A Chinese cybersecurity firm has claimed AI-driven vulnerability discovery capabilities that approach the scale of those attributed to Anthropic’s recently unveiled Claude Mythos model.
The claims have been analyzed by Eugenio Benincasa, an ETH Zurich cybersecurity researcher focusing on China, in a post published on the Natto Thoughts blog.
Anthropic claims that its new Mythos frontier model has autonomously discovered thousands of vulnerabilities. To prevent potential abuse, Mythos has not been publicly released and is only available to a few dozen major organizations through Project Glasswing.
However, Anthropic’s own chief executive has suggested that open source models and Chinese developers could replicate Mythos-level performance within 6-12 months, a view echoed by researchers at cloud security firm Wiz.
According to Benincasa, claims made by the 360 Digital Security Group at 360 Security Technology (Qihoo 360), one of China’s largest cybersecurity companies, in the weeks surrounding Anthropic’s unveiling of Claude Mythos suggest that the company’s AI may have similar vulnerability-discovery capabilities.
360 Digital Security Group’s claims center on an internally developed ‘Multi-Agent Collaborative Vulnerability Discovery System’, which appears to have played an important role in its first-place finish at Tianfu Cup, a major Chinese hacking competition that was revived this year.
The firm says the system contributed to roughly half of the vulnerabilities it identified at the contest, finding close to 1,000 vulnerabilities in total, including over 50 high-severity flaws across Windows, Microsoft Office, Android, OpenClaw, IoT devices, and other products.
The most striking individual claim involves CVE-2026-32190, a critical Office vulnerability that 360 says its AI agent identified within minutes, after it had allegedly gone undetected for roughly eight years. A separate Windows kernel vulnerability (CVE-2026-24293) was also claimed, though Microsoft credits researchers from Taiwan and South Korea with that discovery, casting doubt on 360’s claims.
Benincasa cautions that while 360’s AI capabilities appear significant, they do not yet appear to match the reasoning capabilities described for Claude Mythos. A closer comparison, the expert suggests, is Google’s Big Sleep, which accelerates discrete stages of vulnerability research rather than operating as a fully autonomous agent.
However, the expert believes other aspects may ultimately matter more than any technical comparison. Chinese legislation requires private companies and researchers to report vulnerabilities to government agencies before disclosing them publicly, effectively channeling elite security research into state intelligence pipelines.
This puts China at an advantage compared to the United States, Europe, and other democratic countries, Benincasa noted.
As for Mythos’ capabilities, outside of Anthropic’s claims, Mozilla said the AI helped it find over 270 Firefox vulnerabilities, and Palo Alto Networks reported a significant boost in vulnerability discovery.
Others, however, pointed out that only a few dozen public CVEs have been credited to Anthropic and only one specifically to Glasswing.
Related: AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers
Related: White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology
