Mozilla Completes 14 Months of Security Patches in 30 Days with Anthropic's 'Claude Mythos'
Mozilla fixed 423 security vulnerabilities in just one month using Anthropic's restricted AI model, 'Claude Mythos'. This achievement, which uncovered persistent bugs up to 20 years old, is seen as a demonstration of the overwhelming performance of defensive AI in cybersecurity.
Mozilla has sped up security fixes in the Firefox browser to unprecedented levels using Anthropic's latest AI model, 'Claude Mythos Preview'. In April 2026, Mozilla fixed a total of 423 security bugs, a sharp increase from the 31 fixes recorded in April 2025. This figure matches the total number of fixes over the previous 14 months (approximately 420), demonstrating AI's disruptive potential in security engineering.
Completing 14 months' worth of security patches in just 30 days signifies a paradigm shift in cybersecurity defense systems.
During this large-scale patching process, Mozilla succeeded in finding 'ancient' vulnerabilities that human auditors had failed to discover for decades. Specifically, an XSLT-related bug hidden in the code for 20 years and a 15-year-old HTML element parsing error were identified by Claude Mythos. These bugs were not simple new errors but long-dormant flaws in legacy code that were difficult to detect with existing manual inspections or automated tools.
Claude Mythos: The Core Engine of Security Discovery
Developed by Anthropic, Claude Mythos was designed as a 'frontier model' specialized for cybersecurity. According to Mozilla engineers, the model showed remarkable accuracy with a near-zero false-positive rate while identifying 271 vulnerabilities. This reliability allowed Mozilla to quickly apply AI-suggested fixes to actual production environments, suggesting that AI has moved beyond a simple assistant tool to the stage of practical deployment.
- Security fixes in April 2026: 423 (approx. 13x increase year-over-year)
- 271 identified vulnerabilities confirmed with near-zero false positives
- Resolved 20-year-old XSLT bug and 15-year-old HTML parsing error
- Adopted a restricted defense strategy through Project Glasswing
To prevent misuse of the Mythos model, Anthropic established a restricted alliance called 'Project Glasswing' instead of releasing it to the public. Major IT companies, including Mozilla, AWS, Apple, Google, Microsoft, and NVIDIA, are participating in this project. This is part of a 'defense-first' strategy to ensure defenders can fix security flaws before attackers can use AI to find zero-day vulnerabilities.
Security experts describe these changes as the beginning of an 'AI Vulnerability Storm'. As AI accelerates vulnerability discovery, corporate incident response teams face extreme time pressure to complete patches before disclosed bugs are exploited. Mozilla's case foreshadows a future in which AI-based automated patching systems become an essential element of modern software maintenance in the midst of this storm.
Combining Defense-in-Depth with AI
Fortunately, Firefox's existing 'defense-in-depth' system had already significantly mitigated the potential risks of many vulnerabilities discovered by the AI. According to Mozilla's analysis, many of the bugs found by Mythos were difficult to turn into actual attacks because of the browser's multiple security layers. This case shows that the best security results are achieved when AI-driven vulnerability discovery is combined with a robust existing architecture.
Anthropic stated that Mythos discovered more than 2,000 undisclosed vulnerabilities during a testing period of approximately seven weeks. While this performance has the positive effect of narrowing the technical gap among security experts, it also raises concerns that malicious users could cause serious damage without a technical background. Therefore, controlled deployment methods like Project Glasswing are likely to become the standard for operating AI security tools in the future.
A New Standard for Software Security
In conclusion, Mozilla's experiment has set a new benchmark for software security. AI lowers the barrier to entry for vulnerability discovery while providing defenders with an overwhelming speed advantage. For software companies, AI-based security automation will become an essential strategy for survival rather than an option, and it is expected to serve as a catalyst for raising the security level of the entire IT ecosystem.

