Agentic code auditing: what the Firefox Claude Mythos disclosure tells procurement about CI-time defaults

Bottom line. Mozilla’s Firefox 150 release (November 2025) shipped fixes for 271 vulnerabilities surfaced through the Claude Mythos Preview pipeline; ~180 sec-high, ~80 sec-moderate. The headline fact (“AI found 271 bugs”) is true but is not the procurement-relevant change. The procurement-relevant change is that the agentic-verification step (the agent builds and runs its own test cases to triage suspected bugs before reporting) cleared the false-positive wall that blocked earlier read-only GPT-4 / Claude Sonnet 3.5 attempts from production CI. Mozilla CTO’s calibration: elite-human-quality discovery at machine throughput, not superhuman discovery. CI-time agentic auditing becomes the default expectation for any shipping enterprise software in 2026. Three derived procurement questions follow, and one dual-use risk surfaces alongside the defensive disclosure (the reported Anthropic investigation of unauthorized Mythos use via a third-party vendor environment). Source: Mozilla Hacks and Schneier on Security coverage of the Firefox 150 release.

The November 2025 disclosure that Mozilla’s Firefox 150 release shipped fixes for 271 vulnerabilities surfaced through the Claude Mythos Preview pipeline (Mozilla Hacks, Schneier on Security) is the most-cited single data point on agentic AI code auditing as of late 2025. It is also widely misread.

The headline fact is real: Mozilla’s wider April release window addressed 423 security bugs in total, with the Mythos pipeline driving the surge above the historical baseline; the 271 figure is the share Mozilla attributes to the Mythos pipeline in the Firefox 150 release specifically. The misread is treating the 271 number as the procurement-relevant change. It is not. The procurement-relevant change is the methodology change that produced the number: the agentic-verification step cleared the false-positive wall that had blocked earlier read-only GPT-4 and Claude Sonnet 3.5 attempts from production CI integration.

This piece reads the disclosure at the procurement-deck level. Three propositions structure the analysis: what actually changed in the pipeline, how the methodology caveat on per-bug attribution affects the procurement read, and what the dual-use risk in the reported Anthropic investigation means for any enterprise evaluating an agentic-auditing CI pipeline in 2026.

What actually changed in the pipeline

Earlier AI-driven code auditing attempts had a recognised failure mode at scale: the false-positive rate was too high to triage in production. Read-only GPT-4 and Claude Sonnet 3.5 deployments in 2023-2024 produced findings that, if they had landed at a low false-positive rate, would have been operationally useful. They did not. Security teams reported per-finding triage cost that exceeded the engineering hours saved by automating the discovery layer, which negated the efficiency gain that made the integration attractive in the first place.

The Mythos pipeline architecture changes the loop, per Mozilla’s published methodology in the Mozilla Hacks blog post on the release. The agent does not just identify a suspected vulnerability and pass it to the human queue. The agent builds and runs its own test cases against the suspected bug, performs self-triage at the pipeline layer, and reports only what its own verification step confirms. The false-positive load that earlier architectures pushed to humans is now absorbed by the agent itself.

That is the procurement-relevant change. The threshold for production-CI integration is the false-positive rate the security team is willing to triage, not the absolute bug-discovery rate the model can achieve. A lower-discovery-rate pipeline with low false-positives is procurement-deployable; a higher-discovery-rate pipeline with high false-positives is not. Mythos crossed the threshold by changing the verification step, not by improving the discovery step.

The downstream consequence is straightforward. CI-time agentic auditing crosses from “experimental tool that costs more engineering time than it saves” to “default expectation for any shipping enterprise software product.” Vendors shipping software without an analogous agentic-auditing CI step in 2026 start to look procurement-vulnerable in the same way vendors without static analysis became procurement-vulnerable in 2015-2018. The bar moves; the procurement deck moves with it.

The methodology caveat on the 271 bugs

The Firefox 150 release notes individually credit only three bugs as “found with Claude”: two use-after-free vulnerabilities and one invalid-pointer-in-wasm finding. Of those three, public reporting via The Decoder indicates one is rated sec-high. That looks inconsistent with the 271 / 180 aggregate at first reading.

The reconciliation is a Mozilla disclosure convention. Mozilla bundles internally-found bugs into rollup CVEs (CVE-2026-6784, 6785, 6786 totalling 316 bugs across the three IDs) rather than crediting each individually at the public CVE level. The convention is well-documented in Mozilla’s security advisory archive and predates the Mythos pipeline; the per-bug attribution gap is a disclosure-convention artifact, not a credibility defect. The aggregate 271 / 180 figure sits inside Mozilla’s published methodology for disclosure and is methodologically defensible.

