How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity

Published: May 7, 2026 at 12:05 PM EDT
Source: TechCrunch

Anthropic’s Mythos Model

When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed, that it had discovered thousands of high‑severity bugs that would need to be fixed before it could be made public.

Mozilla’s Firefox security team has provided a closer look at what that process looks like in practice, and what Mythos’ capabilities mean for software security at large.

Mozilla’s Findings

In a post published on Thursday, Mozilla said Mythos has unearthed a wealth of high‑severity bugs, including some that had lain dormant in the code for more than a decade.

That’s a significant improvement from what AI security tools were capable of even six months ago. Until now, AI bug‑finding tools often inundated security teams with low‑quality reports and false positives, as noted by TechCrunch. Mozilla’s researchers say the latest generation of tools has turned a corner, particularly now that agentic systems can assess their own work and filter out bad results.

“It is difficult to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

Firefox security team working with Mythos
Image credit: Firefox

Results

  • April 2026: Firefox shipped 423 bug fixes.
  • April 2025: Only 31 bug fixes were shipped.
  • Details on 12 of the bugs have been published, ranging from unusual sandbox vulnerabilities to a 15‑year‑old error in HTML parsing.

“These things are actually just suddenly very good,” said Brian Grinstead, distinguished engineer at Mozilla, to TechCrunch. “We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.”

Sandbox Vulnerabilities

The system’s ability to reveal vulnerabilities in Firefox’s sandbox is particularly impressive given the complexity of attacks that target it. To find sandbox issues, the model must:

  1. Write a compromised patch for the browser.
  2. Attack the most secure part of the software with the new code implemented.

This multi‑step process requires creativity and close attention.

Mozilla’s bug bounty program pays researchers up to $20,000 for finding a sandbox bug—the highest reward available. Despite the lucrative bounty, Grinstead says Mythos is finding more sandbox issues than human researchers ever did.

“We do get them,” he told TechCrunch, “but not at the volume that we are able to find with this technique.”

AI‑Generated Patches

While the Firefox team uses AI to suggest patches, the generated code usually cannot be deployed directly and serves only as a model for a human engineer.

“For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead explains. “We have not found it to be automatable.”

Future Outlook

One month after Mythos was previewed, most of the discovered bugs have likely not yet been patched, making it hard to gauge the full impact. Anthropic follows responsible disclosure norms, but there is concern that bad actors could employ similar techniques.

Speaking at a recent event, Anthropic CEO Dario Amodei was optimistic:

“If we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find. So I think there’s a better world on the other side of this.”

Grinstead offers a measured view:

“It’s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.”
