And buried inside that release was a signal that should have every enterprise board, CISO, software vendor, cloud provider, and regulator paying close attention: Mozilla says Firefox 150 includes fixes for 271 vulnerabilities identified during an initial evaluation using Anthropic’s Claude Mythos Preview. Mozilla also said that only weeks earlier, an earlier Anthropic model helped find 22 security-sensitive bugs in Firefox 148. That is not a small incremental gain. It is a step-change. Roughly speaking, the jump from 22 to 271 is about a twelvefold increase in discovered issues in Mozilla’s public examples.

What matters here is not just the number.

It is what the number means.

Mozilla’s CTO, Bobby Holley, did not describe Mythos as a cute assistant or a productivity boost. He said the model is “every bit as capable” as elite human security researchers for the classes of bugs Mozilla has examined so far, and that Mozilla had found no category or complexity of vulnerability that humans could find but the model could not. Mozilla’s argument is not that AI has invented a new physics of software failure. Their argument is more unsettling: the defects were already there, buried in mature code, and AI is now dramatically better at surfacing them at scale.

That is the real story.

This was not AI “making up” theoretical issues. Mozilla says it used the model to identify vulnerabilities, and Firefox 150 shipped with the corresponding fixes. Mozilla’s security advisory for Firefox 150 lists a large set of high-, moderate-, and low-impact issues, including several with descriptions noting memory corruption and the presumption that some could have been exploited to run arbitrary code. The advisory also credits multiple reports “using Claude from Anthropic.”

Anthropic’s own disclosure makes the picture even sharper.

According to Anthropic, Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed to do so. Anthropic says the model has written a browser exploit that chained together four vulnerabilities and escaped both renderer and OS sandboxes. It also says non-experts inside Anthropic have asked Mythos to find remote-code-execution vulnerabilities overnight and woken up to a complete working exploit.

That is the point where the conversation changes.

We are no longer talking only about faster code review.

We are talking about a system that, by Anthropic’s own account, can help compress the path from bug discovery to exploit development. On one Firefox-related benchmark, Anthropic says the prior model produced working exploits only two times out of several hundred attempts, while Mythos produced 181 working exploits and achieved register control on 29 more. Anthropic also notes an important caveat: that benchmark targeted a harness mimicking a Firefox 147 content process and did not include the browser’s full sandbox and other defense-in-depth mitigations. That nuance matters. But even with that caveat, the directional signal is unmistakable.

So how effective was it?

Effective enough that Mozilla reorganized around the output. Effective enough that Mozilla described the moment as vertigo-inducing. Effective enough that Anthropic restricted Mythos to a gated research preview under Project Glasswing rather than releasing it broadly. Effective enough that Anthropic’s platform docs say access is invitation-only for defensive cybersecurity work.

That last point is critical, because it leads directly to the darkest part of this story.

Reuters reports that Anthropic is investigating a claim that a small group of unauthorized users accessed Mythos through a third-party vendor environment. Reuters also reports that the group was allegedly not using Mythos for cybersecurity purposes. That distinction matters, and it should be preserved. There is a difference between “the wrong hands obtained access” and “the wrong hands already used it to launch cyberattacks.” The public reporting, as of April 22, 2026, supports the first claim, not the second.

But that does not reduce the seriousness. It increases it.

Because once a system exists that can find and help exploit subtle vulnerabilities at machine speed, the risk profile changes even before widespread malicious use is publicly confirmed. The danger is not just one spectacular zero-day. The danger is industrialized vulnerability discovery. The danger is exploit chaining. The danger is faster weaponization of newly disclosed flaws. The danger is pressure on underfunded open-source maintainers who suddenly have to defend codebases against capabilities that used to require elite teams and large budgets. Mozilla explicitly warned that smaller projects and open source may struggle most in this transition.

In plain English, here is what “wrong hands” could mean.

It could mean a criminal group using a Mythos-class model to scan old codebases, edge appliances, SDKs, plugins, browsers, drivers, and infrastructure software for buried bugs faster than defenders can patch them. It could mean taking public patches and rapidly turning them into working N-day exploits against organizations that are slow to update. It could mean stitching together multi-step exploit chains that bypass the layers of protection companies have relied on for years. It could mean finding the quiet, boring, forgotten software that no one budgeted to harden because it “still works.” That is an inference from the capabilities Anthropic and Mozilla describe, but it is a grounded inference, not science fiction.

This is also why the old enterprise mindset is now dangerous.

Many organizations still think about cyber defense as if the attacker must spend scarce human talent slowly, carefully, one target at a time. Mozilla’s framing is that this assumption is breaking. If machines can now cover the territory that used to require elite human reasoning, then the backlog of latent flaws inside mature software may be much larger and much more reachable than many leadership teams realize.

The strategic question is no longer whether AI will matter in cybersecurity.

It already does.

The strategic question is whether defenders can operationalize the same class of capability before attackers, insiders, criminal brokers, or state actors normalize it. Anthropic’s entire Project Glasswing structure appears to be built around that premise: get critical defenders a head start, keep access limited, and try to harden the software ecosystem before Mythos-class capabilities become commonplace. Anthropic says Project Glasswing includes major launch partners and over 40 additional organizations that build or maintain critical software infrastructure, backed by up to $100 million in usage credits and $4 million in donations to open-source security organizations.

That is the optimistic reading.

The pessimistic reading is that the head start may be brief.

And once these capabilities diffuse, “secure enough” software may need to be redefined across the entire stack.

What enterprises should do now

First, assume that mature software contains more reachable vulnerabilities than your current testing program has found.

Second, compress patch validation and patch deployment cycles, especially for externally exposed assets and third-party components.

Third, prioritize applications and services that sit behind trust boundaries but connect to high-value data, because those become ideal stepping stones if AI-assisted exploit chaining becomes routine.

Fourth, treat open-source dependency risk as a live operational problem, not a procurement checkbox, because Mozilla is explicitly warning that smaller maintainers may not have the resources to absorb this transition.

Fifth, strengthen identity, access, and approval controls around the systems that can cause outsized damage if compromised. This is where tools like iValt fit the moment: high-risk actions should require stronger identity assurance, device context, and explicit approval controls, especially for sensitive workflows.

Sixth, build an evidence-first AI security testing layer before broad internal deployment of agents and model-connected workflows. This is where AI PQ Audit belongs in the conversation: organizations need a way to test AI-connected systems, record what was evaluated, show what changed, and prove how a system behaved before trust is extended at scale.

And seventh, remember that the next shock may not come from AI “deciding” to attack you. It may come from AI giving ordinary attackers, compromised insiders, or forgotten vendor pathways a level of offensive reach that used to belong only to the best-funded operators.

That is why this Mozilla story matters.

Not because AI found bugs.

But because it showed, in a live browser used by hundreds of millions of people, that the distance between elite human security work and machine-scale security work is collapsing.

And once that gap closes, the organizations that move first on defense will not merely be safer.

They may be the only ones still in control.
