China’s 360 Hunts Software Flaws With AI, Echoing Mythos

A large Chinese cybersecurity firm is using artificial intelligence to identify security vulnerabilities in widely used software applications, positioning itself as a competitor to Anthropic PBC, according to a new report.

The company, 360 Digital Security Group, has in recent months said it has developed an AI-powered “Vulnerability Discovery Agent” that has uncovered close to 1,000 previously unknown vulnerabilities, including in Microsoft’s Office and in OpenClaw, an open-source framework for building and deploying AI agent workflows, according to the report published Wednesday by Natto Thoughts, a research group focused on Chinese cybersecurity.

Representatives for 360 did not immediately respond to requests for comment.

Earlier this year, Beijing-based 360 said it had developed AI tools that speed the identification of flaws and the construction of so-called exploit chains. which are required to hack into targeted computers, according to the report.

The effort resembles the new AI model from Anthropic, Mythos, which the company says can autonomously uncover and exploit software flaws in popular technologies. The model is so powerful, according to Anthropic, that the company has only released it to a select group of organizations, encouraging them to use it to find and plug their holes before attackers do. The US government is also moving to make some version of Mythos available to federal agencies.

China’s 360 said that its use of AI had evolved “from an auxiliary tool to the core engine of vulnerability discovery,” according to the report, which reviewed a series of recent Chinese-language announcements from the organization.

Eugenio Benincasa, the author of the report and a senior researcher at ETH Zurich’s Center for Security Studies, said that 360 appears to be positioning itself as a direct competitor to Anthropic’s Mythos.

Even if some of the company’s claims are overstated, he said, the developments point to the maturation of underlying capabilities. “AI is moving from an auxiliary tool to something closer to a scalable engine for vulnerability research, and firms like 360 are well positioned to push that forward in China,” he said.

Benincasa said China poses a particular threat due to its government’s control over the cybersecurity industry and legal requirements that force cybersecurity researchers to disclose any software vulnerabilities they find to security agencies, which can use them to enable cyber intrusions.

The Chinese government’s wide-reaching domestic authority may give its AI capabilities “greater operational impact,” Benincasa said. “Closer integration between private firms and state actors mean that improvements in discovery can translate more directly into offensive use.”

Photo credit: Victor J. Blue/Bloomberg