Mozilla Hardens Firefox Using AI-Powered Bug Detection
- Mozilla leverages 'Claude Mythos' AI to identify hundreds of Firefox security vulnerabilities
- Security bug resolution rate increased dramatically, reaching 423 fixes in April alone
- Automated bug-finding techniques replaced previous manual, high-effort verification processes
For years, the open-source community struggled with the 'asymmetric cost' of AI-assisted security reports. It was trivial for an LLM to hallucinate potential bugs, but significantly more expensive for human maintainers to verify whether those reports were legitimate security threats or mere 'slop.' That dynamic has recently shifted, thanks to the deployment of more capable, specialized models.
Mozilla recently demonstrated this pivot by utilizing an advanced, unreleased preview version of Anthropic's Claude, referred to as 'Claude Mythos,' to scan the codebase of the Firefox web browser. By layering multiple AI agents—each designed to steer, scale, and filter the model's output—Mozilla successfully transformed the noise of AI-generated suggestions into high-quality, actionable security intelligence.
The results were striking. While the project historically averaged roughly 20 to 30 security fixes per month throughout 2025, that number skyrocketed to 423 in April 2026. This leap highlights how sophisticated AI-driven engineering workflows can move beyond simple code completion, serving as an active defense-in-depth mechanism.
Beyond the raw numbers, the discovery process itself is noteworthy. The AI successfully surfaced deeply buried issues, including a legacy XSLT (Extensible Stylesheet Language Transformations) bug that had persisted for two decades, as well as a 15-year-old vulnerability within the standard
The most reassuring takeaway for the security community is that many of the AI's most aggressive attack attempts were still thwarted by Firefox's existing architectural safeguards. This integration confirms that modern AI does not replace core engineering rigor; rather, it amplifies the ability of developers to identify weaknesses that human eyes might have overlooked for years. As these techniques mature, we are likely to see similar 'AI-hardening' strategies becoming standard operating procedure for critical software infrastructure.