Two weeks ago, Mozilla stunned the security community with a single announcement: Anthropic’s new AI model, Claude Mythos Preview, had discovered and helped fix 271 latent security vulnerabilities in the Firefox browser, all patched in the release of Firefox 150. Today, Mozilla published a detailed technical blog post explaining exactly how they did it — and responding to critics who questioned whether AI bug-hunting was producing meaningful results or merely generating noise.

The May 7 blog post, authored by Brian Grinstead, Christian Holler, and Frederik Braun from Mozilla, is the most technically detailed account yet of how AI-assisted security analysis can be made reliable at scale. It directly addresses the longstanding criticism that AI-generated vulnerability reports are cheap to produce but expensive to verify — a dynamic that had frustrated open-source maintainers for years.

“It is difficult to overstate how much this dynamic changed for us over a few short months.” — Mozilla Hacks, May 7, 2026

The Background: A Multi-Month Collaboration

The story begins earlier in 2026. In January, Anthropic’s security researchers partnered with Mozilla and deployed Claude Opus 4.6 to scan Firefox over a two-week period. That effort yielded 22 vulnerabilities — 14 of them classified as high-severity — representing nearly a fifth of all high-severity Firefox bugs patched throughout all of 2025. Those fixes shipped in Firefox 148 in late February.

Buoyed by that success, Mozilla was granted early access to Claude Mythos Preview, Anthropic’s newest and most powerful model, specifically designed with cybersecurity capabilities in mind. The results were dramatically more comprehensive.

What Claude Mythos Is — and Why It’s Restricted

Claude Mythos is Anthropic’s most capable model to date, and it is not publicly available. According to SecurityWeek and Decrypt, Anthropic has explicitly withheld it from general release because of its extraordinary cybersecurity power — the model can, under the right conditions, autonomously discover and exploit zero-day vulnerabilities at a scale no previous model could achieve.

Instead, Anthropic distributes access through a program called Project Glasswing, a vetted-partner initiative that includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks — as well as Mozilla. Researchers warn that the same capabilities that benefit defenders could also dramatically accelerate automated cyberattacks in the wrong hands.

The Agentic Harness: Solving the False-Positive Problem

The core innovation Mozilla describes in today’s post is not the model itself, but the agentic harness built around it. For years, a fundamental obstacle to AI-assisted security work was the economics of false positives: an LLM can trivially generate a report claiming it found a bug, but verifying whether that report is real costs significant time from skilled engineers.

Mozilla’s harness solves this by giving the model the ability to dynamically test its own hypotheses. Rather than simply analyzing code statically, the model is given tools to write test cases, execute them, and observe whether they produce a crash or exploitable behavior. If the model believes there is a use-after-free in a particular code path, it must construct HTML or JavaScript that triggers it — and the harness runs that code against an instrumented Firefox build.

Only bugs that reproducibly crash or exhibit exploitable behavior are surfaced to developers. This effectively eliminates speculation. According to the Mozilla engineers, the resulting pipeline delivers virtually no false positives in the reports that reach human reviewers, giving developers high confidence that any report they act on represents a real, confirmed vulnerability.

“The introduction of agentic harnesses that can reliably detect security issues has completely changed this. These can find real bugs and dismiss unreproducible speculation.” — Mozilla Hacks, May 7, 2026

Mozilla built its harness on top of its existing fuzzing infrastructure and initially ran small-scale experiments with Claude Opus 4.6 targeting sandbox escapes. Once the approach was working well, the jobs were parallelized across multiple ephemeral virtual machines — each one independently hunting for bugs across different parts of the codebase simultaneously.

What Was Found: Severity and Scope

Mozilla applies its own internal severity ratings distinct from CVE scoring. The categories are:

Note that Mozilla makes no technical distinction between sec-critical and sec-high — the critical rating is reserved specifically for issues that are already being exploited or disclosed. Of the 271 vulnerabilities, SecurityWeek reports that only three received standalone CVE identifiers (CVE-2026-6746, CVE-2026-6757, CVE-2026-6758), indicating that many of the remaining bugs are lower-severity, defense-in-depth improvements, or hardening fixes that don’t meet the public CVE threshold.

Mozilla noted that, encouragingly, none of the discovered bugs was beyond the reach of an elite human researcher — the AI found nothing that a sufficiently skilled person could not have found. The significance lies in the speed and scale of discovery, not in the discovery of fundamentally novel attack classes.

Sample Bugs: A Window into the Findings

To counter skepticism about the quality of AI-found bugs, Mozilla released 12 complete Bugzilla reports drawn from a cross-section of browser subsystems. A sample of the disclosed issues illustrates both the depth and diversity of the findings:

Many of the bugs are sandbox escapes — exploits that assume an attacker has already compromised the sandboxed renderer process and is attempting to escalate into the privileged parent process. Such bugs are notoriously difficult to surface via traditional fuzzing, making AI analysis particularly valuable here.

What the Models Couldn’t Break

Perhaps as illuminating as what Claude Mythos found is what it failed to find. Mozilla’s engineers reviewed the harness logs and observed many attempts by the model to pursue prototype-pollution-based sandbox escapes — a class of exploit that had yielded several real vulnerabilities in recent years. All such attempts were blocked by an architectural change Mozilla made previously: freezing parent-process prototypes by default.

“Observing such direct payoff from previous hardening work was even more rewarding than finding and fixing more bugs.” — Mozilla Hacks, May 7, 2026

This finding validates a key argument for proactive security hardening: architectural defenses compound over time, and AI analysis can serve as a live test of whether past investments are holding.

Implications for the Broader Software Ecosystem

Mozilla is not treating this as a competitive advantage to keep quietly. Today’s blog post explicitly frames itself as a call to action for other software teams, with practical advice for projects looking to adopt similar agentic pipelines.

The broader message is stark. If a browser as extensively fuzzed, reviewed, and hardened as Firefox — with decades of scrutiny from some of the world’s best security researchers — still contained 271 previously unknown vulnerabilities discoverable in weeks by an AI system, other widely deployed software likely harbors far larger backlogs of undiscovered flaws.

Mozilla compares the current moment to the early days of fuzzing: a new technique that initially seemed marginal has now become an indispensable part of security practice. The engineers suggest that agentic AI security analysis is on the same trajectory — and that defenders who move first will have a significant, if temporary, advantage.

Sources: Mozilla Hacks (May 7, 2026) · Mozilla Blog (April 21, 2026) · SecurityWeek · Decrypt · Help Net Security