2 min read AI-generated

China's 360 Unveils AI Cyber Weapons — as an Answer to Mythos

Copy article as Markdown

Chinese security firm 360 has presented two AI tools: Tulongfeng automatically discovers software vulnerabilities, Yitianzhen automates cyber defense. Founder Zhou Hongyi calls vulnerability-finding AI a 'national strategic asset'.

Featured image for "China's 360 Unveils AI Cyber Weapons — as an Answer to Mythos"

There’s a reason the US government pulled Mythos specifically out of circulation: the model is exceptionally good at finding software vulnerabilities. That exact capability now has a Chinese rival.

Two tools, one message

Chinese cybersecurity firm 360 has unveiled two AI tools. Tulongfeng is built to automatically discover security flaws in software. Yitianzhen is built to automate cyber defense and incident response. According to reports, 360 positions Tulongfeng explicitly as a counterpart to Anthropic’s Mythos.

The launch came with a pointed message. According to Reuters, 360 founder Zhou Hongyi described vulnerability-finding AI as a ‘national strategic asset.’ And he warned of what he called ‘one-way transparency’ — a situation where some actors hold advanced vulnerability-detection capabilities while others don’t.

The uncomfortable symmetry

That’s the exact logic Washington used to justify its ban. Mythos and Fable 5 have been blocked for non-Americans since mid-June, because their cyber capabilities are deemed too dangerous to make freely available. Zhou flips the same argument: whoever has the better tools for finding flaws holds an advantage — so China isn’t going to sit and watch that advantage stay one-sided.

While Sakana in Tokyo framed its Fugu launch as a hedge against lock-in, 360 isn’t hedging. This isn’t about resilience — it’s about an arms race. Offensive vulnerability hunting and automated defense are two sides of the same coin, and both now run on AI.

My take

This is the part of the story that gives me the most pause. With Sakana, you can talk about architecture and elegance. With 360, we’re talking about tools whose main purpose is to find holes in other people’s software — automated, at scale.

That dual-use nature is what makes the whole debate so thorny. The same capability a defender uses to harden their own software helps an attacker break into someone else’s. Export controls are meant to slow one side down — but they don’t stop the other side from building the same thing themselves. The Mythos block didn’t prevent these models from existing. It only shifted who controls them.

And that may be the most sobering lesson of the week: for a technology you can rebuild with a few thousand GPUs, a ban isn’t a lock. At best, it’s a head start that runs on a clock.


Sources: