Mozilla Let Claude Loose on Firefox — Here’s What Happened

Claude just completed one of the most consequential AI-driven security audits in open-source history. According to TechCrunch AI, Anthropic’s Claude Opus 4.6 identified 22 vulnerabilities in Firefox over a two-week security engagement with Mozilla, 14 of them classified as high-severity.

That’s a striking result for a codebase Mozilla has spent decades hardening. Anthropic’s team specifically chose Firefox because, as TechCrunch AI reports, it’s “both a complex codebase and one of the most well-tested and secure open-source projects in the world.” If Claude could find holes here, the implications for less battle-tested software are significant.

How the Audit Unfolded

The team didn’t throw Claude at the entire browser at once. The process was methodical:

  • Week one: Claude focused on the JavaScript engine, historically a rich target for browser exploits
  • Week two: The scope expanded to other portions of the codebase
  • Output: 22 vulnerabilities total, most already patched in Firefox 148 (the February 2026 release), with a few fixes deferred to the next release

This kind of structured, incremental approach mirrors how experienced human security researchers work, which is exactly why the results are credible.

The Exploit Gap

What stands out here is a meaningful distinction between finding vulnerabilities and weaponizing them. Claude proved far more capable at discovery than at exploitation. Anthropic’s team spent $4,000 in API credits trying to build proof-of-concept exploits; they succeeded in only two cases.

This is actually reassuring for the security community. The asymmetry suggests that while AI dramatically lowers the cost of vulnerability discovery, writing reliable exploits remains genuinely hard, even for frontier models. For now, defenders appear to benefit more from this technology than attackers.

Why This Matters

Security audits are expensive, slow, and bottlenecked by human expertise. Most open-source projects can’t afford professional penetration testing. This engagement demonstrates that AI tools can run continuous, scalable security analysis against critical infrastructure at a fraction of traditional costs.

The flip side, already well-documented: AI also turbocharged the volume of low-quality pull requests flooding open-source maintainers. Useful signal, noisier channel.

For security teams, the immediate takeaway is practical. AI-assisted auditing isn’t a future capability; it’s available now, it works, and it found 14 high-severity bugs in one of the most scrutinized browsers on the planet. Organizations protecting complex codebases should treat this as a baseline, not a novelty.

More details are available at TechCrunch AI’s full coverage of the Anthropic-Mozilla partnership.
