The National Cyber Security Centre has issued a stark warning to British organisations as Mozilla recently announced it fixed 271 vulnerabilities in the Firefox browser, with these vulnerabilities discovered using Claude Mythos, an advanced AI model from Anthropic. This represents a dramatic increase from 22 vulnerabilities found by the previous iteration of Claude, signalling a new era in cybersecurity where artificial intelligence is uncovering security flaws at an unprecedented rate.
The revelation comes as the UK security minister Dan Jarvis disclosed that the NCSC handled more than 200 nationally significant incidents last year, more than double the year before. These statements were made at the CyberUK conference in the Scottish city of Glasgow, where senior officials gathered to discuss the mounting challenges facing British cybersecurity infrastructure.
AI-Powered Vulnerability Discovery Reshapes Threat Landscape
The AI Security Institute conducted evaluations of Anthropic’s Claude Mythos Preview and found that Mythos Preview represents a step up over previous frontier models in a landscape where cyber performance was already rapidly improving. The testing revealed capabilities that would have been unimaginable just two years ago. Two years ago, the best available models could barely complete beginner-level cyber tasks, but now Mythos Preview can execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously, completing tasks that would take human professionals days of work.
This technological leap presents a dual challenge for cybersecurity professionals. While AI models can help defenders identify and patch vulnerabilities more quickly, the same technology can potentially be exploited by malicious actors. Testing shows that Mythos Preview can exploit systems with weak security posture, and it is likely that more models with these capabilities will be developed.
Organizations Must Prioritize Patching Strategies
For the majority of users, the web browser is where most of the external attack surface exists, and Mozilla announced that it fixed 271 vulnerabilities in the Firefox browser found using Claude Mythos. This massive increase in discovered vulnerabilities means that IT departments across the UK will face an enormous workload managing security updates.
Critical flaws under active exploitation, especially those affecting external-facing systems, will need to have their update schedules brought forward. Security experts emphasize that patching alone will not address the systemic cyber security problems faced by the overwhelming majority of organisations. Instead, a more comprehensive approach is required.
Beyond Patching: Fundamental Security Improvements Needed
The NCSC renewed its appeal to technology firms to ensure systemic technical debt is minimised through memory safety and containment technologies where appropriate. This call represents recognition that the sheer volume of vulnerabilities being discovered by AI systems means organisations cannot simply patch their way to security.
At end-user organisations, CISOs should keep focus on the fundamentals of cyber security to improve their overall resilience and reduce the impact of breaches through whatever means they originate, whether that be through a vulnerable product or something else. This includes implementing robust access controls, security configuration, and comprehensive logging systems.
Emerging Technologies Offer Defensive Options
Technology such as remote browser isolation can move the attack surface off the user’s endpoint, minimising the damage if a user is exposed before their browser is patched. This approach acknowledges that in an environment where hundreds of new vulnerabilities can be discovered in a single application, there will inevitably be windows of exposure between discovery and patching.
The testing highlights the importance of cybersecurity basics such as regular application of security updates, robust access controls, security configuration, and comprehensive logging, while the NCSC runs the Cyber Essentials scheme to help organisations protect themselves against common online threats, whether those threats are AI assisted or not.
Dual-Use Nature of AI Cyber Capabilities
AI cyber capabilities are dual use, and while they pose security challenges, they can also help deliver game-changing improvements in defence, with the AISI and NCSC recently releasing a joint blog post on how cyber defenders can both harness and prepare for frontier AI. This balanced perspective suggests that organisations should view AI-powered vulnerability discovery as both a threat and an opportunity.
Future frontier models will be more capable still, so investment now in cyber defence is vital. The message from the NCSC is clear: British organisations must prepare for an ongoing surge in vulnerability disclosures and ensure they have the processes, technologies, and expertise to manage this new reality effectively. The era of AI-accelerated vulnerability discovery has arrived, and those who fail to adapt risk leaving their systems exposed to increasingly sophisticated threats.