271 bugs. That's what Mozilla's Firefox team found by pointing Anthropic's AI security tool Mythos at their browser's code - and then went ahead and fixed all of them, according to a Wired report.
Mythos is Anthropic's automated vulnerability-hunting tool, built to do what security engineers call fuzzing - feeding software a flood of unexpected, malformed, or extreme inputs to see what crashes. It's a technique that's existed for decades, but pairing it with an AI model that can generate more targeted and semantically meaningful inputs changes the economics. Human-written fuzz tests tend to hit obvious edge cases. AI-generated ones can probe the weirder corners of a codebase that a person wouldn't think to poke.
What 271 Bugs Actually Tells You
The Firefox codebase is one of the most security-audited pieces of software on the planet. Mozilla has a dedicated security team, a long-running bug bounty program, and decades of accumulated tooling. Finding 271 additional bugs there isn't evidence that prior security work was sloppy - it's evidence that AI-assisted fuzzing can surface a different class of issues than traditional methods catch.
Not every bug in that count is critical. Security audits routinely surface bugs ranging from memory corruption flaws that could let an attacker run arbitrary code, down to edge-case crashes that are technically bugs but practically unexploitable. Mozilla hasn't published a full breakdown of severity. What matters is that the tool found real issues worth fixing, not just noise.
For developers using Claude or Claude Code for coding assistance, this represents the more serious end of what AI can do with code - not just autocomplete or refactoring suggestions, but systematic vulnerability discovery that requires understanding program behavior at a low level.
The Team's Honest Assessment
Here's where the Firefox team's take gets interesting: they don't think AI is going to fundamentally reshape cybersecurity in the long run. Their argument is that, as far as security fundamentals go, AI changes the speed and volume of certain tasks without changing the underlying nature of the problem. Bugs will still exist. Attackers will still probe for them. Defenders will still need to reason about trust boundaries and threat models.
What they do warn about is the near-term transition. Software developers who aren't security specialists are going to have AI write more of their code, faster than ever. AI-generated code can carry the same classes of vulnerabilities as human-written code - sometimes more, because the model may confidently produce code that looks correct but contains subtle flaws in memory management or input validation. The gap between "the code runs" and "the code is secure" doesn't close just because AI wrote it faster.
That's a real tension. Tools like Mythos can help catch those bugs after the fact, but they work best when integrated into the development process early, not applied as a cleanup pass at the end. Mozilla's result is a proof point that AI security tooling works. The harder question is whether development teams will use it systematically, or treat it as a one-time audit.