360 Unveils AI Tools To Match Anthropic's Mythos

360 Security Technology's announcement illustrates a recurring pattern in AI security: a lab that concedes a 20-30% model-capability gap versus frontier US systems claims to close it through agentic orchestration and domain data rather than raw model scale, a framing eWeek compares to DeepSeek's efficiency-over-compute approach. At the ISC.AI 2026 conference in Beijing, founder Zhou Hongyi unveiled Tulongfeng, calling it "China's version of Mythos," plus a second tool, Yitianzhen, for automated cyber defense, per Reuters and a full transcript of Zhou's speech published the same day. 360 says Tulongfeng has found 3,432 vulnerabilities, 105 confirmed by Chinese authorities, but Reuters states it could not independently verify those figures, a caveat that matters since the numbers are entirely self-reported. The announcement lands alongside June's US export controls barring foreign nationals, including Anthropic's own non-citizen staff, from Mythos and Fable 5, and China's exclusion from Anthropic's 40-plus-member Project Glasswing alliance, which 360 frames as a "one-way transparency" risk. Zhou's transcript also claims Tulongfeng found zero-days in the agent framework openclaw and 13 in the AI platform Flowise, pointing at AI infrastructure itself as an emerging vulnerability-discovery target.
The pattern behind the announcement
360's rollout is a case study in a pattern now recurring across Chinese AI announcements: a company that explicitly concedes a 20-30% model-capability gap against frontier US systems claims parity through agentic orchestration, domain-specific data, and multi-agent workflows rather than larger models or more compute. Founder Zhou Hongyi's own framing, laid out in a full transcript of his ISC.AI 2026 keynote, describes this directly as an alternative to "the strongest model, the strongest computing power, the strongest chips" route, an approach eWeek separately likens to DeepSeek's efficiency-over-scale strategy. The comparison matters for practitioners because it signals that capability gaps versus frontier models can be partly compensated for with orchestration and domain tooling, which should change how buyers evaluate vendor claims that a system matches a better-resourced competitor.
What was announced
Speaking at the ISC.AI 2026 conference in Beijing, Zhou unveiled two AI systems under the banner "Yitian Tulong": Tulongfeng, an automated vulnerability-discovery agent he called "China's version of Mythos," and Yitianzhen, an automated cyber-defense and incident-response system described as nearing full release, per Reuters and the full transcript of Zhou's speech published the same day. 360 says Tulongfeng has identified 3,432 software vulnerabilities to date, with 105 confirmed by Chinese authorities, but Reuters states plainly that it could not independently verify those figures. That caveat carries real weight: the numbers are entirely self-reported by 360, with no third-party audit cited in any of the reporting reviewed.
The Mythos backdrop
Zhou's speech frames the release as a response to Anthropic's Mythos, which the company said in April had found "thousands" of vulnerabilities across operating systems and browsers during red-team testing. The US government subsequently ordered export controls barring foreign nationals, including Anthropic's own non-citizen employees, from Mythos 5 and the safety-throttled Fable 5, and Anthropic extended Mythos scanning access to more than 40 organizations under its Project Glasswing alliance, from which China was excluded. Zhou calls this exclusion a "one-way transparency" risk, comparing mutual vulnerability-discovery capability to nuclear deterrence. That framing is an explicit strategic argument from 360's own founder rather than an LDS assessment, and is worth reading as company positioning, particularly since the underlying vulnerability counts remain unverified.
Technical claims, per Zhou's transcript and unverified by outside parties
The transcript attributes specific results to Tulongfeng beyond the vulnerability count Reuters reported: a Windows kernel privilege-escalation bug dormant for five years, an Office remote-code-execution flaw dormant for eight years, and an Excel vulnerability dormant for ten years, all of which 360 says earned formal acknowledgment from Microsoft. Notably, 360 also claims Tulongfeng found zero-day vulnerabilities in the AI agent framework openclaw and 13 zero-days in the AI application-building platform Flowise, covering authentication and access-control issues. If accurate, that detail matters more immediately to practitioners than the geopolitical framing: it indicates vulnerability-discovery AI, on both the Mythos and Tulongfeng sides, is now being pointed directly at the agentic AI tooling stack itself, not just conventional operating systems and applications.
For practitioners
Treat 360's vulnerability counts as unverified vendor claims until an independent researcher or the affected vendors, Microsoft and the openclaw and Flowise maintainers, confirm them directly, the same standard Reuters applied. Teams running agent frameworks or AI app-builder platforms should track official advisories from those specific projects rather than relying on either company's self-reported discovery numbers. More broadly, security and procurement teams operating in or with China should expect continued bifurcation in access to frontier vulnerability-discovery tools: US export controls on one side, and on the other a limited, state-vetted rollout of Tulongfeng and Yitianzhen to key state-backed and critical-infrastructure units, per Zhou's transcript, rather than open commercial availability of either system in the near term.
Key Points
- 1360 Security unveiled Tulongfeng, styled as "China's version of Mythos," and Yitianzhen, a cyber-defense system, at ISC.AI 2026 in Beijing.
- 2360 claims parity with a stronger US model through agentic orchestration rather than raw scale, but Reuters could not verify its 3,432-vulnerability count.
- 3Practitioners should treat vendor vulnerability counts as unverified and watch for advisories from Microsoft, openclaw, and Flowise given claimed AI-tooling zero-days.
Scoring Rationale
Verified via Reuters' wire report (confirmed through an identical syndicated copy), independent reporting from eWeek and SCMP, and a full transcript of Zhou Hongyi's keynote that surfaces additional unverified claims, including Tulongfeng zero-days found in the AI agent framework openclaw and the Flowise AI app-building platform. The core vulnerability counts remain entirely self-reported and explicitly unverified by Reuters, which caps the score below 'major,' but the transcript's detail on AI-infrastructure-targeting vulnerability discovery is directly relevant to the AI/ML practitioner audience and modestly raises the story's stakes versus a pure geopolitical-positioning read.
Sources
Primary source and supporting public references used for this report.
View 6 more sources
- ISC.AI 2026 Full Keynote Transcript: Zhou Hongyi, 'China Must Have Its Own Mythos' (Chinese language)k.sina.com.cn
- China's 360 says it has developed tools to match Anthropic's Mythosreuters.com
- Chinese Cyber Firm Claims New AI Tool Rivals Anthropic's Mythoseweek.com
- Mutually assured disruption? Why China wants its own Mythos AI deterrentamp.scmp.com
- China's 360 Security unveils AI tools that 'match' Anthropic's Mythoscryptopolitan.com
- China unveils Mythos rival as Anthropic accuses Alibaba of 'illicitly ...enterpriseai.economictimes.indiatimes.com
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

