- What: Firefox evaluates Claude Mythos AI model
- Impact: 271 vulnerabilities identified during evaluation
Firefox report offers early insight into Claude Mythos AI model
April 22, 2026
By Steve Zurier

Firefox on April 21 said that after reviewing an early version of Claude Mythos, this week's release of Firefox included fixes for 271 vulnerabilities identified during the initial evaluation.

While nothing definitive was discovered, the preliminary conclusions from the Firefox researchers represent a yin and yang of our new AI era. On one hand, the Firefox team said they hadn't seen any bugs that couldn't have been found by an elite human researcher. While some commentators predict that future AI models will unearth entirely new forms of bugs that defy our current comprehension, the Firefox team said they didn't think so.

At first blush, that response appears ho-hum, but the team also said the good news is that by offering every team the capability of an elite researcher, Mythos potentially gives defenders a chance to win decisively.

“Until now, the industry has largely fought security to a draw,” wrote the Firefox team. “Vendors of critical internet-exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe. Nevertheless, we’ve all long quietly acknowledged that bringing exploits to zero was an unrealistic goal. Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use.”
Noelle Murata, chief operating officer at Xcape, Inc., said the debate over whether AI "surpassing" humans is a "good or bad thing" misses the operational reality: AI doesn't need to be smarter than our best researchers; it just needs to run faster, cheaper and tirelessly. Murata said the real risk has never been the singular, hyper-sophisticated "black swan" vulnerability: it's the sheer volume of "elite-level" bugs that sit undetected for decades because human expertise is a non-scalable bottleneck.

“By automating the reasoning of a top-tier security professional, Mythos essentially devalues the zero-day market,” said Murata. “When finding a complex memory corruption bug costs cents in compute rather than months of six-figure human salary, the economic advantage shifts decisively toward the defenders. For executives, the takeaway is that the era of ‘security through obscurity’ is dead. If a bug is discoverable by an expert, it’s now discoverable at scale by anyone with an API key. We are entering a world where software defects are finite, and for the first time, defenders actually have the bandwidth to find them all before the attackers do.”

John Gallagher, vice president of Viakoo Labs, asked people to take a step back and recognize that we are in the early days of understanding the impact of Mythos. Gallagher said that as more organizations report on their Mythos experiences, we will see a more complete picture.

“Relying on reports from the handful of organizations with access to Mythos can create a very false illusion of security,” said Gallagher.
“There are no organizations who produce OT or IoT systems with Mythos access, and those organizations have a dramatically less developed approach for vulnerability management.”

Gallagher said very few organizations are like Mozilla, which already has sophisticated processes for finding vulnerabilities before the product gets released. Mozilla represents an organization well-equipped to find and manage vulnerabilities, said Gallagher.

“The real threat of Mythos is not with such an organization, it’s with the thousands of OT, IoT, and ICS products being developed and delivered that fully lack such processes,” said Gallagher. “When Mythos is available to the general public, it’s those systems — and not browsers — that will be aggressively attacked.”

Matan Shavit, general manager, North America at Hadrian, said that Mythos represents a net positive for defenders in the short term because it massively scales vulnerability discovery. But structurally, Shavit said, it's neutral to negative over time.

“The same capability lowers the barrier for offensive actors — what used to require a top-tier specialist can now be replicated, scaled, and automated,” said Shavit. “The key shift isn’t quality; it’s access and speed. Elite-level capability is no longer scarce. So, good for defenders who move fast; risky for everyone if attackers catch up, and they usually do. Overall, the uptick in CVEs has thus far been a benefit, but once vulnerabilities really start coming it’s going to strain vendors as they try to release patches and then strain companies as they try to apply them.”

Yagub Rahimov, chief executive officer of Polygraf AI, added that Claude Mythos operating at the level of an elite researcher represents both a new paradigm and a risk multiplier. Like any meaningful technology, Rahimov said, the outcome depends entirely on who's driving.
For defenders, Rahimov said, Mythos condenses one month of manual review into an hour and makes world-class vulnerability discovery available to a team that could not afford an elite researcher: that's exactly the kind of productivity AI should deliver. But Rahimov pointed out that the same system that gives an edge to a red team will help an adversary map weaknesses in any codebase they can point it at. Adversarial elite hackers have always existed, but now that skill comes at the click of a button, with speed, scale, and accessibility.

“We are seeing elite-level capability becoming a commodity; the threat model is shifting from ‘who has the talent’ to ‘who has the intent’ and ‘who is in control’,” said Rahimov. “I don't think we need to celebrate or panic. We need to accept that raw capability is no longer the differentiator. To differentiate, organizations need oversight, control, and containment.”

As awareness of Mythos' capabilities has grown since its introduction in early April, reports of unauthorized access to the AI model emerged on April 22. Bloomberg reported that a small group of users accessed Mythos using various methods, including access to Anthropic via a third-party vendor they worked for. Claude Mythos has not been released to the general public, and its use is limited to the 40 organizations that are part of Project Glasswing, a cybersecurity initiative to discover and fix vulnerabilities using the powerful AI model.