<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[AI Is Transforming Software Security — But Nobody Knows Yet Whether Attackers or Defenders Win]]></title><description><![CDATA[<p dir="auto"><img src="/forum/assets/uploads/files/1778327301970-9963b118-535b-4490-ae2f-74a923e15b21-image.png" alt="9963b118-535b-4490-ae2f-74a923e15b21-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">The rapid improvement in AI-powered vulnerability detection is forcing the cybersecurity industry to confront a question it does not yet have a clear answer to: when AI becomes dramatically better at finding software bugs, does that primarily help the people trying to fix them or the people trying to exploit them? Mozilla's experience with Anthropic's Mythos model offers one of the most detailed case studies available so far. On the defensive side, Firefox went from shipping 31 bug fixes in April 2025 to 423 in April 2026, a transformation Mozilla's researchers described in unusually direct terms: "It is difficult to overstate how much this dynamic changed for us over a few short months." Notably, the Firefox team still uses human engineers to write and review every patch — AI finds the bugs but cannot yet reliably fix them, with Grinstead describing the repair process as "not automatable" despite well-documented progress in AI coding tools.</p>
<p dir="auto">The offensive risk is harder to quantify but impossible to ignore. One month after Mythos was previewed, most bugs it discovered beyond Firefox have likely not yet been patched, creating a window of exposure that sophisticated attackers could exploit. Anthropic has followed responsible disclosure norms carefully, but as Grinstead acknowledged, bad actors are almost certainly using similar techniques with slightly less capable models. Anthropic CEO Dario Amodei expressed optimism that AI will ultimately favor defenders, arguing there are only so many bugs to find and that fixing them proactively leaves software in a stronger long-term position. Grinstead offered a more measured conclusion from the front lines: "It's useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet." That honest uncertainty from someone working through the practical reality is probably the most accurate summary of where the industry stands right now.</p>
]]></description><link>https://undeads.com/forum/topic/19686/ai-is-transforming-software-security-but-nobody-knows-yet-whether-attackers-or-defenders-win</link><generator>RSS for Node</generator><lastBuildDate>Mon, 08 Jun 2026 23:29:51 GMT</lastBuildDate><atom:link href="https://undeads.com/forum/topic/19686.rss" rel="self" type="application/rss+xml"/><pubDate>Sat, 09 May 2026 11:48:24 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to AI Is Transforming Software Security — But Nobody Knows Yet Whether Attackers or Defenders Win on Sat, 09 May 2026 16:53:35 GMT]]></title><description><![CDATA[<p dir="auto">"Nobody knows the answer yet" from the guy actually doing it — most honest cybersecurity statement of 2026</p>
]]></description><link>https://undeads.com/forum/post/54790</link><guid isPermaLink="true">https://undeads.com/forum/post/54790</guid><dc:creator><![CDATA[bonk]]></dc:creator><pubDate>Sat, 09 May 2026 16:53:35 GMT</pubDate></item><item><title><![CDATA[Reply to AI Is Transforming Software Security — But Nobody Knows Yet Whether Attackers or Defenders Win on Sat, 09 May 2026 16:53:24 GMT]]></title><description><![CDATA[<p dir="auto">31 to 423 monthly fixes is not incremental; Mozilla's own language confirms a categorical capability shift</p>
]]></description><link>https://undeads.com/forum/post/54789</link><guid isPermaLink="true">https://undeads.com/forum/post/54789</guid><dc:creator><![CDATA[bonk]]></dc:creator><pubDate>Sat, 09 May 2026 16:53:24 GMT</pubDate></item></channel></rss>