Vincent Everts

Firefox is one of the most fuzzed, audited, and reviewed codebases on the planet. Decades of continuous security testing. Claude found bugs that survived all of it in twenty minutes. 22 CVEs in two weeks. 14 high-severity. More than any single month in 2025. Mozilla had to mobilize incident response teams to triage 100+ bug reports filed in bulk from a single AI. The cost to find all of this? Roughly $4,000 in API credits. That's why cybersecurity stocks lost $15B+ before this blog post even dropped. Claude Code Security launched as a "limited research preview" two weeks ago and CrowdStrike shed 18%. Palo Alto fell 9%. The Global X Cybersecurity ETF hit its lowest since November 2023. But the chart above isn't the scary part. The scary part is what Anthropic buried deeper in the research. They gave Claude hundreds of attempts to exploit the same bugs it found. It built working browser exploits in two cases. Crude ones, only functional in test environments with the sandbox removed. Six months ago, the previous model couldn't do this at all. Anthropic's own benchmarks show these capabilities doubling every 4-6 months. Anthropic's closing line says everything: "It is unlikely that the gap between vulnerability discovery and exploitation abilities will last very long." When the company building the model tells you the defender advantage has an expiration date, believe them.