For decades, attackers have had the advantage in cybersecurity. Artificial intelligence may be about to change that.
The results highlight how advanced AI systems can analyze large codebases and locate weaknesses that previously required extensive manual review by human cybersecurity researchers.
“As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus,” Mozilla wrote. “For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”
Mozilla had earlier tested another Anthropic model that identified 22 security-sensitive bugs in a previous Firefox release. Despite these successes, Mozilla acknowledged that the cybersecurity industry has long treated the complete elimination of software exploits as an “unrealistic goal.”
“Until now, the industry has largely fought security to a draw,” the company wrote. “Vendors of critical internet-exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe.”
Mozilla said the new AI system can analyze source code and identify vulnerabilities in ways that previously depended on scarce human expertise. However, Mozilla said the company was encouraged to see that no bugs were found that couldn't have been discovered by "an elite human researcher."
"Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so," they said. "Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex."
The results, however, suggest AI tools could allow developers to uncover large numbers of vulnerabilities before attackers exploit them, though in the wrong hands the same tools could spell big trouble for software firms and users alike.
Testing conducted before the model’s release showed it could identify thousands of previously unknown vulnerabilities across major operating systems and web browsers.
However, the same technology could also enable new forms of cyberattacks. Security researchers say AI systems capable of analyzing code at scale could automate the discovery of exploitable vulnerabilities across widely used software.
Mozilla said the results point to a potential shift in cybersecurity, where defenders may begin to erase the long-standing advantage attackers have held.
“We are extremely proud of how our team rose to meet this challenge, and others will too,” Mozilla wrote. “Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively.”
Mozilla did not immediately respond to Decrypt's request for comment.