\n
![](\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/GettyImages-2167753513-1152x648.jpg\")
<\/p>\n
\n<\/p>\n
The disbelief was palpable when Mozilla\u2019s CTO final month declared that AI-assisted vulnerability detection meant \u201czero-days are numbered<\/a>\u201d and \u201cdefenders lastly have an opportunity to win, decisively.\u201d In spite of everything, it regarded like a part of an all-too-familiar sample: Cherry-pick a handful of spectacular AI-achieved outcomes, miss any of the nice print that may paint a extra nuanced image, and let the hype prepare roll on.<\/p>\n Aware of the skepticism, Mozilla on Thursday offered a behind-the-scenes look into its use of Anthropic Mythos\u2014an AI mannequin for figuring out software program vulnerabilities\u2014to ferret out 271 Firefox safety flaws over two months. In a publish<\/a>, Mozilla engineers stated the lastly ready-for-prime-time breakthrough they achieved was primarily the results of two issues: (1) enchancment within the fashions themselves and (2) Mozilla\u2019s growth of a customized \u201charness<\/a>\u201d that supported Mythos because it analyzed Firefox supply code.<\/p>\n The engineers stated their earlier brushes with AI-assisted vulnerability detection have been fraught with \u201cundesirable slop.\u201d Sometimes, somebody would immediate a mannequin to investigate a block of code. The mannequin would then produce plausible-reading bug stories, and sometimes at unprecedented scales. Invariably, nonetheless, when human builders additional investigated, they\u2019d discover a big share of the small print had been hallucinated. The people would then want to take a position vital work dealing with the vulnerability stories the old school method.<\/p>\n“Nearly no false positives”<\/h2>\n