Claude Mythos uncovers 271 flaws in Firefox and opens a new chapter in cybersecurity

  • Mozilla Firefox 150 comes with patches for 271 vulnerabilities detected by Claude Mythos, the Anthropic model.
  • The use of security-specialized AI increases by a factor of more than 10 the number of critical flaws that were identified with previous tools.
  • Mozilla believes that the historical advantage of attackers can begin to diminish thanks to this type of model.
  • Access to Claude Mythos is restricted through Project Glasswing, which limits its use to strategic partners to prevent abuse.

The latest major update of Mozilla Firefox has arrived with a major surprise behind the scenes: the browser has had to patch 271 security vulnerabilities after its code underwent intensive analysis with Claude Mythos, Anthropic's cybersecurity-focused artificial intelligence model. Far from being a simple experiment, the case is being considered a potential turning point in how large internet-connected applications are protected.

Mozilla has been boasting for years that Firefox is one of the most audited and robust open-source browsers. However, the collaboration with Anthropic revealed a considerable number of latent vulnerabilities. The good news is that these were fixed before they could be exploited; the concern stems from discovering the extent to which the attack surface still concealed weaknesses that neither manual testing nor traditional analysis techniques had detected.

Firefox 150: an update marked by 271 vulnerabilities fixed

According to Bobby Holley, CTO of Mozilla, the work is part of a direct collaboration with Anthropic within Project Glasswing, the restricted program through which the AI company allows technology partners to analyze critical software. The scan focused on the browser's source code, paying particular attention to sensitive components such as the rendering engine, the sandbox, and process isolation layers.

Holley acknowledges that, historically, the industry has assumed that completely eliminating exploits was an unrealistic goal. The strategy involved making attacks as difficult as possible through layers of defense in depth, sandboxing, and more secure languages like Rust, but always accepting that some vulnerability would eventually appear. The massive discovery by Mythos reinforces this idea, but at the same time shows that the balance may be starting to shift in favor of the defenders.

The CTO himself points out that a single failure of the category found would have been a red alert in 2025 for a highly protected target. Hence the vertigo that, according to Mozilla, has spread through other security teams when they have seen the total number of vulnerabilities uncovered at once, a scenario that tests the reaction capacity of any organization.

From Opus to Mythos: A leap forward in AI auditing

The collaboration between Mozilla and Anthropic didn't begin with Mythos. Months earlier, the foundation had tested Claude Opus 4.6, Anthropic's advanced model, which was used to review an earlier version of the browser. That first test resulted in the correction of 22 security vulnerabilities in Firefox 148, some of them severe, and was considered a remarkable achievement even then.

The arrival of Claude Mythos Preview has, however, meant a jump in scale of about twelve times in the number of vulnerabilities detected. While Opus 4.6 identified a couple dozen vulnerabilities, Mythos has uncovered 271 and, in internal testing, has generated over 180 working exploits demonstrating the actual exploitability of these errors. In terms of audit productivity, this is a significant improvement.

Mozilla emphasizes that Anthropic's model has achieved a performance comparable to that of elite human researchers. The important thing, they clarify, is not that it discovers entirely new types of vulnerability, but that it is able to systematically locate many of the problems that an expert could also find, but in a much shorter time and on a scale that is practically unmanageable for manual teams.

One point that the organization insists on highlighting is that no vulnerabilities have been detected that were beyond the reach of a good human researcher. This aligns with Mozilla's view, which doesn't believe that AI will create attack methods out of thin air that completely challenge our current understanding of security; rather, it amplifies the work that can already be done, but without the limitations of time, fatigue, or resources.

For a complex, modular application like Firefox, designed precisely so that humans can reason about its different parts, this approach makes sense. What changes is not so much the nature of the errors as the ability to discover much more in less time. This is key for a browser that serves as a gateway to thousands of services and applications, including financial platforms, remote work tools, and online public services in the European Union.

From the offensive model to the attempt at a defensive advantage

For years, software security has moved in an uneasy balance between attackers and defenders. The attack surface of a modern browser is so large that it is impossible to cover it completely with traditional tools, which has given attackers an asymmetric advantage: they only need to find a well-placed vulnerability to achieve their goal.

Mozilla admits that its strategy has relied on a combination of defense in depth, strict sandboxing, and heavy use of Rust to minimize certain families of errors. This is complemented by techniques such as fuzzing, which subjects the code to random inputs to force unexpected failures. However, the Firefox team itself acknowledges that there are areas of the code that are much harder to fuzz. This leaves gaps in coverage that can be exploited by patient attackers.

Using an AI like Claude Mythos introduces a new piece to that puzzle. Unlike random testing or manual reviews, the model can reason about the source code, identify suspicious patterns, and propose exploits that demonstrate whether a fault is truly critical. This reduces the exclusive reliance on highly specialized teams, which are scarce and unable to handle the amount of software that needs to be reviewed.

For Mozilla, this opens the door to gradually closing the gap between the errors that machines can detect and those that human experts can locate. If the cost of finding vulnerabilities falls drastically for defenders, part of the structural advantage that attackers had, accustomed to dedicating months of work to hunting a single profitable flaw, disappears.

