Claude Mythos Security: 271 Firefox Bugs Confirmed, NSA Breach Story Disputed
Source: TechTimes

A screen displays the logo of the open-source web browser Firefox on July 31, 2009, in London, as the software edges towards its billionth download within the next twenty-four hours. First released in 2004, the browser currently holds around 31 % of the market share, with Microsoft's Internet Explorer dominating the field with 60 %. LEON NEAL/Getty Images

When Anthropic's AI model Claude Mythos was pointed at Firefox's source code earlier this year, engineers at Mozilla watched in something close to vertigo as it surfaced 271 confirmed security vulnerabilities in a single evaluation pass — flaws that had survived years of human-led review, some for two decades. When a quote about Mythos and the National Security Agency's classified systems went viral on social media three days ago, it set off a wave of "NSA confirms breach" headlines that the journalist who published the quote has since publicly walked back.

These two stories are about the same underlying technology. The gap between how well-evidenced they are tells you nearly everything about how AI capability claims travel — and why that gap matters right now, with Anthropic's most powerful models still offline under a US export control order and Congress demanding an explanation from the Commerce Department by June 26.

How Agentic AI Broke the Attacker's Cost Advantage

For decades, software security has run on a brutal asymmetry. Defenders must find and patch every vulnerability in a codebase. Attackers need to find only one. Zero-day flaws remain exploitable for years on average before they are patched — giving attackers time to weaponize a single finding while defenders race to close an enormous surface. Those economics have historically favored the offense.

The agentic pipeline Mozilla built with Mythos describes a different model. Mozilla's security engineers began experimenting with earlier AI models — GPT-4 and Claude Sonnet 3.5 — for static code analysis, but the high rate of false positives made those tools impractical to scale. What changed the picture was not a more capable model alone, but a new class of system: an agentic harness that does not merely flag suspicious code but actively confirms whether a bug can be triggered.

The pipeline works in four steps: Mythos is placed inside an isolated container with Firefox's source code loaded. The model forms hypotheses about where vulnerabilities might live. It generates reproducible proof-of-concept test cases and executes them dynamically against a running instance of the browser. A bug is only reported if the model can confirm it through execution. That fourth step — active verification rather than static suggestion — is the architectural shift that made scaling feasible. False positives, the chronic problem that had previously made AI-assisted security review impractical, are filtered out before a human ever sees the report.

Mozilla built this harness atop its existing fuzzing infrastructure and parallelized the jobs across multiple ephemeral virtual machines, each assigned to hunt for bugs within a specific target file and writing findings back to a shared bucket. The engineering team integrated the full security bug lifecycle into the system: deduplication against known issues, triage, patch tracking, and release management. More than 100 contributors worked to review, test, and ship the resulting patches.

Mozilla's technical writeup from engineers Brian Grinstead, Christian Holler, and Frederik Braun describes the verification loop in full and names the specific bugs found.

What 271 Vulnerabilities Actually Means

Firefox 150, released April 21, 2026, included fixes for 271 security vulnerabilities that Mythos identified in a single evaluation pass. Mozilla rated 180 of them sec-high — meaning exploitable by a user simply visiting a malicious webpage — and 80 as sec-moderate. The distinction matters: sec-high and sec-critical are the two categories that qualify as genuine emergencies requiring immediate action. The majority of the Mythos findings cleared that bar.

The total patched that month was 423 vulnerabilities, roughly 20 times Mozilla's monthly average of about 21 in 2025. Three of the 271 received standalone CVE designations directly credited to Anthropic: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758. The remaining 268 were consolidated into three internal security rollups under CVE-2026-6784, CVE-2026-6785, and CVE-2026-6786, consistent with Mozilla's standard practice for internally discovered issues.

Among the publicly disclosed sample of bugs: a 15-year-old flaw in the HTML legend element triggered by meticulous orchestration of edge cases across distant parts of the browser, a 20-year-old vulnerability in Firefox's XSLT engine, and a race condition over an inter-process communication boundary that allowed a compromised content process to manipulate database reference counts and trigger a use-after-free — a class of memory-corruption bug that can enable sandbox escape and, ultimately, full browser compromise.

Firefox CTO Bobby Holley described the experience of seeing those findings arrive as giving the security team "vertigo." His conclusion in Mozilla's post-mortem was pointed: software like Firefox is modular enough that its defects are, in principle, finite — and the team was "entering a world where we can finally find them all."

The collaboration had started smaller. In January 2026, Anthropic and Mozilla ran a preliminary two-week scan using Claude Opus 4.6, then publicly available, against nearly 6,000 C++ files across Firefox's codebase. That pass produced 22 confirmed security-sensitive bugs — almost a fifth of all high-severity Firefox vulnerabilities patched in all of 2025. Those results were what earned Mozilla early access to Mythos through Project Glasswing, Anthropic's controlled-access cybersecurity program. When Mythos replaced Opus 4.6 in the same pipeline, it found more than 12 times as many vulnerabilities.

Mozilla is not the only organization to have documented results at this scale. In its May 2026 Glasswing update, Anthropic reported that Cloudflare found 2,000 vulnerabilities across its critical-path systems — 400 rated high or critical severity — with a false-positive rate the Cloudflare team considered better than human testers. Across Glasswing's roughly 50 partner organizations in the program's first month, more than 10,000 high- or critical-severity vulnerabilities were identified. Six independent security research firms validated a sample of 1,752 high- or critical-severity findings from Anthropic's open-source scan work and confirmed a 90% true-positive rate.

The AI Security Institute (AISI) in the United Kingdom provided an independent quantitative benchmark. In an evaluation published April 13, 2026, AISI confirmed that Mythos was the first AI model to complete a 32-step corporate network attack simulation from start to finish — a workflow the Institute estimates takes a human expert roughly 20 hours. Mythos completed it on three of ten attempts. AISI was explicit about the limits of that finding: its test range lacked active defenders and real-time detection systems, meaning the result established that Mythos can autonomously attack weakly defended simulated networks — not that it can reliably breach hardened enterprise infrastructure.

The NSA Claim: What a Senate Hearing Actually Said

The statement that went viral beginning June 21 originated at a Senate Intelligence Committee hearing on June 11. Sen. Mark Warner, the committee's vice chair, told his colleagues that Gen. Joshua Rudd — who leads both the National Security Agency and US Cyber Command — had relayed to him that Mythos had broken into "almost all of our classified systems, not in weeks, but in hours."

The Economist published that quote in a June 14 piece on export controls and AI safety. The article went largely unnoticed for a week. On June 21, a single social media post amplified the sentence — stripped of context — under framings like "NSA confirms AI breach." The phrase spread across prediction markets and tech forums.

Shashank Joshi, The Economist's defense editor who wrote the piece, responded within 24 hours. He said reading the quote literally would be a mistake, and that the capability described depended on Mythos working alongside other tools in specific conditions. The picture that was circulating, he indicated, was not what the article had intended to convey.

The evidentiary situation remains narrow. The only primary source for the specific claim is Sen. Warner relaying what Gen. Rudd told him in a private briefing — a single piece of secondhand testimony in a hearing context where Warner was explicitly arguing for mandatory pre-release government safety testing of frontier AI models, not warning of a hostile breach. The NSA has issued no statement. No Cybersecurity and Infrastructure Security Agency bulletin exists. No independent incident report has been published.

Security researchers were quick to identify technical difficulties with the literal interpretation. NSA systems operate across multiple classification levels, including large numbers of physically isolated machines that are disconnected from any network by design. Lateral movement onto such systems is, by construction, not possible through remote network access alone; it requires a human to physically carry a payload across the air gap. The more credible reading of the Rudd account — consistent with what several analysts and at least one separate reporting outlet described as an authorized red-team exercise — is that the NSA used Mythos to probe its own systems for vulnerabilities, exactly as Mozilla did with Firefox. That is what red-teaming means. It is defensive security work conducted with authorization, not hostile intrusion.

That context is not a trivial distinction. When Mozilla red-teamed Firefox, the result was 271 patches. When the NSA red-teamed its own infrastructure using Mythos, if Rudd's account is accurate, the result would be a classified inventory of vulnerabilities — and, presumably, a remediation program. Neither constitutes a breach suffered.

Why Fable 5 and Mythos 5 Are Still Offline

The broader context that makes this story particularly live today: as of June 24, 2026, Anthropic's two most powerful models — Fable 5 and Mythos 5 — remain offline globally.

On June 12, the US Department of Commerce issued an export control directive instructing Anthropic to suspend all access to both models by any foreign national, including the company's own non-citizen employees. Unable to filter users by nationality in real time at commercial API scale, Anthropic disabled both models for all users worldwide within hours of receiving the order. The directive cited national security authorities but did not provide specific technical details. In its published response, Anthropic disputed the government's characterization, saying the jailbreak cited as the trigger was narrow, non-universal, and capable of being replicated using other publicly available models not subject to similar controls.

This marked the first time US export control authorities have been applied to a commercially deployed AI model. Anthropic is separately challenging a Pentagon "supply chain risk" designation — issued earlier this year after the company refused contract terms that would have permitted its models to be used for mass surveillance and fully autonomous weapons systems — in federal court. The two disputes are legally separate but politically entangled.

Four bipartisan members of Congress sent a formal letter to Commerce Secretary Howard Lutnick on June 18 demanding a written explanation of the Fable 5 and Mythos 5 controls. The deadline for that response is June 26.

What the Evidence Standard Actually Requires

The Mozilla case is a model for how documented AI capability closes the evidentiary gap. It has bug IDs with public links, CVE numbers formally credited in Mozilla's advisory database, a detailed technical post from Mozilla's own engineers naming the specific bugs found, and an independently verifiable track record from multiple Glasswing partner organizations.

The NSA claim, in its current form, has one sentence, relayed through two speakers, in a political context where the speaker was explicitly advocating for AI safety regulation rather than alleging a hostile event — and the journalist who reported it has since walked back the literal reading.

That is not an argument about whether Mythos is capable of offensive operations. The AISI evaluation establishes that it can execute multi-stage attacks autonomously against weakly defended simulated networks. Anthropic has disclosed that Mythos autonomously constructed a working exploit for a 27-year-old signed integer overflow in OpenBSD's TCP stack, among thousands of other findings. The offensive capability is real and documented at scale.

What is not documented is a hostile, unauthorized breach of NSA classified systems. Those are different claims, and the evidence for each is not interchangeable.


Frequently Asked Questions

Did Claude Mythos hack the NSA?

No evidence confirms an unauthorized breach. The claim originates with Sen. Mark Warner relaying what NSA Director Gen. Joshua Rudd told him in a private briefing: that Mythos, during what multiple reports describe as an authorized internal red-team exercise, had accessed nearly all of the NSA's classified systems. That is a controlled defensive security test, not a hostile intrusion. The Economist's defense editor, who first published the quote, said it should not be read literally, and no government agency has issued an incident report or confirmed the breach framing.

What Firefox security vulnerabilities did Claude Mythos find?

In April 2026, Mythos identified 271 previously unknown vulnerabilities in Firefox during a single evaluation pass. Mozilla rated 180 as sec-high — exploitable by visiting a malicious webpage — and 80 as sec-moderate. The bugs included a 15-year-old flaw in the HTML legend element and a 20-year-old vulnerability in Firefox's XSLT engine. Three received standalone CVE designations credited to Anthropic. All were patched in Firefox 150 and subsequent releases.

Why are Fable 5 and Mythos 5 currently unavailable?

On June 12, 2026, the US Commerce Department issued an export control directive requiring Anthropic to suspend access to both models for all foreign nationals, including Anthropic's own non-citizen staff. Unable to filter users by nationality at scale, Anthropic disabled both models for all users globally. The models remain offline as of June 24. A congressional deadline for the Commerce Department to explain the controls falls on June 26.

How does the agentic AI vulnerability pipeline actually work?

The pipeline places an AI model inside an isolated container alongside a target codebase. The model forms hypotheses about where bugs might exist, generates proof-of-concept test cases, and executes them against a running instance of the software to confirm or rule out each finding before reporting it. That dynamic verification step — which earlier static-analysis AI tools lacked — filters out false positives before a human sees them, making the system practical to deploy at scale. Mozilla built its harness atop its existing fuzzing infrastructure and parallelized it across multiple virtual machines, each assigned to a specific target file.
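The verification gate and deduplication step described in the body of the article and in this FAQ answer, reduced to a runnable sketch. This is an added illustration, not Mozilla's or Anthropic's code; the `Candidate` type, `verify_candidates`, the constructed `toy_target` stand-in for the instrumented browser build, and the sample candidates are all hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Candidate:
    target_file: str  # file the worker VM was assigned to hunt in
    hypothesis: str   # the model's claim about where the bug lives
    poc: bytes        # proof-of-concept input the model generated


def toy_target(data: bytes) -> None:
    """Constructed stand-in for the running build under test. In the real
    pipeline this is Firefox inside an ephemeral VM; here one malformed
    input shape crashes and everything else is handled cleanly."""
    if data.startswith(b"<legend") and len(data) > 8:
        raise MemoryError("heap-use-after-free in legend handling")


def crash_signature(exc: BaseException) -> str:
    """Stable dedup key for a crash: the role stack-trace bucketing plays
    in a fuzzing setup, reduced to a hash of type and message."""
    return hashlib.sha256(f"{type(exc).__name__}:{exc}".encode()).hexdigest()[:16]


def verify_candidates(cands, known, runner=toy_target):
    """Execute every PoC; a hypothesis that does not reproduce is dropped
    before a human sees it, and a crash already in `known` is a duplicate.
    Returns (confirmed, rejected, duplicates)."""
    confirmed, rejected, duplicates = [], [], []
    seen = set(known)
    for c in cands:
        try:
            runner(c.poc)
        except Exception as exc:          # the PoC really triggered something
            sig = crash_signature(exc)
            (duplicates if sig in seen else confirmed).append((c, sig))
            seen.add(sig)
        else:                             # static-looking bug, no reproduction
            rejected.append(c)
    return confirmed, rejected, duplicates


# Constructed sample: one real reproduction, one rediscovery of the same
# crash via a different input, one plausible but unreproducible hypothesis.
CANDIDATES = [
    Candidate("legend.cpp", "UAF when legend is reparented", b"<legend><fieldset>"),
    Candidate("legend.cpp", "UAF via nested legend", b"<legend id=x></legend>"),
    Candidate("xslt.cpp", "stale node pointer in XSLT apply", b"<xsl:stylesheet/>"),
]


def run_demo(known=()):
    return verify_candidates(CANDIDATES, known)
```

Feeding the confirmed signatures back in as `known` on a later run turns them into duplicates, which is the deduplication-against-known-issues step the article describes.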