Claude Opus 4.6 finds 500+ vulnerabilities

This is bigger than a benchmark win: Opus 4.6 looks like a real security researcher, not just a better code assistant.

• –The "out-of-the-box" finding is the key detail; if a general model can surface useful bugs without custom harnesses, the bar for effective cyber automation just dropped.
• –Anthropic's validation and patching workflow makes the 500+ number meaningful, but it also means disclosure triage and maintainer coordination will get harder as these reports scale.
• –The Firefox/Mozilla work suggests this is already moving from lab demo to a repeatable disclosure pipeline, not just a one-off stunt.
• –The 1M-token context window matters here because code audits are about keeping whole subsystems, diffs, and invariants in view at once.
• –The dual-use risk is obvious: the same reasoning that helps defenders also makes reconnaissance, proof-of-concept writing, and target prioritization easier.