When Anthropic unveiled its new version of Mythos in April, it also issued a stern warning to developers. The model was so powerful at eliminating software problems, the lab said, that it found thousands of very dangerous bugs that needed to be fixed before they happened.
Now, security researchers for Mozilla’s Firefox browser offer a closer look at what this process looks like in practice, and what the power of Mythos means for the security of all applications.
In a post published on Thursday, Mozilla said Mythos has discovered many of the most serious bugs, including some that had been dormant in the code for more than a decade.
That’s a big change from what AI security tools were capable of even six months ago. Until now, AI bug detection tools have come with serious problems, often confusing security teams with low-quality and false reports. But Mozilla researchers say that recent tools have changed, especially now that operating systems can test their performance and remove negative results.
The researchers wrote: “It is difficult to say how this change has changed in a few months. First, the models became more capable. Second, we greatly improved our methods to connect these models.”

The results are surprising: In April 2026, Firefox sent 423 updates, compared to exactly 31 the previous year. The researchers also published more than 12 bugs, ranging from unusual sandbox problems to a 15-year-old bug in the way the browser renders an HTML element.
“These things are just suddenly great,” Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. “We’re seeing that in our internal analysis, we’re looking at external error reports, and we’re seeing this across all types of companies.”
The fact that this system helped reveal vulnerabilities in the “sandbox” of Firefox is very interesting, because this kind of attack was supposed to be difficult. In order to find the sandbox vulnerabilities, the model must write a cracked patch for the browser and attack the most protected part of the application with the newly implemented code. Finding and reporting the error is a simple, multi-step process that requires skill and attention.
To put this into context, Mozilla’s bug bounty program pays researchers who can find a bug in Firefox’s sandbox up to $20,000, the highest reward available. Despite the high reward, Grinstead says Mythos is turning up more sandbox bugs than human researchers ever did. “We get them,” he told TechCrunch, “but not as much as we can get with this method.”
Notably, the Firefox team is still not using AI to fix bugs, even though the AI writing tools are well documented. The team asks the AI to write patches for each bug, but what follows is often not directly deployable, and instead serves as a model for human engineers.
“For the bugs we’re talking about in this post, everyone is a single engineer who writes a patch and reviews it,” Grinstead says. “We didn’t find it to be automatic.”
It is not yet clear how the emerging capabilities of AI will change the balance of power in cybersecurity. A month after the Mythos preview, many of the bugs found have not been fixed, making it difficult to determine their impact. Anthropic has been focusing on tracking disclosure trends, but it’s possible that bad actors are using similar tactics behind the scenes, even if the examples they’re using aren’t the best.
Speaking at a recent event, Anthropic CEO Dario Amodei was optimistic that the new tools would be in the interest of defenders. “If we handle this well, we can be in a better place than when we started, because we have corrected all these mistakes. There are many problems that we can find,” said Amodei. “So I think there’s a better world on the other side of this.”
After working out the details, Grinstead has a similar view: “It’s useful for both attackers and defenders, but having a weapon available turns a little bit of an advantage into a defense. Honestly, no one knows the answer to that.”