
Anthropic's Claude Found 22 Firefox Vulnerabilities in Two Weeks. Then It Tried to Exploit Them.

Claude Opus 4.6 found 14 high-severity Firefox bugs in two weeks, then wrote a crude exploit for one of them.

Oliver Senti, Senior AI Editor
March 8, 2026 · 6 min read

[Chart: Firefox security vulnerabilities by month, with a sharp spike in February 2026 when Claude Opus 4.6 discovered 22 CVEs]

Anthropic's Frontier Red Team pointed Claude Opus 4.6 at the Firefox codebase in January 2026 and, over two weeks, the model identified 22 security vulnerabilities that had somehow survived decades of expert review, continuous fuzzing, and open-source scrutiny. Mozilla assigned 14 of those as high-severity. That is roughly a fifth of all high-severity Firefox bugs remediated in the entirety of 2025, compressed into a two-week window.

The vulnerabilities have been patched in Firefox 148, which shipped on February 24. But the speed of discovery, and what Anthropic did next, tells a more complicated story than "AI finds bugs."

Twenty minutes to a use-after-free

Anthropic's technical writeup describes the process. The team started by having Opus 4.6 reproduce known historical CVEs in older Firefox versions to see if it could identify bugs that took human researchers considerable effort to find. It could. But the possibility that those CVEs were in the model's training data made the results hard to trust.

So they pointed it at the current codebase. After just twenty minutes of exploration, Claude flagged a use-after-free vulnerability in Firefox's JavaScript engine, a memory flaw in which freed memory is still referenced, so an attacker who can reallocate that memory may get malicious content into a place the engine still trusts. Three separate Anthropic researchers validated the bug independently before filing it in Bugzilla.

By the time they finished validating that first bug, Claude had already found fifty more unique crashing inputs.

That pace is what caught Mozilla's attention. Brian Grinstead, a senior principal engineer at Mozilla, told Axios the organization essentially treated the incoming reports as an incident response. Over a hundred bug reports in bulk, triaged across multiple engineering teams.

"This is a large influx," Grinstead said. "We did mobilize as sort of an incident response to get the 100+ bugs that were filed, triaged and most of them fixed."

112 unique reports in total. Nearly 6,000 C++ files scanned. Beyond the 22 CVEs, roughly 90 additional non-security bugs surfaced, including logic errors that Mozilla's own fuzzers had never caught.

The exploit question

Finding bugs is one thing. What Anthropic did next is the part that should make people uncomfortable, or at least attentive.

They gave Claude access to the vulnerabilities it had discovered and asked it to write working exploits. Specifically, the model needed to demonstrate file read and write access on a target system through a stripped-down version of Firefox's JavaScript shell. Several hundred attempts. About $4,000 in API credits. And Claude managed to produce a functional exploit in exactly two cases.

Two out of several hundred is a low success rate, and Anthropic is careful to frame it that way. The exploit writeup on their red team blog details one of these, CVE-2026-2796, a type confusion bug in the WebAssembly module import path. The exploit only worked in a testing environment with the browser sandbox deliberately disabled. Firefox's defense-in-depth architecture, the sandbox especially, would have mitigated these attacks in practice.

But "Claude can occasionally write a crude browser exploit" is a sentence that didn't exist a year ago. And crude exploits have a way of getting less crude over time.

What the asymmetry means

The cost breakdown is worth sitting with. Finding 22 CVEs: two weeks and whatever compute Anthropic's red team burned through. Turning those CVEs into exploits: $4,000 in API credits and a 2-out-of-several-hundred success rate. The gap between finding and exploiting is enormous right now. Anthropic frames this as good news for defenders, and I think they're right, for the moment.

Logan Graham, head of Anthropic's Frontier Red Team, described the urgency in an Axios interview: the models are good at this, and he expects them to get much better. The trajectory is what matters. In late 2025, Opus 4.5 was close to solving all tasks in CyberGym, a benchmark for reproducing known vulnerabilities. Opus 4.6 blew past that and started finding novel ones.

And it is not just Firefox. Anthropic disclosed in early February that Opus 4.6 had found over 500 zero-day vulnerabilities across open-source projects, including the Linux kernel and libraries like Ghostscript and OpenSC. No custom scaffolding, no specialized prompting. The model just reasoned about the code.

The fix pipeline is the real problem

Mozilla handled this well. They pulled in engineers, triaged fast, shipped patches in Firefox 148. But Mozilla has resources. Grinstead noted that exploiting any single vulnerability would have required chaining it with others. The browser's layered defenses held.

Not every open-source project has that luxury. Martin Alderson, an independent security researcher, made this point in a blog post shortly after Anthropic's February disclosure: the scary problem is not maintained software where patches get shipped, it is the enormous long tail of abandoned projects that nobody will ever fix. He tested Claude against an unmaintained PHP application and found critical, directly exploitable vulnerabilities within the time it took to make a coffee.

Snyk's Peter McKay made a related observation after Anthropic launched Claude Code Security on February 20. Finding vulnerabilities was never the hard part. The hard part is fixing them. Mean time to remediate balloons from hours to months. And with AI-assisted coding driving a 20% increase in pull requests per author (per Cortex's 2026 Engineering Benchmark), the backlog is growing faster than the industry can patch.

There is a painful irony buried in Snyk's own data: AI-generated code is 2.74 times more likely to introduce XSS vulnerabilities than human-written code. So we have models that can find 500 zero-days in production code while simultaneously producing new vulnerable code at scale. I'm not sure what to make of that yet.

Market panic, briefly

When Anthropic launched Claude Code Security, cybersecurity stocks cratered. CrowdStrike fell 8%, Cloudflare dropped 8.1%, and the Global X Cybersecurity ETF hit its lowest level since November 2023. CrowdStrike CEO George Kurtz publicly asked Claude whether it could replace his company's product. Claude said no.

The Register's assessment seems closer to the mark: Claude Code Security is useful but it is not sufficient, and humans are still required. The tool is available as a limited research preview for Enterprise and Team customers, with free access for open-source maintainers. It is not replacing your security team. Not this year, anyway.

What comes next

Anthropic says it has begun integrating real-time detection probes to identify and block attempts to misuse Claude's vulnerability-finding capabilities, which they acknowledge will create friction for legitimate security research. Mozilla's engineers have started experimenting with Claude internally. And Anthropic has published coordinated disclosure principles for working with maintainers.

The FTC and regulatory bodies have not weighed in on AI-powered vulnerability discovery yet, and the legal framework around responsible disclosure of AI-found bugs is, to put it politely, underdeveloped. Anthropic is following standard industry norms for now but has said it may need to adjust as models improve.

Firefox 149 is scheduled for March 24. The remaining bugs from Anthropic's batch will be fixed in upcoming releases. And somewhere, Opus 4.6 is probably already scanning something else.

Tags: anthropic, mozilla, firefox, cybersecurity, ai-security, vulnerability-research, claude-opus, zero-day, open-source-security

Oliver Senti, Senior AI Editor

Former software engineer turned tech writer, Oliver has spent the last five years tracking the AI landscape. He brings a practitioner's eye to the hype cycles and genuine innovations defining the field, helping readers separate signal from noise.
