Claude Mythos: AI Security Agent That Found 271 Firefox Bugs
Claude Mythos found 271 Firefox bugs in one pass. How Anthropic's restricted security agent works — and what it means for defenders.
On April 21, 2026, Mozilla shipped Firefox 150 with patches for 271 security vulnerabilities — every one of them found by Anthropic’s Claude Mythos Preview, a frontier AI model that most developers cannot access and Anthropic does not plan to release publicly.
For context: Mozilla addressed roughly 73 high-severity Firefox vulnerabilities across all of 2025. Mythos found nearly four times that many in a single evaluation pass. The previous AI-assisted attempt — Claude Opus 4.6 analyzing Firefox 148 — found 22 bugs. Mythos found 271. More than 12 times as many.
This is not a product launch you can sign up for. It is the most consequential demonstration yet that autonomous AI agents can operate as peer-level security researchers — and the clearest signal that the way we think about software vulnerability disclosure needs to change.
What Is Claude Mythos and Project Glasswing?
Claude Mythos Preview is a frontier AI model purpose-built for security research, released on April 7, 2026 alongside Project Glasswing — a controlled-access program that distributes the model to a curated set of organizations maintaining critical software infrastructure.
Unlike Claude Opus 4.6 (Anthropic’s publicly available frontier model), Mythos is not available via the Anthropic API. It is not on claude.ai. Anthropic has explicitly stated it will not release Mythos publicly, citing its potential for misuse: specifically, that it could enable attackers to autonomously discover zero-day vulnerabilities and develop working exploits at scale and speed previously impossible for any human team.
The Project Glasswing founding consortium includes 12 named partners — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself — plus more than 40 additional organizations managing critical software infrastructure.
Mozilla’s access came through a direct collaboration with Anthropic, separate from the formal consortium structure.
Anthropic’s official Project Glasswing announcement — the controlled-access program distributing Claude Mythos Preview to critical infrastructure partners.
The Capability Gap: Mythos vs. Opus 4.6
The benchmarks from Anthropic’s safety report tell a story that raw numbers understate.
Vulnerability Discovery
On internal testing against hardened targets (full defense stack — PIE, stack canaries, ASLR, CFI):
- Mythos Preview: 595 crashes at severity tiers 1-2 (full memory corruption or worse)
- Claude Opus 4.6: 150-175 crashes
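The "full defense stack" above is only meaningful if the binaries under test actually carry those mitigations, and that is also the first thing a defender should verify about their own builds. The following is an added illustration, not code from Anthropic or Mozilla: an ELF64-only checker that reads the program headers for PIE, a non-executable stack and RELRO, looks for the stack-protector import as a heuristic for canaries, and parses the kernel ASLR setting (ASLR is a system policy, not a binary property; PIE is what lets it apply to the main executable). CFI detection here is a heuristic that only recognizes the clang cross-DSO runtime symbols; the sample ELF image it runs on when no path is given is constructed inline.

```python
"""Check whether an ELF64 binary carries the mitigations called a 'full defense stack'.

Added example, not the project's own tooling. ELF64 only; canary and CFI
detection are string heuristics, not full symbol-table parsing.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_elf_mitigations(data: bytes) -> dict:
    """Return which mitigations an ELF64 image carries (keys in check order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    result = {
        "pie": e_type == ET_DYN,                  # position-independent executable
        "nx": False,                              # set from PT_GNU_STACK; absent header = executable stack
        "relro": False,                           # set from PT_GNU_RELRO
        "canary": b"__stack_chk_fail" in data,    # heuristic: stack-protector import name present
        "cfi": b"__cfi_check" in data or b"__cfi_slowpath" in data,  # heuristic: cross-DSO CFI only
    }
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)   # no PF_X on the stack segment -> NX
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def missing_mitigations(result: dict) -> list:
    """Names of mitigations the checker did not find, in check order."""
    return [name for name, present in result.items() if not present]


def aslr_level(randomize_va_space: str) -> int:
    """Parse /proc/sys/kernel/randomize_va_space: 0 off, 1 partial, 2 full (adds brk)."""
    return int(randomize_va_space.strip())


def build_sample_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image so the checker can be exercised offline."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X),
                         0, 0, 0, 0, 0, 0x10)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                                 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return header + b"".join(phdrs) + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report = check_elf_mitigations(f.read())
    else:  # no path given: run on the constructed sample image
        report = check_elf_mitigations(build_sample_elf(True, True, True, True))
    print(report, "missing:", missing_mitigations(report))
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            print("system ASLR level:", aslr_level(f.read()))
    except OSError:
        print("system ASLR level: unavailable on this host")
```

Run it with a path to a real ELF64 binary to get a report; a hardened build should leave only `cfi` in the missing list unless it was compiled with clang's cross-DSO CFI.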
Exploit Development
This is where the capability gap becomes significant. On CyberGym (the industry benchmark for autonomous exploit development):
- Mythos: 83.1% success rate
- Opus 4.6: 66.6% success rate
On Firefox specifically, Mythos constructed working exploits 181 times versus 2 times for Opus 4.6. Opus can find bugs. Mythos can find bugs and automatically turn them into working weapons. That is a qualitative shift, not just a quantitative one.
Exploit Complexity
The exploits Mythos constructs are not simple stack-smashing attacks. In one documented case, Mythos wrote a browser exploit chaining four separate vulnerabilities together. For a FreeBSD target, it developed an exploit requiring a 20-gadget ROP chain split across multiple packets to achieve unauthenticated root access — the kind of work that takes elite human researchers weeks to develop manually.
Palo Alto Networks shared data from their Project Glasswing testing: Mythos accomplished the equivalent of a year’s worth of penetration testing in under three weeks.
The Mozilla Collaboration: What 271 Bugs Actually Means
Mozilla’s post-mortem by Bobby Holley is the most technically honest assessment of what Mythos can and cannot do.
The 271 vulnerabilities span memory corruption down to lower-severity logic bugs. The Register notes that only three received official CVEs in the Firefox 150 advisory — many of the 271 are lower-severity issues that don’t independently meet the CVE threshold, but which represent real latent flaws that could be chained into critical exploits. Mythos demonstrated the ability to chain medium- and low-severity issues into critical attack paths automatically.
Mozilla’s capability assessment:
“Mozilla has many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable, with no category or complexity of vulnerability that humans can find that this model can’t.”
That statement carries weight. It is not marketing copy — it is a capability judgment from an organization that has run Firefox’s security research program for decades.
The qualifier: Mozilla also noted they haven’t seen any bugs Mythos found that couldn’t have been found by an elite human researcher. The machine’s advantage is not that it finds fundamentally different bugs — it’s that it finds them at machine speed, continuously, across thousands of targets simultaneously, and then writes the exploit automatically.
As Holley wrote: “Defenders finally have a chance to win, decisively.”
The Governance Question: Who Gets Access — and Who Decides?
Anthropic’s decision to restrict Mythos to a curated consortium has attracted substantial expert commentary.
Simon Willison’s Take
Simon Willison endorsed the restricted-access model, leading with a quote from a Linux kernel maintainer:
“Something happened a month ago, and the world switched. Now we have real reports.” — Greg Kroah-Hartman, Linux kernel maintainer
Willison quoted Nicholas Carlini (Anthropic researcher): “I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined.”
The Willison analysis frames Project Glasswing as a justified “industry-wide reckoning” — an acknowledgment that AI vulnerability research now outpaces human ability to patch, and that giving defenders a structured head start is the least-bad option available.
Bruce Schneier’s Counter-argument
Schneier and co-author David Lie identified three structural problems with the access model:
- Transparency gaps: Anthropic has not disclosed Mythos’s false-positive rate. Without knowing how often it hallucinates non-existent vulnerabilities, independent evaluation is impossible.
- Training distribution bias: LLMs perform best on widely-used open-source projects — exactly the software maintained by Glasswing’s consortium partners. Specialized infrastructure (medical devices, industrial control systems, regional banking software) likely falls outside Mythos’s training distribution, creating a protected inner circle while specialized critical infrastructure remains exposed.
- Concentrated power: “Any technology that can find thousands of exploitable flaws should not be governed solely by creators’ internal judgment.” Schneier and Lie argue for globally coordinated independent auditing frameworks, not unilateral corporate governance.
The Unauthorized Access Incident
The governance debate became concrete when, on April 7, 2026 — the same day as the Project Glasswing announcement — a small group gained unauthorized access to Mythos by guessing the model’s URL based on familiarity with Anthropic’s naming conventions. The group, which communicates via a private Discord focused on “gathering intelligence on unreleased AI models,” demonstrated their access to Bloomberg News through screenshots and live demos.
Access was gained through a gap between Anthropic’s controls and those of a third-party contractor. Anthropic confirmed it is investigating and stated there is “currently no evidence that the access has impacted Anthropic’s core systems.” The incident illustrates that “restricted access” is harder to maintain in practice than in policy — especially when an AI system has to be made available to dozens of partner organizations via API endpoints.
What This Means for Teams Building AI Security Agents
Mythos Preview is not available via the Anthropic API. But its existence and capabilities are directly relevant to anyone building agentic workflows involving code, infrastructure, or security review.
The capability floor is rising rapidly. Claude Opus 4.6 — publicly available today — found 22 Firefox vulnerabilities. That’s not Mythos-class, but it’s not zero. The question for security teams is no longer whether AI can contribute to vulnerability research, but how to operationalize it safely and with appropriate scope controls.
Exploit development is where the risk concentrates. Mythos’s benchmarks show that autonomous exploit construction — turning a discovered bug into a weaponizable payload — is where the capability gap between AI and humans is now widest and growing fastest. Teams building security scanning pipelines should scope their AI agents narrowly: vulnerability discovery is lower-risk than exploit generation. Apply the same scoping principles discussed in our AI agent security risks guide.
The Glasswing model is a preview of enterprise agent governance. Project Glasswing is, structurally, a problem that every organization running agentic AI will eventually face: how do you give an AI agent the permissions it needs to do useful work without making it a security liability? Glasswing’s approach — vetting, isolation, contractual responsibility, 90-day disclosure timelines — is a template for enterprise agent deployment in high-stakes contexts.
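The two preceding points, scoping an agent narrowly and granting it only the permissions it needs, come down to an enforcement layer between the model and its tools. The following is an added illustration, not Anthropic's or Glasswing's code: a default-deny tool allowlist per work phase, an explicit engagement scope, a human-approval gate for any tool that executes something against a target, and an audit log of every decision. The phases, tool names and target names are hypothetical, and no phase lists exploit construction as an allowed tool.

```python
"""Capability scoping for an AI security-review agent.

Added example with hypothetical tool names, phases and targets. The agent
calls tools only through dispatch(), which consults the session's policy:
default-deny allowlist per phase, target scope, human approval, audit trail.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    DISCOVERY = "discovery"   # read code, run analyzers, file findings
    TRIAGE = "triage"         # additionally reproduce a reported crash in a sandbox


# Hypothetical tool names. Anything absent from a phase's set is denied in that phase.
TOOL_ALLOWLIST = {
    Phase.DISCOVERY: {"read_source", "run_static_analyzer", "file_finding"},
    Phase.TRIAGE: {"read_source", "run_static_analyzer", "file_finding", "run_sandboxed_repro"},
}
# Tools that execute anything against a target need a named human approver.
APPROVAL_REQUIRED = {"run_sandboxed_repro"}


class ToolDenied(Exception):
    pass


@dataclass
class AgentSession:
    phase: Phase
    in_scope: frozenset                     # targets (e.g. repositories) this engagement may touch
    audit_log: list = field(default_factory=list)

    def _record(self, decision: str, tool: str, target: str, reason: str) -> None:
        self.audit_log.append({"decision": decision, "tool": tool, "target": target, "reason": reason})

    def authorize(self, tool: str, target: str, approved_by: str = None) -> bool:
        """Raise ToolDenied unless every policy check passes; log the decision either way."""
        if tool not in TOOL_ALLOWLIST[self.phase]:
            self._record("deny", tool, target, f"not allowed in phase {self.phase.value}")
            raise ToolDenied(f"{tool} is not allowed in phase {self.phase.value}")
        if target not in self.in_scope:
            self._record("deny", tool, target, "target out of scope")
            raise ToolDenied(f"{target} is outside the engagement scope")
        if tool in APPROVAL_REQUIRED and not approved_by:
            self._record("deny", tool, target, "human approval required")
            raise ToolDenied(f"{tool} requires a named human approver")
        self._record("allow", tool, target, f"approved_by={approved_by}")
        return True


def dispatch(session: AgentSession, tools: dict, tool: str, target: str, approved_by: str = None):
    """Run a tool only after the session authorizes it; the tool never sees unauthorized calls."""
    session.authorize(tool, target, approved_by)
    return tools[tool](target)


# Constructed stand-ins for real tools; each just returns a description of what it would do.
DEMO_TOOLS = {
    "read_source": lambda target: f"source tree of {target}",
    "run_static_analyzer": lambda target: [{"target": target, "finding": "unchecked length", "severity": "medium"}],
    "file_finding": lambda target: f"finding filed against {target}",
    "run_sandboxed_repro": lambda target: f"repro attempted for {target} in sandbox",
}


def demo() -> list:
    """Walk one discovery-phase session and return its audit log."""
    s = AgentSession(phase=Phase.DISCOVERY, in_scope=frozenset({"example-org/widget-lib"}))
    dispatch(s, DEMO_TOOLS, "run_static_analyzer", "example-org/widget-lib")
    for tool, target in [("run_sandboxed_repro", "example-org/widget-lib"),   # wrong phase
                         ("read_source", "example-org/other-service")]:       # out of scope
        try:
            dispatch(s, DEMO_TOOLS, tool, target)
        except ToolDenied as e:
            print("denied:", e)
    return s.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The design choice worth noting is that the policy lives outside the model: the agent's prompt may ask for anything, but only the allowlisted, in-scope, approved calls reach a tool, and the audit log records the denials as well as the allows, which is what an after-the-fact review of an agent run needs.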
Patch velocity matters more than it did. If AI systems can find and weaponize vulnerabilities in parallel across every major OS and browser, the window between vulnerability disclosure and active exploitation narrows. Teams running critical software need to rethink patch deployment timelines — 30-day cycles designed around human attacker timelines may not survive contact with Mythos-class capabilities becoming more widely available.
Technical Benchmarks
| Metric | Claude Opus 4.6 | Claude Mythos Preview |
|---|---|---|
| CyberGym exploit success | 66.6% | 83.1% |
| Firefox exploits constructed | 2 | 181 |
| Severity tier 1-2 crashes | 150-175 | 595 |
| Multi-vuln chaining | Limited | Up to 4 documented |
| Autonomous ROP chain dev | No | Yes (20-gadget example) |
| Public API availability | Yes | No (Project Glasswing only) |
The Bottom Line
Claude Mythos Preview is the clearest demonstration yet that AI agents can operate as peer-level security researchers — not assistants to human researchers, but autonomous systems that find vulnerabilities, develop exploits, and identify attack chains at a scale and speed no human team can match.
The 271 Firefox vulnerabilities are a proof of concept. The thousands of zero-days Anthropic has reportedly found across every major OS and browser are the actual story. Mozilla’s framing — “defenders finally have a chance to win” — is the optimistic read. The pessimistic read is that the same capabilities that let defenders find bugs first will eventually reach attackers too.
What’s clear: the security calculus has changed. The industry has approximately the time it takes for Mythos-class capabilities to proliferate — likely not long — to build the governance frameworks, patch velocity, and agent deployment practices that the new era requires.
Community analysis of Claude Mythos and Project Glasswing — the cybersecurity implications of AI-driven vulnerability discovery.
Sources: Anthropic Project Glasswing · Anthropic Red Team Report · Mozilla Blog · SecurityWeek · The Hacker News · Simon Willison · Schneier on Security · The Next Web — Unauthorized Access · The Register · Foreign Policy