When AI Finds Vulnerabilities: What Changes for Cybersecurity and Compliance

The collaboration between Anthropic and Mozilla revealed something more than a simple technical experiment. Using an AI model to analyze Firefox's code, 22 real vulnerabilities were identified in about two weeks, of which 14 were classified as high severity. The result is not just a breakthrough in software security research. It's a signal of structural change in how vulnerabilities and technological risks can be detected.
For many years, cybersecurity has relied on a relatively stable model: periodic audits, scheduled penetration tests, manual code reviews, and configuration analysis. This approach works when systems evolve slowly. Today, however, software changes continuously, infrastructures are distributed, and code is updated almost constantly. Human capacity to analyze every change doesn't scale with development speed.
The experiment conducted on Firefox's code suggests a different paradigm: continuous automated analysis supported by AI models.
1. Vulnerability Discovery Pipeline
During the experiment, the model generated over one hundred reports of potential bugs. Only a portion of these were classified as actual security vulnerabilities.
This type of pipeline is typical of automated analysis systems: AI generates a high number of possible anomalies, and human experts intervene to verify, classify, and prioritize the results.
2. Compression of Discovery Time
One of the most significant aspects concerns the speed at which vulnerabilities were identified.
(Chart: time from analysis start)
In many industrial contexts, discovering vulnerabilities requires weeks or months of manual auditing. AI-based automation drastically reduces this interval.
3. Comparison with Annual Vulnerability Cycle
The number of high-severity vulnerabilities found by AI represents about 20% of all those fixed in Firefox during 2025.
(Chart: high severity vulnerabilities)
The comparison doesn't demonstrate that AI will replace security researchers. It shows instead that it can multiply analysis capacity.
Implications for Cybersecurity and Compliance
This technological change has direct implications for the compliance world as well. European regulations like NIS2, DORA, and the AI Act increasingly require that technological risks be identified and managed continuously. It's no longer sufficient to demonstrate that a policy or procedure exists: it's necessary to prove the system is effectively monitored.
Automated code and infrastructure analysis tools can produce verifiable technical evidence: vulnerabilities identified, remediation times, controls implemented, and anomalies detected. This information can become part of the documentation required during audits and certifications.
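The two points above (the discovery pipeline of section 1, where the model produces many candidate reports and humans verify, classify and prioritize them, and the audit evidence that such a pipeline can emit) can be made concrete in code. The following is an added example written for this article; it is not code from the Anthropic and Mozilla work or from Mozilla's tooling. The finding fields, the status names, the severity scale and all sample reports are constructed assumptions. It dedupes repeated reports, orders the reviewer queue, records human verdicts (including a severity downgrade and a rejected false positive) and then produces the kind of summary an auditor would ask for: false-positive rate, confirmed findings by severity, and mean time to remediate.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Severity ranking used to order the reviewer queue (assumed scale, not Mozilla's).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    """One model-generated report. Fields and state names are assumptions for this example."""
    id: str
    component: str                  # file or module the model flagged
    sink: str                       # dangerous operation it pointed at (memcpy, strcpy, ...)
    severity: str                   # model's proposed severity; a reviewer may revise it
    confidence: float               # model's self-reported confidence, 0..1
    reported_at: datetime
    status: str = "reported"        # reported -> verified | rejected; verified -> fixed
    verified_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None


def dedupe(findings):
    """Collapse reports naming the same component and sink, keeping the most confident one.
    Automated scanners tend to re-report a single root cause several times."""
    best = {}
    for f in findings:
        key = (f.component, f.sink)
        if key not in best or f.confidence > best[key].confidence:
            best[key] = f
    return list(best.values())


def review_queue(findings):
    """Unverified findings ordered for a human reviewer: highest proposed severity first,
    then highest confidence, so scarce reviewer time goes to the worst candidates."""
    pending = [f for f in findings if f.status == "reported"]
    return sorted(pending, key=lambda f: (SEVERITY_RANK.get(f.severity, 0), f.confidence),
                  reverse=True)


def verify(f, is_real, when, confirmed_severity=None):
    """Record the reviewer's verdict; the reviewer may override the model's severity."""
    f.verified_at = when
    if is_real:
        f.status = "verified"
        if confirmed_severity:
            f.severity = confirmed_severity
    else:
        f.status = "rejected"
    return f


def mark_fixed(f, when):
    """Only a human-verified finding can be closed as fixed; rejected ones never reach here."""
    if f.status != "verified":
        raise ValueError(f"{f.id} is {f.status}, not verified")
    f.status = "fixed"
    f.fixed_at = when
    return f


def evidence_report(findings):
    """Audit-style summary: how much the model produced, how much humans confirmed,
    and how quickly confirmed issues were remediated."""
    confirmed = [f for f in findings if f.status in ("verified", "fixed")]
    rejected = [f for f in findings if f.status == "rejected"]
    fixed = [f for f in findings if f.status == "fixed"]
    reviewed = len(confirmed) + len(rejected)
    ttr_days = [(f.fixed_at - f.reported_at).total_seconds() / 86400 for f in fixed]
    return {
        "reports_total": len(findings),
        "reviewed": reviewed,
        "confirmed": len(confirmed),
        "false_positive_rate": round(len(rejected) / reviewed, 3) if reviewed else None,
        "confirmed_by_severity": dict(Counter(f.severity for f in confirmed)),
        "fixed": len(fixed),
        "mean_time_to_remediate_days": round(sum(ttr_days) / len(ttr_days), 2) if ttr_days else None,
        "open_high_or_critical": sum(1 for f in confirmed
                                     if f.status == "verified" and SEVERITY_RANK[f.severity] >= 3),
    }


def run_demo():
    """Walk constructed sample reports through the pipeline and return the evidence."""
    t0 = datetime(2026, 1, 5, 9, 0)
    day = timedelta(days=1)
    raw = [  # constructed sample data; component and sink names are illustrative
        Finding("F1", "dom/parser.cpp", "memcpy", "high", 0.9, t0),
        Finding("F2", "dom/parser.cpp", "memcpy", "high", 0.6, t0),       # duplicate of F1
        Finding("F3", "netwerk/url.cpp", "strcpy", "high", 0.7, t0),
        Finding("F4", "js/json.cpp", "integer_overflow", "medium", 0.8, t0),
        Finding("F5", "gfx/image.cpp", "use_after_free", "critical", 0.5, t0),
    ]
    unique = dedupe(raw)
    queue = review_queue(unique)
    by_id = {f.id: f for f in unique}
    # Reviewer verdicts (constructed): one false positive, one severity downgrade.
    verify(by_id["F5"], False, t0 + day)
    verify(by_id["F1"], True, t0 + day)
    verify(by_id["F3"], True, t0 + day, confirmed_severity="medium")
    verify(by_id["F4"], True, t0 + 2 * day)
    mark_fixed(by_id["F1"], t0 + 3 * day)
    mark_fixed(by_id["F3"], t0 + 5 * day)
    return {"raw_reports": len(raw), "queue_order": [f.id for f in queue],
            "evidence": evidence_report(unique)}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the model never closes a finding on its own: every state transition after "reported" is a recorded human decision with a timestamp, which is exactly what turns a scanner's output into evidence that can be presented in an audit.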
In this scenario, the role of security professionals changes: less time is spent on manual searches for basic vulnerabilities, and more is dedicated to designing secure architectures, defining risk models, and supervising the automated systems that monitor security.
Software security doesn't become an episodic activity performed during an annual audit. It becomes a continuous property of digital systems. Artificial intelligence doesn't eliminate the work of experts, but profoundly changes their starting point: security is no longer something verified occasionally, but something analyzed constantly.
Want to integrate AI into your cybersecurity and compliance strategy?
We can help you define a structured approach combining continuous monitoring, regulatory compliance, and intelligent automation.
Contact Us