A counter-narrative is worth flagging. The flyingpenguin.com critique referenced in the Schneier comments argues that the “271 zero-days” framing in some secondary coverage overstates the strict-zero-day count. The strict zero-day definition requires the vulnerability to be undisclosed and unpatched at the moment of discovery; most of the 271 Mythos-surfaced bugs were Mozilla-internal discoveries that flowed through the standard release-and-fix cadence rather than being independently exploited before disclosure. Reading the disclosure as “agentic auditing surfaced 271 internally-discoverable security bugs at production-CI scale” is procurement-grade. Reading it as “agentic auditing found 271 zero-days” is procurement-noise.

The procurement-deck reading should anchor on the lower-precision-but-defensible aggregate, with the per-bug attribution gap and the strict-zero-day caveat both noted. Vendor pitches that surface the 271 number without either caveat are using the marketing version of the number; vendor pitches that surface the 271 number with both caveats are using the procurement version.

What the Mozilla CTO calibration tells procurement

The most useful procurement-grade calibration available on agentic-auditing capability as of late 2025 comes from Mozilla CTO’s framing in the SecurityWeek coverage: “We haven’t seen any bugs that couldn’t have been found by an elite human researcher. Some commentators predict future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so.”

The calibration distinguishes capability from throughput. The agent does not find bugs that humans cannot find. The agent finds bugs that humans rarely find, because humans rarely have the time, the focus, or the combinatorial-reasoning bandwidth to search the space at scale.

The 15-year-old use-after-free in the <legend> element that the Mythos pipeline surfaced is the canonical anchor for the throughput-not-capability distinction. The bug had survived a decade of fuzzing and manual code review because it required combinatorial reasoning across three independent behaviours: a specific HTML form-element interaction, a specific CSS layout state, and a specific event-handler ordering. Each behaviour was individually well-understood; the combination triggering the use-after-free required holding all three in mind simultaneously and reasoning about their interaction. Fuzzers cannot do that; humans rarely have time for it. The agent did.

The procurement implication is that the value proposition for CI-time agentic auditing is throughput-anchored, not capability-anchored. The deploying enterprise should expect the agent to find what an elite human researcher would have found if they had been allocated the time, on every bug, on every release. That is a meaningful expansion of the bug-discovery capacity at any organisation shipping software, but it is not a leap into a different capability class. Vendor pitches that frame agentic auditing as superhuman are misreading the calibration; vendor pitches that frame it as elite-human throughput at machine scale are reading the same calibration the Mozilla CTO published.

The dual-use risk: the Anthropic investigation

CSO Online reporting indicates Anthropic is investigating unauthorized use of the Mythos pipeline by a small group who reportedly gained access via a third-party vendor environment. The investigation is ongoing as of this writing; concrete details on scope, remediation, and conclusion are not yet public.

The dual-use risk is structural. The same pipeline architecture that surfaces bugs in the deploying organisation’s own codebase works in reverse on third-party codebases. An attacker with access to a procurement-grade Mythos-class pipeline can run it against any open-source or otherwise accessible target. The 15-year-old <legend> use-after-free that survived a decade of human review at Mozilla is the same kind of bug that survives a decade of human review at any other software organisation; an agentic-auditing pipeline does not care which side of the disclosure cycle it operates on.

This maps cleanly onto the AM-007 vendor-response-split framework. Cohort A vendors disclose the dual-use risk publicly, name the compensating-control posture, and commit to a response-SLA when the dual-use surface is exploited or near-misses are observed. Cohort B vendors classify the exposure as “intended functionality” of the agentic-auditing capability or do not disclose at all. Anthropic’s investigation, if it produces a public conclusion with concrete remediation, places Anthropic in Cohort A on this product class. The absence of a comparable investigation disclosure from a competitor shipping a parallel agentic-auditing pipeline would be a procurement signal in the opposite direction.

The procurement-deck consequence for any enterprise evaluating a procurement-grade agentic-auditing CI pipeline in 2026 is that the dual-use risk is part of the procurement decision, not a downstream HR or security-policy question. The deploying enterprise inherits the residual risk that an attacker with access to the same product class can run it against the deploying enterprise’s own codebase from outside; the contractual and operational compensating controls need to be specified at procurement, not negotiated after the first dual-use incident.

Three procurement-deck questions for any software-vendor procurement in 2026

The questions add to the AM-140 procurement-committee six pre-pilot questions and to the AM-007 cross-agent five. They focus specifically on agentic-auditing CI integration and the dual-use risk that flows from it.

