The Mozilla Foundation tested Claude Mythos, an Anthropic AI model that has stirred debate in the cybersecurity community.
Before being granted access to Mythos, Mozilla scanned Firefox using Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148. By comparison, Mythos identified 271 vulnerabilities in Firefox 150.
Firefox CTO Bobby Holley said other teams are beginning to experience the same “vertigo” that Mozilla felt when the findings first came into focus.
“For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”
Holley believes that teams that push through this phase and focus on the task will begin to see progress.
“Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively,” he wrote.
He added that bringing exploits to zero was an unrealistic goal.
“Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an asset discourages casual use.”
Before Mythos, identifying complex vulnerabilities relied on manual code analysis by expert researchers, a process limited by time and scarce human expertise.
“Computers were completely incapable of doing this a few months ago, and now they excel at it.”
Based on Mozilla’s findings, models like Mythos Preview have proven to be as capable as the world’s best security researchers, with no category or level of vulnerability identified by humans that the model could not also detect.
“Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher.”
Holley concluded that “we are entering a world where we can finally find them all.”
Earlier this month, Anthropic introduced Claude Mythos Preview to the public, stating that the LLM is particularly skilled at uncovering previously overlooked and difficult-to-detect bugs and vulnerabilities in operating systems, software, web applications, and cryptography libraries.
The company does not plan to release the model publicly, warning that such a system could be misused to identify zero-day vulnerabilities and create exploits targeting both newly discovered flaws and existing issues that remain unpatched.
Instead, it launched Project Glasswing, a selective program that gives major technology, cybersecurity, and financial organizations early access to the model.
We didn’t have to wait long for reports of attempts to access the model without authorization. According to Bloomberg, a handful of users in a private online forum gained access to Mythos on the same day that Anthropic announced plans to release the model to a limited number of companies for testing.

