How Anthropic’s Mythos has Rewritten Firefox’s Approach to Cybersecurity
When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities that it had discovered thousands of high-severity bugs which needed to be fixed before it could be made public.
The lab claimed that Mythos was so effective in uncovering vulnerabilities that it had unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade.
That’s a significant improvement from what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with severe drawbacks, often inundating security teams with low-quality reports and false positives. But Mozilla’s researchers say the latest generation of tools has turned a corner, particularly now that agent systems can assess their own work and filter out bad results.
In a post published on Thursday, Mozilla said Mythos had identified 423 bug fixes in April 2026, compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, ranging from unusual sandbox vulnerabilities to a 15-year-old error in how the browser parses an HTML element.
“These things are actually just suddenly very good,” Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. “We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.”
The fact that the system helped reveal vulnerabilities in Firefox’s “sandbox” system is particularly impressive, given how intricate an attack that exploits it needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser and then attack the most secure part of the software with the new code implemented. Finding and demonstrating the bug is a delicate, multi-step process requiring both creativity and close attention.
To put this into context, Mozilla’s bug bounty program pays researchers who can find a bug in Firefox’s sandbox up to $20,000 — the highest reward available. Despite the top-dollar bounty, however, Grinstead says Mythos is finding more sandbox issues than human researchers ever did. “We do get them,” he told TechCrunch, “but not at the volume that we are able to find with this technique.”
The Firefox team still isn’t using AI to fix the bugs automatically. They do ask AI to code up patches for each bug, but the resulting code usually can’t be deployed directly and serves as a model for a human engineer.
“For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead says. “We have not found it to be automatable.”
Key Takeaways
- The latest generation of AI security tools has improved significantly, with the ability to filter out bad results and assess their own work.
- Mozilla’s researchers have identified a substantial increase in bug fixes since introducing Mythos, highlighting its effectiveness in identifying high-severity vulnerabilities.
- While Anthropic CEO Dario Amodei is optimistic that AI will favor defenders in the long run, Grinstead remains more cautious about the immediate impact on the cybersecurity balance of power.