1. Does the vendor’s CI pipeline include an agentic-auditing step at the same architectural shape as the Mythos pipeline (verification at the agent layer, not human triage of agent suggestions)? A vendor whose CI pipeline runs static analysis and traditional fuzzing but does not integrate agentic auditing at the verification-included shape is operating on the pre-2026 baseline. The procurement-deck consequence is not that the vendor is disqualified, but that the procuring enterprise inherits a known-unfixed-class of vulnerability surface (the combinatorial-reasoning bugs the <legend> use-after-free represents) that an analogous agentic-auditing pipeline would have surfaced.

2. What is the vendor’s disclosure posture when bugs are found in the vendor’s own product by agentic-auditing tools (their own or external researchers’)? The shape: does the vendor publish bug-discovery counts and severity distributions on a per-release basis (Mozilla pattern); does the vendor disclose the methodology of the agentic-auditing pipeline used; does the vendor commit to a response-SLA for newly-disclosed agent-surfaced bugs? The Cohort A vs Cohort B distinction from AM-007 applies. A vendor in Cohort B on this axis leaves the procuring enterprise inheriting the disclosure-gap as an audit-defense burden when a regulator or external researcher raises a question about the vendor’s product.

3. What is the vendor’s posture on the dual-use risk that the same pipeline architecture works in reverse? The Anthropic Mythos investigation is the canonical example, but the principle generalises to any vendor shipping agentic-auditing capability. Has the vendor specified the compensating controls the deploying enterprise should run on its own codebase to detect the dual-use exploitation surface? Does the vendor name the partnership posture with security-research firms running the same pipeline class? A vendor that has not addressed the dual-use surface in writing is asking the procuring enterprise to absorb the residual risk implicitly.

A software vendor that cannot answer all three in writing for the in-flight procurement is not procurement-disqualified per se; the procurement-decision shape changes. The residual risk lands on the deploying enterprise’s deployment-layer practice rather than on the vendor’s platform-layer commitment, and the procurement contract needs to absorb that asymmetry explicitly.

What the data implies for Q3-Q4 2026 software vendor procurement

Three operational moves follow from the Mythos disclosure at the cohort scale.

First, the named-success agentic-auditing CI cohort is currently small: Mozilla via the Mythos integration is the canonical case as of late 2025. The expectation through 2026 is that 5-10 major enterprise software vendors (Microsoft, Google, AWS, Salesforce, Adobe, ServiceNow, GitLab, GitHub, the Linux distribution maintainers) publish analogous disclosures naming their CI pipeline architecture and bug-discovery counts. Vendors that do not publish equivalent disclosures by end-2026 read as Cohort B on the agentic-auditing axis, regardless of whether they have integrated the capability internally.

Second, the dual-use disclosure cohort is currently very small: Anthropic’s reported investigation is the only public example of a major model provider acknowledging the dual-use surface of their own agentic-auditing tool as of this writing. The expectation through 2026 is that the parallel agentic-auditing tools from OpenAI, Google DeepMind, and Microsoft Security Response Center each face equivalent dual-use surface incidents and that the disclosure posture differentiates Cohort A from Cohort B vendors at the same shape AM-007 frames for the cross-agent class.

Third, the procuring-enterprise side of the agentic-auditing question becomes a discrete procurement-line in 2026 budgets. The CIO who has not allocated budget for either an internal agentic-auditing CI capability or a vendor-side commitment to that capability through procurement is operating on the 2024 baseline in 2026. The bar moves; the budget needs to move with it.

Holding-up note

The primary claim of this piece (that the Firefox Claude Mythos disclosure marks the operational shift from “AI can find bugs” to “agentic verification clears the false-positive wall,” that CI-time agentic auditing becomes the default expectation for any shipping enterprise software in 2026, and that three derived procurement-deck questions follow alongside one dual-use risk surfaced by the reported Anthropic investigation) is on a 60-day review cadence. Five kinds of evidence would move the verdict.

A major enterprise software vendor publishing an analogous CI-time agentic-auditing disclosure with named pipeline and named bug counts would extend the named-success cohort and either strengthen or qualify the “default expectation” framing depending on the disclosure shape. A published reproduction of the Mozilla pipeline by an independent third party (academic security team, security-research firm) would confirm or qualify the false-positive-wall-falls finding at the methodology level. A public disclosure by Anthropic concluding the unauthorized-Mythos-use investigation, with concrete remediation, would either strengthen the Cohort A framing or weaken it depending on the disclosure depth. The flyingpenguin.com strict-zero-day critique gaining traction in security-research literature would reframe the disclosure scope and potentially require updating the procurement-deck reading on the 271 figure. Regulatory action (EU AI Act post-market monitoring, US FTC, sectoral regulator) imposing mandatory agentic-auditing CI requirements on shipping software would substantively shift the procurement-deck weight from a vendor-discretionary capability to a regulated baseline requirement.

If any land, the Holding-up record for AM-147 captures what changed, dated. Original claim stays visible. Nothing is quietly removed.