- Mozilla used Anthropic’s Mythos AI to find hundreds of Firefox vulnerabilities, matching the ability of the best human researchers
- Experiment suggests AI can now reason through code to discover complex bugs at scale
- This change could reduce the advantage attackers have traditionally had in discovering valuable zero-day vulnerabilities.
Mozilla believes AI could forever change the way bugs are found, so it released a version of the Claude model in its own browser code. The company’s security team has spent the last few months collaborating with Anthropic and testing an early version of the Claude Mythos Preview model with its browser code.
In just one round of testing, the AI model helped find 22 security-sensitive bugs, all fixed before the latest Firefox release, along with another 90 bugs.
“Mythos Preview is as capable” as the world’s best security researchers, Mozilla concluded.
Article continues below.
Error bottleneck
Software security has always depended on a small number of people who can read complex code and see where it could go wrong. These investigators do not rely on brute force. They are based on reasoning, tracking how different parts of a system interact and identifying places where those interactions fail.
Automated tools like fuzzers can test systems at scale, but they tend to be uneven. They explore some paths thoroughly and ignore others entirely. That’s where human experts come in. But Mythos could replicate the work humans did, matching their abilities in many ways.
“Elite security researchers find bugs that fuzzers cannot find largely by reasoning through the source code. This is effective, but it is time-consuming and limits limited human expertise,” Mozilla explained in its post. “Computers were completely incapable of doing this a few months ago, and now they do it with excellence.”
For the Mozilla team, the immediate reaction was less celebration than recalibration. Finding a serious vulnerability used to trigger a focused response. Finding hundreds at once required something completely different.
Essentially, AI made discovering errors less time-consuming. Fixing it is the challenge.
Evolution of cybersecurity defense
The cybersecurity industry often assumes that circumstances favor attackers, as a system may have many potential weaknesses and an attacker only needs one. Defenders, on the other hand, need to protect everything.
That’s why companies try to make it expensive to exploit vulnerabilities instead of trying unsuccessfully to get rid of them all. High-value failures, known as zero days, have been treated as rare assets. But AI models like Mythos could change that equation.
“This may be scary in the short term, but is ultimately great news for advocates,” the company wrote. “A gap between machine- and human-detectable bugs favors the attacker, who can focus many months of costly human effort on finding a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheaper.”
Mozilla frames this as the start of more balanced competition. That said, the flaws discovered by Mythos are not new; They were just found much faster. The uncomfortable side of this, which Mozilla chooses to ignore, is that attackers have access to the same AI tools, and it has become a race between AI for defense versus AI for offense.
If Mythos can maintain this pace, researchers will have to work faster to deal with it. The Mozilla team had to adapt quickly, focusing on fixing the most important bugs while keeping the browser code stable.
“We have turned the corner and can envision a much better future than simply keeping pace,” Mozilla wrote. “Defects are finite and we are entering a world where we will eventually be able to find them all.”
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
The best business laptops for every budget
