AI Unearths 22 Firefox Flaws in Two Weeks, But Exploits Remain Costly to Craft

Anthropic's AI identified 22 Firefox vulnerabilities in two weeks, but exploit generation remained limited despite $4,000 in API costs. Mozilla validated AI-assisted security as a new tool.

Anthropic's AI found 22 Firefox flaws in two weeks, but crafting exploits proved costly and limited.

The AI model, Claude Opus 4.6, identified 14 high-severity, 7 moderate-severity, and 1 low-severity vulnerability in January 2026. Mozilla resolved 14 of these in Firefox 148, with the remaining fixes pending.

The system scanned 6,000 C++ files and submitted 112 unique reports, with 22 confirmed as valid vulnerabilities. Despite this, exploit generation attempts cost $4,000 per vulnerability but succeeded in only 2 cases.

"Almost a fifth" of 2025's high-severity Firefox patches were attributed to this AI, according to Mozilla. Identifying vulnerabilities remains cheaper than creating exploits, as noted by Anthropic researchers.

A specific example, CVE-2026-2796 (CVSS 9.8), involved JIT miscompilation in WebAssembly. Mozilla confirmed AI-assisted discovery of 90 additional bugs beyond the 22 reported.

"Large-scale, AI-assisted analysis is a powerful new addition to security engineers' toolbox," said Mozilla in validating the approach.

Anthropic cautioned that while AI can "automatically develop a crude browser exploit... even if only in a few cases," the feasibility of exploit generation remains limited.

Source: Anthropic | Mozilla