There had been much buzz about the abilities of Claude Mythos, and it appears that at least some of the hype might’ve been justified.
Mozilla’s Firefox team has published a detailed behind-the-scenes account of how it used Claude Mythos Preview — Anthropic’s restricted frontier model — to identify and fix an unprecedented number of security vulnerabilities. The numbers are pretty remarkable: Firefox shipped fixes for 423 security bugs in April 2026 alone. In the prior 15 months combined, the monthly average hovered between 17 and 31. The model didn’t just move the needle — it redrew the chart entirely.

From Slop to Signal
Not long ago, AI-generated security reports were mostly noise. They looked plausible, were often wrong, and imposed an asymmetric burden on maintainers — cheap to generate, expensive to evaluate. Firefox’s engineering team describes that reality as having changed dramatically in a matter of months, driven by two factors: significantly more capable models, and much better techniques for harnessing them at scale.
The team began by building an agentic harness on top of their existing fuzzing infrastructure. The key insight was dynamic validation — rather than doing static analysis and hoping, the harness could build and execute actual proof-of-concept test cases to confirm or rule out a suspected bug. That shift from speculation to reproducibility was what made the output trustworthy enough to act on at scale.
What Claude Mythos Actually Found
Of the 271 bugs attributed to Claude Mythos Preview in Firefox 150, 180 were rated sec-high and 80 were sec-moderate — meaning the vast majority could be triggered through normal browsing behavior. The sample bugs Mozilla disclosed publicly illustrate the depth of reasoning involved. Mythos helped find a 20-year-old XSLT bug involving a hash table rehash that freed its backing store while a raw pointer was still in use. It also discovered a race condition over IPC allowing a compromised content process to manipulate refcounts in the parent process and trigger a use-after-free — a potential sandbox escape. A third finding was a rowspan overflow bug that used HTML table semantics to bypass clamping and overflow a 16-bit bitfield — a flaw fuzzers had missed for years.
These are not the kind of bugs a simple static scan surfaces. They require multi-component reasoning across a large codebase, understanding of trust boundaries between browser processes, and the ability to construct conditions that reproduce edge cases reliably.
The Pipeline, Not Just the Model
Firefox’s team is careful to credit the model within a broader system. The harness handles discovery, but a full security pipeline — deduplication, triage, tracking, patching, and release management — is what made it useful at scale. Over 100 people contributed code to ship the fixes. Anthropic’s compute constraints that have been throttling consumer Claude users don’t apply to Mythos, which, as Anthropic CEO Dario Amodei has noted, runs on a tiny fraction of the company’s total compute — access is rationed by design, not capacity.
The team also noted what the model couldn’t do: multiple attempts to exploit prototype pollution for sandbox escapes were blocked by an architectural change Firefox had already made — freezing prototypes by default. Watching the AI repeatedly run into that wall and fail was, by their account, as satisfying as finding new bugs.
What This Means for Software Security
The Firefox case is one of the most concrete public demonstrations yet of AI being used for autonomous security hardening at production scale. The team’s advice to other projects is direct: start now with whatever model is available, observe the results, and iterate. The pipeline can be built on publicly available models today, and swapping in a better model later is trivial once the infrastructure exists.
The broader implication is harder to ignore. If a single AI model — still under restricted access — can surface 271 previously unknown vulnerabilities in one of the most heavily audited open-source codebases in existence, the security assumptions underpinning most software need urgent re-examination. The defenders have a new tool. So, presumably, do the attackers.