safety every day.”
Mozilla explained that this AI system can scrutinize source code and spot vulnerabilities in ways that previously relied on limited human expertise. Yet Mozilla was reassured to find that none of the bugs were undetectable by “an elite human researcher.”
“Some predict future AI models will reveal entirely new types of vulnerabilities beyond current understanding,” they added. “However, software like Firefox is designed modularly for humans to comprehend its correctness. It’s complex but not arbitrarily so.”
These results suggest AI tools could enable developers to identify numerous vulnerabilities before attackers exploit them, though the technology also poses significant risks if misused.
Launched in March, Mythos represents Anthropic’s most advanced model for reasoning, coding, and cybersecurity tasks, described internally as a new tier beyond its earlier Opus series. Testing showed it could identify thousands of previously unknown vulnerabilities across major operating systems and web browsers.
Anthropic grants access to Mythos through Project Glasswing, allowing select tech companies like Amazon, Apple, and Microsoft to use the model for scanning software weaknesses. This initiative is part of a broader effort to leverage AI in identifying and patching vulnerabilities preemptively.
However, this technology could also facilitate new forms of cyberattack. Security experts warn that AI systems capable of large-scale code analysis might automate the discovery of exploitable vulnerabilities across widely used software.
Following Mythos’s launch, testing by the U.K.’s AI Security Institute found it could autonomously execute complex cyber operations, including a multi-stage corporate network attack simulation without human input. Such capabilities have attracted attention from governments and intelligence agencies.
Despite calls from President Donald Trump’s administration to cease using Anthropic’s technology over concerns about its military and surveillance applications, the National Security Agency has reportedly been running Claude Mythos Preview on classified networks, highlighting U.S. security agencies’ interest in its vulnerability identification abilities.
The model also revealed limitations in current AI evaluation systems; earlier this month, Anthropic admitted that several cybersecurity benchmarks no longer adequately measure the capabilities of its latest models.
Mozilla believes these results indicate a potential shift in cybersecurity dynamics, where defenders might begin to overcome attackers’ long-standing advantage. “We are extremely proud of how our team rose to meet this challenge,” Mozilla wrote. “Others will do the same. Our journey isn’t over, but we’ve turned a corner and can envision a future where defenders decisively win.”
Mozilla did not immediately respond to Decrypt’s request for comment.