2026-04-22

Anthropic's automated security research system Mythril identified 271 zero-day vulnerabilities in Firefox 150, signaling a shift in how AI handles security auditing at scale.

Anthropic's Mythril Found 271 Security Vulnerabilities in Firefox 150

Mozilla has disclosed that Anthropic's automated security research system, Mythril, identified 271 zero-day vulnerabilities in Firefox 150. The finding represents one of the largest single-audit vulnerability disclosures in the browser's history and was produced not by a human red team, but by an AI system operating at a scope and speed no traditional security engagement could match.

The disclosure positions Mythril as a meaningful proof point for AI-driven vulnerability research — not as a tool assisting human analysts, but as a primary executor of security audits across large, production-grade codebases.

Mythril is Anthropic's internal system built specifically for automated security research. Unlike general-purpose coding assistants or even AI models fine-tuned on security tasks, Mythril appears designed to operate end-to-end across a codebase: identifying attack surfaces, reasoning about exploit conditions, and producing actionable vulnerability reports without requiring human guidance at each step. Mozilla's engagement with Anthropic on Firefox 150 gave the system access to a mature, complex, real-world codebase — the kind of target that typically demands months of work from experienced security researchers.

All 271 vulnerabilities are classified as zero-days, meaning none had been previously identified or patched. The scale alone challenges the economics of traditional security auditing. Even well-resourced teams rarely surface vulnerability counts in that range from a single engagement, and an AI system compresses the time to discovery from what would otherwise be multi-month research cycles into something far shorter.

The operational implications extend beyond Firefox. What Mythril demonstrates is that AI systems are now capable of performing high-complexity, high-stakes technical work — security auditing — without human scaffolding at each decision point. This shifts AI from an assistant role into an execution role in a domain where errors carry serious consequences. Organizations that maintain large codebases, particularly those in infrastructure, financial services, and critical systems, now have to reckon with a new baseline: AI-driven audits may surface vulnerabilities their internal teams have not found, and likely at lower cost.

For the security industry specifically, this creates pressure on the traditional penetration testing and vulnerability research market. If automated systems can reliably identify zero-days in production software at this scale, the value proposition of manual auditing changes. It does not disappear — human judgment remains essential for triage, prioritization, and remediation strategy — but the discovery phase, historically the most labor-intensive part of a security engagement, is now a credible candidate for full automation.

There is also a dual-use dimension that cannot be ignored. A system capable of finding 271 zero-days in a browser is, by definition, a system capable of producing an attack surface map of significant value. Anthropic's decision to deploy Mythril in a structured, disclosed research context with Mozilla reflects a deliberate framing of this capability as defensive. How that boundary holds as the capability proliferates — whether through Anthropic's own expansions, competing systems, or open replication — is an open question with significant policy implications.

What this engagement signals longer-term is that AI systems are moving into technical domains previously gated by deep specialist expertise. Security research has long been one of the more defensible human-only activities in software engineering. The Firefox 150 disclosure suggests that gate is no longer closed.

Sources: Ars Technica (https://arstechnica.com/ai/2026/04/mozilla-anthropics-mythos-found-271-zero-day-vulnerabilities-in-firefox-150/)