"Defenders finally have a chance to win, decisively." — Bobby Holley, Mozilla CTO.
Mythos and Anthropic’s Opus 4.6: an unusual pairing
The Mozilla Foundation said it tested Anthropic’s Mythos bug-finding model using Anthropic’s Opus 4.6, and reported results that it characterizes as a watershed for software defenders. Mozilla used the model to examine Firefox releases and compared the output against the kinds of defects traditionally found by automated fuzzers and elite human researchers.
What Mythos found in Firefox 148 and 150
According to Mozilla’s account, Mythos found 22 bugs in Firefox 148 and a much larger haul — 271 vulnerabilities — in Firefox 150. Mozilla’s write-up emphasizes that Mythos improves on the fuzzing tools the project already uses, by reasoning about source code in ways Mozilla had previously relied on scarce human expertise to accomplish.
Bobby Holley’s mixed conclusion: vertigo and optimism
Mozilla CTO Bobby Holley described the two results as producing “vertigo” for the Firefox team as they confronted the scale of fixes. Holley warned that “for a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”
At the same time he framed the development as a possible turning point. Holley called the results “light at the end of the tunnel,” arguing that until now security had “largely fought security to a draw.” He explained that defenders had been trying to make bugs expensive to find and exploit — “so expensive that only actors with functionally unlimited budgets can afford them” — and said Mythos narrows the gap between machine-discoverable and human-discoverable bugs.
Holley emphasized that Mythos’ findings so far do not represent a new, unfathomable class of defects. “Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher,” he wrote, and added that “Computers were completely incapable of doing this a few months ago, and now they excel at it.” He also wrote, “The defects are finite, and we are entering a world where we can finally find them all.”
What this means for security teams, enterprises, and adversaries
- Security teams and technologists: Mozilla frames Mythos as a force multiplier. The Foundation reports that the model can reason through source code in the way elite researchers do, reducing the bottleneck on scarce human expertise and changing expectations about how many defects can be discovered automatically.
- Affected enterprises and procurement leaders: The sheer count — 271 vulnerabilities in a single Firefox release — suggests organisations that rely on rapid patching and vulnerability management will face a surge in findings to triage and remediate. Mozilla’s own reaction — “vertigo” and the question of keeping up — signals a stress point many IT teams may need to plan for.
- Adversaries and threat actors: Mozilla argues the gap Mythos closes erodes an attacker’s long-term advantage by making discoveries cheaper. Where previously attackers could concentrate months of human effort to find a single high-value bug, Mythos could make similar discoveries much less costly to produce.
Fixing the haul and the promise of automation
Mozilla’s public framing combines urgency with a forecast: the toolset has changed, and with it the balance between human-led discovery and machine-led discovery. Mozilla describes Mythos as “every bit as capable” as the world’s best security researchers, and the model purportedly finds no category of vulnerability that an elite human cannot find. That claim underpins the Foundation’s optimism: if bugs remain within human-comprehensible categories and are, as Holley wrote, “finite,” then systematic machine assistance could enable defenders to find, and then fix, far more defects than they could before.
Yet Holley’s own words underline the immediate management challenge. He characterises the initial reaction as vertigo and asks whether teams can keep up with the volume of findings. That tension — between a powerful new discovery capability and the operational burden of triage and remediation — is the clearest practical question the Mozilla account leaves on the table.
Mozilla’s test with Mythos and Opus 4.6 marks a concrete data point in the evolving relationship between AI and software security: it is both a signal that automated reasoning can match elite human researchers and a challenge to development and operations teams to scale their response. Can teams fix 271 flaws in a release cycle without sacrificing quality or speed? Mozilla’s CTO says the result feels terrifying in the short term but “ultimately great news for defenders.”




