Anthropic and Mozilla made headlines claiming that Mythos, an AI security auditing tool, found 271 vulnerabilities in Firefox 150 for under $20,000. A detailed analysis at xark.es tells a different story. That $20,000 budget covered roughly 1,000 scaffolded runs across Firefox's major attack surfaces, including the DOM, graphics, networking, JavaScript, and layout engines. The "271 vulnerabilities" figure lumps together several bug classes: memory safety fixes, non-exploitable bugs, defensive code cleanups, and stability patches. The four main CVE entries alone link to 317 bug references, and those span Thunderbird and ESR releases, not just Firefox 150. As the author notes, there is a wide spectrum between finding a correctness bug and finding a weaponizable exploit chain, and collapsing that spectrum into a single headline number gets attention but loses precision.
For defenders, this is still valuable work. Memory safety issues, lifetime mistakes, race conditions, and incorrect ownership patterns are exactly what security teams want fixed before attackers find them. But the evidence doesn't support claims that AI has cracked offensive vulnerability research. Many of the fixes predate Anthropic's announcement by days or weeks. Hacker News commenters noted that large C/C++ projects typically carry backlogs of thousands of similar issues waiting to be triaged. At roughly $73 per reported finding ($20,000 spread across 271 items), the result is volume, not precision.
Mozilla's new CEO Anthony Enzor-DeMeo has been described as an "AI booster" with plans to transform Firefox into a "modern AI browser." Mozilla's own blog post was titled "The zero-days are numbered". That's a bold claim. The public evidence suggests Mythos is a genuinely useful tool for defensive security work at scale. But the gap between what was demonstrated and what's being claimed tells you more about marketing incentives than the state of AI security research.