- Mozilla used Anthropic’s Mythos AI to find hundreds of Firefox vulnerabilities, matching top human researchers in capability
- The experiment suggests that AI can now reason through code to uncover complex errors at scale
- This shift could reduce the advantage attackers have traditionally had in discovering valuable zero-day vulnerabilities
Mozilla believes AI could change how bugs are found forever — so it turned a version of the Claude model loose on its own browser code. The company’s security team has spent the past few months working with Anthropic and testing an early version of the Claude Mythos Preview model against its browser code.
In just one round of testing, the AI model helped find 22 security-sensitive bugs, all fixed prior to Firefox’s latest release, along with 90 other bugs.
“Mythos Preview is as capable” as the world’s best security researchers, Mozilla concluded.
Bug bottleneck
Software security has always relied on a small number of people who can read complex code and see where it might fail. These researchers do not rely on brute force. They rely on reasoning, tracing how different parts of a system interact and identifying the places where those interactions break down.
Automated tools like fuzzers can probe large-scale systems, but they tend to be patchy. They explore some paths thoroughly and completely miss others. This is where human experts come into play. But Mythos could reproduce the work that humans did and match their abilities in many ways.
“Elite security researchers find bugs that fuzzers largely cannot by reasoning through the source code. This is efficient, but time-consuming and the bottleneck of barely human expertise,” Mozilla explained in its post. “Computers were completely incapable of doing this a few months ago, and now they excel at it.”
For Mozilla’s team, the immediate reaction was less celebration than recalibration. Finding a serious vulnerability used to trigger a focused response. Finding hundreds at once required something entirely different.
Essentially, the AI made detecting the errors quick. Fixing them is the challenge.
The evolution of cyber security defense
The cyber security industry usually assumes that circumstances favor attackers, as a system can have many potential weaknesses and an attacker only needs one. Defenders, on the other hand, must protect everything.
So companies try to make it expensive to exploit vulnerabilities instead of fruitlessly trying to get rid of them all. Highly valuable errors, known as zero days, have been treated as rare assets. But AI models like Mythos could change that equation.
“This may feel scary at the moment, but it’s ultimately good news for defenders,” the company wrote. “A gap between machine-detectable and human-detectable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all detections cheap.”
Mozilla frames this as the beginning of a more balanced competition. That said, the flaws exposed by Mythos aren’t new; they were just found much faster. The unpleasant flip side of this, which Mozilla chooses to ignore, is that attackers have access to the same AI tools, and it has become a race of AI for defense vs AI for offense.
If Mythos can keep up this pace, scientists will have to work faster to deal with it. Mozilla’s team had to adjust quickly and focused on fixing the biggest bugs while keeping the browser code stable.
“We’ve turned the corner and can see a future much better than just watching,” Mozilla wrote. “The defects are limited and we are entering a world where we can finally find them all.”