Holley admits that the initial shock of seeing so many errors at once was nothing short of an internal earthquake, but maintains that, once the initial shock subsided, the feeling is positive: if resources can be prioritized and efforts focused on correcting what the AI reveals, the defenders can start playing with the same weapons. That is, provided there are teams capable of absorbing the volume of results and translating them into effective patches.

Risks of such powerful security AI: a clear double-edged sword

Alongside Mozilla's moderate enthusiasm, much of the European cybersecurity sector is closely watching the potential for abuse of tools like Claude Mythos. The same system that allows finding flaws in Firefox could be used, in the wrong hands, to automate the discovery of vulnerabilities in operating systems, hot wallets, decentralized applications, or critical infrastructure services.

Anthropic is aware of that risk and, in fact, keeps Mythos available only under very limited access through Project Glasswing. Major technology companies like Apple, Microsoft, Google, Amazon Web Services, the Linux Foundation, and Mozilla itself are part of this group, which uses the model to audit its members' own software and, in some cases, strategic infrastructure. The idea is to closely control what is analyzed and for what purposes.

Recent reports indicate that, in controlled tests, Claude Mythos has managed to identify and exploit zero-day vulnerabilities in widely used systems, from browsers to operating systems. It has even been documented that it can perform complex cyber operations quite autonomously, such as multi-stage intrusion simulations on corporate networks.

These capabilities have sparked interest not only from companies, but also from governments and intelligence agencies. In the United States, for example, it has been reported that the National Security Agency has even run Mythos on classified networks, despite public reservations about the use of such tools in war or surveillance contexts.

For Europe, where the debate on AI regulation and data protection is especially intense, cases like Firefox and Mythos offer ammunition to all sides: on the one hand, they show the value of well-governed AI to protect millions of users; on the other, they highlight the need to ensure that these types of models do not end up fueling new generations of large-scale automated attacks.

Impact on the open software ecosystem and on European users

Firefox occupies a unique position in the browser landscape. Although it has lost market share to Chromium and its derivatives, it remains a key component in environments where free software and privacy are valued, such as many European public administrations, academic institutions and advanced users of GNU/Linux systems.

In that context, the discovery of 271 vulnerabilities can be interpreted in two ways. On the one hand, it confirms that even highly audited open-source projects can hide a large number of bugs, simply because the codebase is enormous and manual review can't reach everywhere. On the other hand, it demonstrates that the open development model makes it easier for external tools, including advanced AI, to inspect the code and contribute to improving its security.

Mozilla acknowledges that, with the help of Mythos, it now has a long list of pending tasks to strengthen the security of its flagship application. For end users in Spain and the rest of Europe, the recommendation is simple: keep the browser updated to benefit from these patches. Version 150 not only fixes the detected bugs, but also maintains the pace of improvements in performance, compatibility, and features such as sandboxing and local network permission management.

Furthermore, the Firefox case can serve as a precedent for other open source projects that are used daily in businesses, public bodies, and critical services. Widely deployed tools (web servers, cryptographic libraries, development frameworks) could benefit from similar AI-powered audits, which is especially relevant in the European Union, where directives on cybersecurity and digital resilience are becoming increasingly stringent.

The challenge, as Mozilla itself admits, is that many of these projects do not have sufficient human or economic resources to absorb the flow of findings that a model like Mythos can generate. That's where both free software foundations and public policies supporting open source security come into play, an issue that has already been raised in Brussels following incidents like Log4Shell.

A new phase in the relationship between humans and AI in cybersecurity

Beyond the anecdote of the 271 vulnerabilities, what the Firefox case raises is a change of focus in the relationship between human researchers and AI in cybersecurity. Instead of pitting one against the other, Mozilla advocates for a model in which advanced tools expand the capabilities of security teams, without replacing their judgment or experience.

The organization describes Claude Mythos as a kind of tireless security researcher, capable of reviewing large amounts of code, proposing exploits, and identifying risk patterns. Alongside it, human specialists remain responsible for prioritizing, confirming, correcting, and deciding which changes are introduced into the final product.

This collaborative vision has direct implications for the European cybersecurity market, where companies and research centers are already experimenting with AI for code audits, malware analysis, or intrusion detection. If Mozilla's results are replicated in other projects, we may see reaction times to critical failures shortened and the pressure on overwhelmed security teams reduced, at least in part.

At the same time, the experience of Anthropic and Mozilla makes clear the importance of re-evaluating the methods used to measure the performance of AI models in security tasks. Anthropic itself has admitted that many current benchmarks have already fallen short in assessing the real capabilities of its latest systems, which necessitates the design of more demanding and representative tests.

If there's one thing both Mozilla and Anthropic seem to agree on, it's that, for now, there is no complete substitute for human judgment in risk management. AI accelerates and expands the search for problems, but the decision of what to fix, how to do it, and on what timeline still depends on teams of people who have to balance security, user impact, and available resources.

Everything points to the release of Firefox 150 with patches for 271 vulnerabilities flagged by Claude Mythos being remembered as the moment when cybersecurity took a serious step towards intelligent automation. Mozilla's browser thus becomes a case study on how to integrate high-level AI into the development and maintenance lifecycle of a critical product, without losing sight of the associated risks or the need for close human oversight. For users, developers, and policymakers in Spain and Europe, the lesson is clear: artificial intelligence is no longer just a futuristic concept, but a tool that is beginning to rebalance the scales in a battle that had been tilted in favor of attackers for decades.
