Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos

Summary

360 Digital Security Group claims its internally developed Multi-Agent Collaborative Vulnerability Discovery System identified approximately 1,000 vulnerabilities, including critical Office and Windows flaws, contributing to its first-place finish at the Tianfu Cup hacking competition. The claims have drawn comparisons to Anthropic's Claude Mythos model, though cybersecurity researchers suggest 360's AI capabilities may not yet match Mythos's described reasoning abilities. However, experts note that Chinese legislation requiring vulnerability disclosure to government agencies before public release gives China a strategic advantage in channeling elite security research into state intelligence pipelines.

Full text

A Chinese cybersecurity firm has claimed AI-driven vulnerability discovery capabilities that approach the scale of those attributed to Anthropic’s recently unveiled Claude Mythos model. The claims have been analyzed by Eugenio Benincasa, an ETH Zurich cybersecurity researcher focusing on China, in a post published on the Natto Thoughts blog. Anthropic claims that its new Mythos frontier model has autonomously discovered thousands of vulnerabilities. To prevent potential abuse, Mythos has not been publicly released and is only available to a few dozen major organizations through Project Glasswing. However, Anthropic’s own chief executive has suggested that open source models and Chinese developers could replicate Mythos-level performance within 6-12 months, a view echoed by researchers at cloud security firm Wiz. According to Benincasa, claims made by the 360 Digital Security Group at 360 Security Technology (Qihoo 360), one of China’s largest cybersecurity companies, in the weeks surrounding Anthropic’s unveiling of Claude Mythos suggest that the company’s AI may have similar vulnerability-discovery capabilities. 360 Digital Security Group’s claims center on an internally developed ‘Multi-Agent Collaborative Vulnerability Discovery System’, which appears to have played an important role in its first-place finish at Tianfu Cup, a major Chinese hacking competition that was revived this year. Advertisement. Scroll to continue reading. The firm says the system contributed to roughly half of the vulnerabilities it identified at the contest, finding close to 1,000 vulnerabilities in total, including over 50 high-severity flaws across Windows, Microsoft Office, Android, OpenClaw, IoT devices, and other products. The most striking individual claim involves CVE-2026-32190, a critical Office vulnerability that 360 says its AI agent identified within minutes, after it had allegedly gone undetected for roughly eight years. A separate Windows kernel vulnerability (CVE-2026-24293) was also claimed, though Microsoft credits researchers from Taiwan and South Korea with that discovery, casting doubt on 360’s claims. Benincasa cautions that while 360’s AI capabilities appear significant, they do not yet appear to match the reasoning capabilities described for Claude Mythos. A closer comparison, the expert suggests, is Google’s Big Sleep, which accelerates discrete stages of vulnerability research rather than operating as a fully autonomous agent. However, the expert believes other aspects may ultimately matter more than any technical comparison. Chinese legislation requires private companies and researchers to report vulnerabilities to government agencies before disclosing them publicly, effectively channeling elite security research into state intelligence pipelines. This puts China at an advantage compared to the United States, Europe, and other democratic countries, Benincasa noted. As for Mythos’ capabilities, outside of Anthropic’s claims, Mozilla said the AI helped it find over 270 Firefox vulnerabilities, and Palo Alto Networks reported a significant boost in vulnerability discovery. Others, however, pointed out that only a few dozen public CVEs have been credited to Anthropic and only one specifically to Glasswing. Related: AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers Related: White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Claude Mythos Finds 271 Firefox VulnerabilitiesGoogle Antigravity in Crosshairs of Security Researchers, CybercriminalsThird US Security Expert Admits Helping Ransomware GangUnsecured Perforce Servers Expose Sensitive Data From Major OrgsData Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to HackingBluesky Disrupted by Sophisticated DDoS AttackNext.js Creator Vercel Hacked Latest News Rilian Raises $17.5 Million for AI-Native Security OrchestrationThe Behavioral Shift: Why Trusted Relationships Are the Newest Attack SurfaceLuxury Cosmetics Giant Rituals Discloses Data BreachAI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers Apple Patches iOS Flaw Allowing Recovery of Deleted ChatsRecent Microsoft Defender Vulnerability Exploited as Zero-DayAfter Bluesky, Mastodon Targeted in DDoS AttackMost Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-32190
• cve — CVE-2026-24293

Entities