Mozilla says Anthropic’s Mythos is ‘every bit as capable’ as ‘the world’s best security researchers’ after Firefox experiment — and says the ‘zero-days are numbered’

News
By published

New AI tools could shift the balance of power in cybersecurity

A graphical rendering of the Mozilla Firefox icon.
(Image credit: Rubaitul Azad / Unsplash)
  • Mozilla used Anthropic’s Mythos AI to find hundreds of Firefox vulnerabilities, matching top human researchers in capability
  • The experiment suggests AI can now reason through code to uncover complex bugs at scale
  • This shift could reduce the advantage attackers have traditionally had in discovering valuable zero-day vulnerabilities

Mozilla thinks AI could change how bugs are found for good — so it turned a version of the Claude model loose on its own browser code. The company's security team has spent the past few months collaborating with Anthropic and testing an early version of the Claude Mythos Preview model against its browser code.

In just one round of testing, the AI model helped find 22 security-sensitive bugs, all fixed ahead of Firefox’s latest release, along with 90 other bugs.

“Mythos Preview is every bit as capable” as the world’s best security researchers, Mozilla concluded.

Article continues below

Bug bottleneck

Software security has always depended on a small number of people who can read complex code and see where it might fail. These researchers do not rely on brute force. They rely on reasoning, tracing how different parts of a system interact and identifying the places where those interactions break down.

Automated tools like fuzzers can probe systems at scale, but they tend to be uneven. They explore some paths thoroughly and miss others entirely. That's where human experts come in. But Mythos could reproduce the work that humans did, matching their abilities in many ways.

“Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise," Mozilla explained in its post. “Computers were completely incapable of doing this a few months ago, and now they excel at it.”

For Mozilla’s team, the immediate reaction was less celebration than recalibration. Finding one serious vulnerability used to trigger a focused response. Finding hundreds at once required something else entirely.

Essentially, the AI made it so that discovering the bugs doesn't take long. Fixing it is the challenge.

Cybersecurity defense evolution

The cybersecurity industry usually assumes that circumstances favor attackers, as a system can have many potential weaknesses, and an attacker only needs one. Defenders, by contrast, need to protect everything.

So companies try to make it costly to exploit vulnerabilities rather than fruitlessly trying to get rid of all of them. Highly valuable flaws, known as zero-days, have been treated as rare assets. But AI models like Mythos could change that equation.

“This can feel terrifying in the immediate term, but it’s ultimately great news for defenders,” the company wrote. "A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap."

Mozilla frames this as the beginning of a more balanced contest. That said, the flaws uncovered by Mythos are not new; they were just found much faster. The uncomfortable flip side of this, which Mozilla chooses to ignore, is that attackers have access to the same AI tools, and it's become a race of AI for defense vs AI for offense.

If Mythos can keep up this pace, researchers will have to work faster to deal with it. Mozilla's team had to adjust quickly, focusing on fixing the biggest flaws while keeping the browser code stable.

“We’ve turned the corner and can glimpse a future much better than just keeping up,” Mozilla wrote. "The defects are finite, and we are entering a world where we can finally find them all."

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Purple circle with the words Best business laptops in white
The best business laptops for all budgets

➡️ Read our full guide to the best business laptops
1. Best overall:
Dell 14 Premium
2. Best on a budget:
Acer Aspire 5
3. Best MacBook:
Apple MacBook Pro 14-inch (M4)

TOPICS
Eric Hal Schwartz
Eric Hal Schwartz
Contributor

Eric Hal Schwartz is a freelance writer for TechRadar with more than 15 years of experience covering the intersection of the world and technology. For the last five years, he served as head writer for Voicebot.ai and was on the leading edge of reporting on generative AI and large language models. He's since become an expert on the products of generative AI models, such as OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, and every other synthetic media tool. His experience runs the gamut of media, including print, digital, broadcast, and live events. Now, he's continuing to tell the stories people want and need to hear about the rapidly evolving AI space and its impact on their lives. Eric is based in New York City.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.