How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity


When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed, that it had discovered thousands of high-severity bugs that would need to be fixed before it could be made public.

Now, security researchers for Mozilla’s Firefox browser are providing a closer look at what that process has looked like in practice, and what Mythos’ powers mean for software security at large.

In a post published on Thursday, Mozilla said Mythos has unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade.

That’s a significant improvement over what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with severe drawbacks, often inundating security teams with low-quality reports and false positives. But Mozilla’s researchers say the latest generation of tools has turned a corner, particularly now that agentic systems can evaluate their own work and filter out bad results.

“It is hard to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

Image credits: Firefox

The results are striking: In April 2026, Firefox shipped 423 bug fixes, compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, which range from a pair of different sandbox vulnerabilities to a 15-year-old error in how the browser parses an HTML element.

“These things are really just suddenly very good,” Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. “We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.”


The fact that the system helped uncover vulnerabilities in Firefox’s “sandbox” system is particularly impressive, given how intricate an attack that exploits it needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser, then attack the most secure part of the software with the new code in place. Finding and demonstrating the bug is a delicate, multi-step process, requiring both creativity and close attention.

To put this into context, Mozilla’s bug bounty program pays researchers who can find a bug in Firefox’s sandbox up to $20,000 — the highest reward available. Despite the top-dollar bounty, however, Grinstead says Mythos is uncovering more sandbox issues than human researchers ever did. “We do get them,” he told TechCrunch, “but not at the volume that we are able to find with this technique.”

Notably, the Firefox team still isn’t using AI to fix the bugs, despite well-documented progress in AI coding tools. The team does ask AI to code up patches for each bug, but the resulting code usually can’t be deployed directly, and instead serves as a model for a human engineer.

“For the bugs we’re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead says. “We have not found it to be automatable.”

It’s still not clear how AI’s emerging capabilities will change the broader balance of power in cybersecurity. One month after Mythos was previewed, most of the bugs discovered likely haven’t been patched, which makes it hard to capture the full scope of their impact. Anthropic has been scrupulous about following responsible disclosure norms, but it’s likely bad actors are using similar techniques behind the scenes, even if the models they’re using aren’t quite as good.

Speaking at a recent event, Anthropic CEO Dario Amodei was optimistic that the new tools would ultimately favor defenders. “If we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find,” Amodei said. “So I think there’s a better world on the other side of this.”

Having dealt with the gritty details, Grinstead has a more measured view: “It’s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.”


Russell Brandom has been covering the tech industry since 2012, with a focus on platform policy and emerging technologies. He previously worked at The Verge and Rest of World, and has written for Wired, The Awl and MIT’s Technology Review. He can be reached at russell.brandom@techcrunch.com or on Signal at 412-401-5489.
