“Whoever masters automated vulnerability discovery technology holds the upper hand in cyber offense and defense” – Zhou Hongyi, Chairman and CEO, 360 Digital Security Group (2018)

On April 7, 2026, artificial intelligence developer Anthropic introduced its new general-purpose model Claude Mythos Preview to a restricted partnership of over 40 vetted organizations, including major technology and cybersecurity firms, as part of its defensive security initiative Project Glasswing. The company stated that the Claude Mythos model has identified thousands of high-severity vulnerabilities across widely used software, including major operating systems and web browsers. Crucially, in some cases it can autonomously develop exploits and chain vulnerabilities without human intervention. Anthropic has not released the system publicly, citing the risks associated with such capabilities and the need for further safeguards before deployment at scale.

While independent assessment remains limited and technical details are sparse, governments are already responding: U.S. officials have reportedly briefed financial institutions on AI-enabled cyber risks, while German authorities have warned of significant disruption and the capacity of such systems to transform vulnerability discovery.

Recent developments suggest that similar capabilities are being explored in China. In February 2026, Natto Thoughts described how a team from 360 Digital Security Group (奇虎360, hereafter “360”), which won first place at the 2026 Tianfu Cup, a major Chinese exploit hacking contest,1 had relied extensively on AI-assisted discovery and exploitation, with its team lead stating that AI has evolved “from an auxiliary tool to the core engine of vulnerability discovery.” The team that placed third made similar claims. This raises a central question: have Chinese companies already developed systems with capabilities comparable to those claimed for Claude Mythos, and how might differences in institutional context shape their impact?

This analysis focuses on 360 as a primary case study, given its position as a leading cybersecurity company in China, its strong track record in top-tier vulnerability research, and the relative visibility of its recent AI-related disclosures.2 Recent disclosures describe internally developed multi-agent systems capable of identifying vulnerabilities, supporting exploit development, and automating parts of the research workflow that were previously manual, with claimed discovery at a scale approaching Anthropic’s description of Claude Mythos. Other firms appear to be pursuing similar approaches, though with more limited public information. The analysis then considers how such capabilities could translate into an asymmetric offensive advantage in China’s favor.