Anthropic Mythos Just Found 271 Bugs in Firefox in One Month
Anthropic gave Mozilla early access to Mythos Preview, its newest model built specifically for cybersecurity. In one month, the model surfaced 271 vulnerabilities in Firefox 150, with 180 rated sec-high. Mozilla shipped 423 total security fixes in April 2026, more than human teams had landed in the prior 18 months combined.
The thing is, the model is not really the headline. The headline is the agentic harness Mozilla built around it. Earlier attempts with GPT-4 and Sonnet 3.5 drowned in false positives because the model only got to read code statically. This time the harness gives the model tools to write a test case, spin up an ephemeral VM, run the test, and watch for a crash. The result is a hypothesis-test loop, parallelized across the codebase and integrated into Mozilla's existing fuzzing pipeline.
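The confirm-by-execution loop described above, as an added example (not Mozilla's harness and not code from the write-up): each candidate test case runs in its own process, and only hypotheses that end in an observed crash are reported. The candidate names, the constructed test cases, and the local subprocess standing in for the ephemeral VM are assumptions.

```python
import signal
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

ASAN_MARKER = "ERROR: AddressSanitizer"  # banner printed by ASan-instrumented builds

# Constructed stand-ins for model-written test cases. Each runs as a separate
# Python process; in a real harness the command would drive the target build
# inside a throwaway VM.
CANDIDATES = {
    "hyp-clean": "print('parsed fine')",
    "hyp-signal": "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)",
    "hyp-asan": "import sys; sys.stderr.write('==1==ERROR: AddressSanitizer: "
                "heap-use-after-free\\n'); sys.exit(1)",
    "hyp-hang": "import time; time.sleep(30)",
}


def run_candidate(source, timeout=5.0):
    """Execute one test case in its own process and classify what was observed."""
    try:
        proc = subprocess.run([sys.executable, "-c", source],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"  # needs separate triage; not proof of memory corruption
    if proc.returncode < 0:  # POSIX: negative value means killed by that signal
        return "crash:" + signal.Signals(-proc.returncode).name
    if ASAN_MARKER in proc.stderr:  # sanitizer builds exit non-zero, not by signal
        return "crash:asan"
    return "unconfirmed"  # hypothesis did not reproduce, so it is dropped


def triage(candidates, workers=4, timeout=5.0):
    """Run all hypotheses in parallel; return every verdict keyed by name."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {name: pool.submit(run_candidate, src, timeout)
                   for name, src in candidates.items()}
        return {name: fut.result() for name, fut in futures.items()}


def confirmed(verdicts):
    """Only findings backed by an observed crash are reported."""
    return sorted(n for n, v in verdicts.items() if v.startswith("crash:"))


if __name__ == "__main__":
    verdicts = triage(CANDIDATES, timeout=2.0)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:12} {verdict}")
    print("report:", confirmed(verdicts))
```

Hangs are kept apart from crashes because a timeout alone does not show memory corruption; the signal check relies on POSIX return-code semantics.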
Mythos itself is not for sale. Anthropic withheld public release because the model can autonomously discover and exploit zero-days at a scale prior models could not. Distribution is happening through a closed program called Project Glasswing, with AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan, Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks on the list. The defenders' side is getting the model first.
If you build software, the takeaway is uncomfortable but concrete. Static-analysis security tooling becomes obsolete the moment a Mythos-class model plus a dynamic test harness gets pointed at your repo. Mozilla published the harness write-up at hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/. Read it before your competitor does.