A prominent Chinese cybersecurity company has announced that its AI-driven vulnerability discovery capabilities are comparable to those associated with the newly introduced Claude Mythos model by Anthropic.
Claims Analyzed by Notable Researchers
The assertions made by the Chinese firm have been scrutinized by Eugenio Benincasa, a cybersecurity researcher at ETH Zurich specializing in Chinese technology, as outlined in a post on the Natto Thoughts blog. According to Anthropic, its Mythos model has independently identified thousands of vulnerabilities. The model is kept from public access and is limited to select major organizations through Project Glasswing to prevent misuse.
Anthropic’s CEO has indicated that similar performance levels could be achieved by open-source models and Chinese developers within six to twelve months, a sentiment shared by researchers from cloud security firm Wiz.
Details of the Chinese AI System
The 360 Digital Security Group from 360 Security Technology (Qihoo 360), one of China’s leading cybersecurity firms, claims that its AI system, the ‘Multi-Agent Collaborative Vulnerability Discovery System,’ played a crucial role in its success at the Tianfu Cup, a significant hacking competition in China.
According to the company, this system was responsible for identifying around half of the vulnerabilities they discovered during the contest, totaling nearly 1,000, with more than 50 categorized as high-severity across various platforms, including Windows, Microsoft Office, Android, and IoT devices.
Controversy and Comparative Analysis
One of the standout claims involves the identification of CVE-2026-32190, a critical vulnerability in Microsoft Office, which 360 Security asserts its AI detected within minutes, even though the flaw had gone undetected for eight years. Another claim regarding a Windows kernel vulnerability has been contested, as Microsoft attributes that discovery to researchers from Taiwan and South Korea.
Benincasa advises caution, noting that while 360’s AI appears advanced, it does not yet match the comprehensive reasoning capabilities of Claude Mythos. A more fitting comparison might be Google’s Big Sleep, which enhances specific stages of vulnerability research rather than functioning as a fully autonomous system.
Importantly, Benincasa highlights that Chinese laws require private firms and researchers to report vulnerabilities to government bodies before public disclosure, thereby funneling elite security research into state intelligence, potentially giving China an edge over Western nations.
Future Outlook and Implications
Beyond Anthropic’s internal claims, other organizations like Mozilla and Palo Alto Networks have reported substantial benefits from Mythos in identifying vulnerabilities. However, only a limited number of public CVEs have been attributed to Anthropic, and just one to Glasswing.
As technology advances, the interplay between AI-driven cybersecurity tools and international regulations will continue to shape the landscape, offering both challenges and opportunities for global cybersecurity efforts.
