What just happened? Mozilla's latest browser release doubles as a live-fire test of how far AI-assisted security has come, and how quickly it's reshaping software development. With Firefox 150, Mozilla says it has fixed 271 vulnerabilities identified not by fuzzers or human red-teamers, but by Anthropic's Mythos Preview model analyzing unreleased Firefox source code.
The result, in the view of Firefox CTO Bobby Holley, marks a decisive shift in the long-running asymmetry between attackers and defenders. "Defenders finally have a chance to win, decisively," he wrote in a blog post.
Holley says Mythos Preview demonstrated the kind of global, semantic reasoning over a large, complex codebase that, until recently, only elite human analysts could perform. By contrast, when Mozilla pointed Anthropic's earlier Opus 4.6 model at Firefox 148, the AI flagged just 22 "security-sensitive" bugs.
The new model, he argues, is now competitive with top human talent. "Computers were completely incapable of doing this a few months ago, and now they excel at it," Holley writes. "We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable."
The core claim isn't that Mythos finds qualitatively new kinds of flaws that humans can't see. Holley notes that the vulnerabilities it uncovered in Firefox 150 could, in principle, also be discovered through intensive fuzzing or by an "elite security researcher" methodically reasoning through the code. The difference is cost and throughput.
Instead of concentrating months of costly human effort to find a single bug, Mythos can sweep large portions of the codebase and produce a high-volume list of issues that engineers can triage and patch.
In Mozilla's telling, that shift changes the economics of software assurance. Holley argues that once it becomes inexpensive for defenders to mine their own code for exploitable patterns, the balance tilts away from attackers – even if the same AI capabilities eventually become available to offensive teams.
"Our belief is that the tools have changed things dramatically, because now we have automated techniques that can cover, as far as we can tell, the full space of vulnerability-inducing bugs," he told Wired.
Mozilla's approach to shipping Firefox has already begun to evolve in response to these tools. Holley now frames AI-driven code review as an intensive, mandatory phase that software must pass through, because models like Mythos can surface large numbers of previously hidden bugs deep within mature codebases.
He also warns that this adjustment is resource-intensive. Some executives at major tech companies have said in conversations that they expect to reassign thousands of engineers for months to push their products through this new AI-assisted hardening process.
The implications are sharpest for open source, where much of the internet's critical infrastructure is maintained by small teams or even individual volunteers. Firefox's code is public, making it an obvious target for any capable vulnerability-hunting model. Holley cautions that many maintainers lack both the access and the capacity to take advantage of these AI tools – or to act on the flood of issues they uncover.
Mozilla CTO Raffi Krikorian has raised similar concerns about who benefits from AI-accelerated security. In a recent New York Times opinion piece, he argues that Mythos could deepen existing structural imbalances in software. The underlying economics of infrastructure, he contends, haven't changed: critical open-source components that underpin the modern tech stack are still largely maintained by unpaid volunteers, while large companies profit from that work without meaningfully funding its upkeep.
With powerful new AI security capabilities coming online, he warns, well-resourced organizations may be the first to gain access, harden their systems, and reduce their exposure – while underfunded projects and smaller players remain equally or even more vulnerable.
Holley says the Firefox team is already sharing what it has learned through both formal collaborations and more ad hoc relationships with other open-source projects. At the same time, he stresses that no amount of automation can resolve the deeper structural issues shaping the open-source ecosystem. In his view, AI can scale vulnerability discovery, but the real constraints remain human: time, money, attention, and coordination. Addressing them will require a concerted industry-wide effort rather than a purely technical fix.
