The Loop  ·  Issue 025

A field journal of the AI frontier — for engineers who ship.

§ News

By AI Blog Editor
May 9, 2026 · 12 min read

The bug detector — Anthropic's withheld model just landed 271 patches in Firefox 150

On May 7 Mozilla revealed it has been running Claude Mythos Preview against Firefox since February. Firefox 150 shipped 271 vulnerability fixes from the model — 180 of them sec-high — and April closed with 423 total fixes against a 2025 baseline of 20–30 a month.

The 2019 Firefox logo — a stylised orange fox curled around a blue globe.
Firefox logo, 2019 redesign. Public-domain trademark image via Wikimedia Commons.

On May 7, 2026, Mozilla published a Hacks blog post explaining how it had spent the previous three months pointing Anthropic's unreleased Claude Mythos Preview at the Firefox source tree. The numbers attached to the post are the kind that make a casual reader stop scrolling. Firefox 150, which shipped to hundreds of millions of users, included 271 security fixes the model had found. Of those, 180 were rated sec-high, 80 sec-moderate, 11 sec-low. Across all of April, Mozilla closed 423 security bugs in Firefox releases, per The Decoder's writeup of the same post. The Firefox 2025 baseline was about 20 to 30 bugs a month. The previous monthly record — March 2026 — was 76.

The Loop covered Mythos six weeks ago, when Anthropic announced it would not be shipping the model. The framing then was that Mythos crossed a capability threshold on long-horizon autonomy and offensive cyber benchmarks, including AISI's Last Ones corporate-network range, and that selling API access to the thing was a risk Anthropic preferred not to take. AISI's follow-up evaluation of GPT-5.5 on April 30 confirmed the capability was real. What neither of those posts showed was what the model would do if you pointed it at a giant C++ codebase and asked it to find bugs in the code, instead of bugs with the code. May 7 is the answer.

The model Anthropic wouldn't sell, in production at one user

The Mozilla Hacks post is co-authored by Brian Grinstead (Distinguished Engineer, Firefox), Christian Holler (Firefox Tech Lead and Principal Engineer), and Frederik Braun (Manager, Firefox Application Security). Their account of the engagement starts in February 2026, when Anthropic's Frontier Red Team sent Mozilla a batch of fixes for vulnerabilities they had found running Claude Opus 4.6 against Firefox's JavaScript engine. That round was disclosed in March: 112 reports submitted, 22 confirmed as vulnerabilities by Mozilla, 14 of those sec-high, $4,000 in API credits burned, two of the bugs the model could chain into working exploits in a test environment. It was a quiet, well-handled red-team exercise. Firefox 148 shipped the patches.

Mozilla read it as a recipe rather than a one-off. "Just a few months ago," the post reads, "AI-generated security bug reports were mostly known for being unwanted slop." What changed was not that the inbox got better. It was that the Firefox team built a pipeline. They wired Claude Mythos Preview into a harness that could compile, run, and instrument Firefox builds, then asked it to confirm or refute its own hypotheses against real binaries. "The key feature of such a harness," the post reads, "is that, given the right interfaces and instructions, it can create and run reproducible test cases to dynamically test hypotheses about bugs in code."

That sentence is the project. The model is not telling humans to go check; the model is checking, and the humans triage what survives.

What the 271 actually are

Mozilla's headline number breaks down by severity into 180 sec-high, 80 sec-moderate, and 11 sec-low. Three of the bugs got CVE numbers credited to Anthropic — CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758 — though the post is careful to note that the rest were classified internally rather than externally disclosed. The 423-figure for April covers everything: 271 from the Mythos pipeline, 41 from external researchers, 111 from Mozilla's own internal methods (fuzzing, manual review, prior tooling).

The post lists examples that do the work of explaining what "271 bugs" means in practice. Bug 2024918 is a WebAssembly GC struct-initialisation issue that yields a fake-object primitive — the kind of bug that is one chained gadget away from a sandbox escape. Bug 2024437 is a 15-year-old defect in the <legend> element involving recursion and cycle collection; bug 2025977 is a 20-year-old XSLT reentrant key() hash-table bug. Bug 2021894 is a race condition in inter-process communication that produces a use-after-free on IndexedDB and a sandbox escape behind it. The Decoder also flags an HTML table counter that overflows past 65,535 rows.
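The table-counter bug is the easiest of these to picture, so here is a constructed illustration of that bug class, added for this writeup and not taken from Firefox's layout code or from Mozilla's post. A 16-bit row count (`NaiveRowCounter`, a hypothetical name) silently wraps to zero after 65,535 rows, so any code that later trusts the count as a size or index bound is working from a number that no longer matches the rows. The checked form beside it (`CheckedRowCounter`, also hypothetical) refuses the increment instead of wrapping, which is the behaviour a reviewer would want a patch to restore:

```cpp
#include <cstdint>
#include <limits>

// Constructed toy model of the bug class: a table keeps its row count in a
// 16-bit field. Each ++ past 65535 wraps to 0 (well-defined for unsigned
// types, and exactly the wrong thing here), so the count drifts away from
// the real number of rows without any error being raised.
struct NaiveRowCounter {
  uint16_t rowCount = 0;
  void addRow() { ++rowCount; }  // wraps modulo 65536
};

// Hardened form: the increment is checked and refuses to wrap. The caller
// gets a failure it can act on instead of a count it cannot trust.
struct CheckedRowCounter {
  uint16_t rowCount = 0;
  bool addRow() {
    if (rowCount == std::numeric_limits<uint16_t>::max()) {
      return false;  // refuse the row rather than corrupt the count
    }
    ++rowCount;
    return true;
  }
};

// Feed n rows into the naive counter and report what it believes afterwards.
// For n >= 65536 the result is n mod 65536, not n.
uint32_t naiveCountAfter(uint32_t n) {
  NaiveRowCounter t;
  for (uint32_t i = 0; i < n; ++i) t.addRow();
  return t.rowCount;
}

// Same for the checked counter: the count saturates at 65535.
uint32_t checkedCountAfter(uint32_t n) {
  CheckedRowCounter t;
  for (uint32_t i = 0; i < n; ++i) t.addRow();
  return t.rowCount;
}

// How many rows the checked counter refused for n insertions. A non-zero
// value is the signal a caller (or a test harness) can key on.
uint32_t checkedRejectedAfter(uint32_t n) {
  CheckedRowCounter t;
  uint32_t refused = 0;
  for (uint32_t i = 0; i < n; ++i) {
    if (!t.addRow()) ++refused;
  }
  return refused;
}

// Does the counter's answer still match the number of rows actually added?
// This is the invariant the naive version breaks and the checked one keeps.
bool naiveCountMatches(uint32_t n) { return naiveCountAfter(n) == n; }
```

With 70,000 rows the naive counter reports 4,464 while the checked one stops at 65,535 and reports 4,465 refusals. Whether refusing rows is the right recovery is a product decision; the security point is that the mismatch between the stored count and the real row count is what later code turns into an out-of-bounds access, and a checked increment surfaces it at the source.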

These are not bugs a fuzzer was about to trip into. Two of them had been sitting in Firefox since some of the people who fixed them were children. "Over 100 people contributed code to this effort," the post says, "to ship the most secure Firefox yet." That is a lot of senior engineers reviewing a lot of patches generated by one model that nobody outside Mozilla can buy.

The benchmark question, inverted

Hold the AISI report and the Mozilla report up against each other, because they are about the same model, and the conclusions are almost mirror images.

AISI tested Mythos Preview on offensive capability: capture-the-flag challenges, multi-step attack ranges, jailbreak resistance. Mythos finished AISI's hardest range, The Last Ones, in 3 of 10 attempts, the first model ever to do so. That was the data point Anthropic used when it argued the model should stay in the lab.

Mozilla tested the same model on defensive capability: take a 30-million-line C++ codebase that ships to hundreds of millions of users and find the bugs nobody else found. The model found 271 of them in a single release cycle, plus another roughly 150 across the rest of April. The capability that AISI flagged in its red-team evaluation is the same capability Mozilla is now using to ship a more secure browser than it has ever shipped before. The bench measured both edges of the same blade.

The open question is what this does to the "withhold the dangerous one" lever. Anthropic's argument was that broad API access is a risk because it lets attackers find and exploit bugs as fast as defenders can patch them. Mozilla's argument is that targeted, vendor-supervised access lets defenders find their own bugs at a pace nobody can match externally. Both can be right at once. What the two arguments agree on is that the same model does both jobs well, and the question of who gets access is now load-bearing in a way it was not when the model was a vendor demo.

The cynical reading is that Anthropic gets the best of both worlds: the prestige of refusing to ship a "too dangerous" model, and a co-marketing partnership with Mozilla on the upside of running it anyway. The charitable reading is that this is what gated capability deployment is supposed to look like — a single defender, a contract, a clear scope, and a public writeup of what got found. Both readings can be right at once.

What to watch

  1. Whether the pipeline survives leaving Firefox. Mozilla wrote it because Mozilla had a vendor relationship and a reason. Chromium's security team is bigger, better resourced, and reports to Google, which has its own frontier-model pipeline. If the Chrome project ships a comparable post in Q3 — using Gemini, or Mythos, or anything else — the pattern is industry. If it does not, this is a single-vendor partnership dressed up as a methodology.
  2. CI integration. The Mozilla post says they intend to move from file-based scanning to scanning patches as code lands. That is a different scaling story. Per-patch analysis at Firefox velocity is hundreds of API calls a day, with latency budgets a research engagement does not have. The release where Mozilla announces a pre-commit Mythos hook is the release where this stops being a one-time campaign.
  3. What the next "won't ship" model gets used for. Anthropic's next-generation model after Mythos will, on the current trajectory, hit the same set of capability thresholds and get the same withhold-from-API treatment. The interesting question is whether the partner pipeline scales — whether the next Mozilla is Linux kernel maintainers, or curl, or OpenSSL, or whether the playbook only works for one well-resourced, browser-shaped customer. This week's post is the first chapter of that story, not the last.

The number to remember from this is not 271. It is the ratio. Mozilla's monthly security throughput went from 20–30 bugs to 423 in a month — a single-model intervention that is, on Firefox's own count, the biggest single jump in finding rate the project has ever had. The model that did it is the one Anthropic told the world it would not sell. It turns out "would not sell" and "would not deploy" are different sentences.

* * *

Thanks for reading. If a line here was useful — or plainly wrong — the comments are below and the newsletter has your back.
