- 360 Security Technology says its Tulongfeng tool found over 3,400 software vulnerabilities, though every one of those figures comes from the company's own reporting with no outside audit.
- Founder Zhou Hongyi, according to multiple outlets covering the Beijing conference, openly admitted domestic Chinese AI models still trail US counterparts by roughly 20 to 30 percent in raw capability.
- ETH Zurich researcher Eugenio Benincasa cautioned that some of 360's capability assertions are likely exaggerated, while still concluding that the broader trend toward AI-driven vulnerability research in China is genuine.
What the Chatter Is All About
Well, butter my biscuit—somebody in Beijing just hollered across the fence at Silicon Valley. At the ISC.AI 2026 conference in Beijing, 360 Security Technology founder Zhou Hongyi unveiled what the company describes as a pair of AI-powered security tools traveling under the collective banner 'Yitian Tulong,' a name that reportedly translates to 'Heavenly Sword and Dragon Saber,' according to TechRadar and Quartz. As the company tells it, one blade—Tulongfeng—is aimed at automated vulnerability discovery, while the other—Yitianzhen—is positioned for automated cyber defense and incident response.
Zhou, according to reporting by Quartz and Asia Insurance Post, framed the whole affair in stark strategic terms, arguing that AI-powered bug hunting is a national asset China simply cannot hand over to American players. The company says Tulongfeng is, in Zhou's own words, essentially 'China's version of Mythos'—a direct shout-out to Anthropic's AI model that can autonomously sniff out and exploit software weaknesses at scale. That framing was confirmed by multiple independent outlets including TechRadar, BizzBuzz, and Quartz, all reporting separately on the same Beijing event. The announcements and the jaw-dropping performance numbers, though, flow from 360 itself, so pump the brakes before treating any of it as gospel.
What Is Actually Confirmed and Nailed Down
The conference happened—that part's solid as a cast-iron skillet. Multiple independent news organizations including TechRadar, Quartz, SC Media, BizzBuzz, and Asia Insurance Post all separately covered the ISC.AI 2026 gathering in Beijing and confirmed that Zhou Hongyi made these announcements there. On the American side of the ledger, the export control action against Anthropic is also well-corroborated: Asia Insurance Post and the Skadden legal analysis both report as independently established fact that the US government ordered Anthropic to halt exports of a less powerful variant of Mythos to destinations worldwide, citing national security grounds.
Anthropic's Mythos itself, introduced in April 2026, is reported across multiple outlets as a model genuinely capable of autonomously finding and weaponizing software vulnerabilities at scale. Also confirmed: in April 2026 Anthropic launched what it calls Project Glasswing, giving a handpicked group of technology companies and critical infrastructure operators early access to Mythos, according to the Skadden analysis. And CrowdStrike's 2026 Global Threat Report documented an 89 percent year-over-year jump in adversary attacks that employed AI assistance—a figure that gives the broader race real, independent weight beyond any one company's press conference.
What Nobody Has Actually Verified Yet
Here's where the hound dog loses the scent, folks. The eye-popping specific numbers—360 says Tulongfeng has turned up 3,432 software vulnerabilities, of which 105 were supposedly confirmed by government agencies—trace back entirely to Zhou Hongyi's own speech and a transcript that 360 itself published, according to the available reporting. No independent security researcher has audited those outputs, and no third-party organization has cross-checked the government-confirmation figure. Until somebody other than 360 kicks the tires on these results, those digits are the company's claims and nothing more.
Zhou also asserts, according to TechRadar and Asia Insurance Post, that 360's method of layering weaker base models atop proprietary vulnerability databases and automated tooling closes the gap enough to deliver results equivalent to Mythos—even while he simultaneously admitted domestic Chinese AI models sit roughly 20 to 30 percent behind US counterparts in raw horsepower. Whether 'equivalent results through clever engineering' actually holds up under real-world pressure, or whether it's more like claiming your three-legged mule can win the Kentucky Derby if you strap on enough saddle bags, remains entirely unproven by any external party.
