Anthropic’s AI model identified hundreds of flaws in Mozilla’s browser during internal testing
Mozilla announced in a post published Tuesday that a preliminary version of Claude Mythos, the AI model developed by Anthropic, identified 271 vulnerabilities in the Firefox browser during internal testing sessions. The flaws were patched this week.
Mozilla had previously tested another Anthropic model, which had identified 22 critical security bugs in an earlier version of Firefox. Despite these successes, the company acknowledged that the cybersecurity industry has long considered the complete elimination of software exploits an “unrealistic” goal. “Until now, the industry has essentially been fighting security to a draw,” Mozilla wrote. “Vendors of critical internet-facing software like Firefox take security very seriously and have teams of people who wake up every morning thinking about how to keep users safe.”
Mozilla noted that the new AI system can analyze source code and identify vulnerabilities in ways that previously depended on scarce human expertise. The company did, however, highlight one reassuring finding: none of the bugs discovered were undetectable by “an elite human researcher.” “Some commentators predict that future AI models will uncover entirely new classes of vulnerabilities that challenge our current understanding, but we don’t see it that way,” Mozilla stated. “Software like Firefox is designed in a modular fashion to allow humans to reason about its correctness.”
Launched in March, Claude Mythos is Anthropic’s most advanced model for reasoning, coding, and cybersecurity tasks, positioned as part of a new tier beyond the previous Opus series. Anthropic has restricted access to the system through a limited program called Project Glasswing, which allows a selection of technology companies — including Amazon, Apple, and Microsoft — to use the model to scan software for vulnerabilities. Tests conducted prior to the model’s release had already demonstrated its ability to identify thousands of previously unknown vulnerabilities across major operating systems and browsers.
The same technology, however, could enable new forms of cyberattack. As already highlighted by tests conducted by the UK’s AI Security Institute, Claude Mythos is capable of autonomously executing complex cyber operations, including simulating a multi-stage attack on a corporate network without human assistance. According to sources close to the matter, the National Security Agency is already running Claude Mythos Preview on classified networks, despite ongoing tensions with the Trump administration over the use of Anthropic’s technology in warfare and surveillance contexts.