What Actual Outside Experts Have Said
ETH Zurich researcher Eugenio Benincasa published a report in April 2026 on 360's earlier AI vulnerability work—before the Yitian Tulong announcement—and his assessment sits somewhere between a cold bucket of water and a cautious nod. As Insurance Journal reported, Benincasa warned that some of 360's capability assertions are probably puffed up beyond reality. That said, he also concluded the underlying capability trajectory is genuine, so he's not calling the whole thing a barnyard fabrication—just saying the bragging might outpace the doing.
Benincasa additionally flagged something that transcends performance metrics entirely: China's legal framework compels security researchers to hand newly discovered vulnerabilities over to state security agencies before publicly disclosing them. That regulatory pipeline, he argued per Insurance Journal, makes 360's work a particular concern for foreign governments regardless of how accurate any specific benchmark claim turns out to be. That structural point doesn't depend on whether Tulongfeng hit 3,432 vulnerabilities or 343—it's baked into the operating environment.
The Dual-Use Elephant Stomping Around the Barn
Zhou himself, according to Quartz and Asia Insurance Post, didn't exactly hide the offensive dimension of these tools—he reportedly described capabilities that could deliver 'offensive advantage' in the same breath as pitching them as defensive assets for national cyber resilience. That's a tension big enough to drive a pickup truck through. Security analysts have broadly noted that any tool sophisticated enough to hunt vulnerabilities at scale is, by basic logic, also sophisticated enough to exploit them against someone else's systems. 360 frames its suite as a defensive and strategic national resource, but as the Skadden legal analysis covering this space makes clear, the line between AI-powered defense and AI-powered offense is about as thin as a coat of paint on a screen door.
The broader context here is undeniable and well-corroborated across sources. The US government signed an executive order on June 2, 2026 establishing a public-private AI cybersecurity clearinghouse, according to the Skadden analysis. CrowdStrike's threat report independently documented that AI-assisted adversary attacks surged 89 percent in a single year. Whether 360's tools are anywhere near as capable as the company says, the arms-race dynamic itself is as real as dirt.
Our Analysis: What This Might Actually Mean
Analysis: If you set aside the unverified performance theater and just look at the strategic signaling, this announcement is doing a whole lot of work for Beijing. By explicitly branding Tulongfeng as 'China's version of Mythos' in Zhou's own words—confirmed by multiple outlets—360 and, arguably, the Chinese government behind it are staking out a rhetorical position in the AI cyber race that didn't exist publicly six months ago. Even if the actual capability gap remains closer to that admitted 20 to 30 percent than Zhou's rosy framing suggests, the very act of making this claim loudly at a national conference is its own strategic move, like painting a barn to make it look bigger than it is.
Analysis: The more durable concern raised by Benincasa's prior research—that China's vulnerability-disclosure laws funnel security findings straight to state agencies—doesn't hinge on whether Tulongfeng's numbers are accurate. If the tool works even partially as the company claims, the regulatory pipeline ensures findings flow toward state actors automatically. For critical infrastructure operators outside China, that structural reality is probably worth more attention than the specific benchmark disputes. Whether 360's suite is a genuine peer to Mythos or an ambitious mule dressed up in thoroughbred colors, the race itself is clearly underway.
Who is doing the hollering
These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.
- Chinese cybersecurity company 360 unveils 'China's version of Mythos', and Yitianzhen, to automate cyber defenseTechRadar · top tier
- China's 360 Claims It Built a Domestic Rival to Anthropic's MythosBizzBuzz News · specialist
- China's 360 Security claims AI vulnerability tool rivals Claude MythosQuartz · top tier
- China's 360 says it has developed tools to match Anthropic's MythosAsia Insurance Post · specialist
- China's 360 Hunts Software Flaws With AI, Echoing MythosInsurance Journal · specialist
- AI-Enabled Vulnerability Discovery: What Next-Gen Tools Mean for the Management of Cybersecurity RiskSkadden, Arps, Slate, Meagher & Flom LLP · specialist
- Tune In: The Future of AI-Powered Vulnerability DiscoveryCrowdStrike · specialist
Last checked Jun 27, 2026, 9:08 AM EDT. Talk Around Town: Key performance figures—including the 3,432 vulnerabilities discovered and the claim that Tulongfeng achieves 'Mythos-equivalent capabilities'—come exclusively from 360 Security Technology's own statements. No independent technical audit or government verification of these results has been reported. Treat all capability comparisons as attributed claims, not established fact.