The global race for artificial intelligence just hit a scary new phase, and it has nothing to do with writing poetry or generating deepfake videos. It's about automated weapon discovery.
When Zhou Hongyi, the outspoken billionaire founder of Chinese security giant 360 Security Technology, took the stage at the ISC.AI conference in Beijing, he didn't mince words. He introduced a pair of AI security tools called Yitian Tulong, explicitly framing them as China's direct answer to Anthropic’s Mythos model. He called these kinds of automated vulnerability finders a "cyber nuclear weapon". Meanwhile, you can explore related stories here: Why Top Ai Minds Are Abandoning Chatbots For The Physical World.
If you aren't tracking what Mythos is or why China is scrambling to build its own version, you're missing the real story of modern geopolitical friction. This isn't just corporate boasting. It's an admission that the field of hacking and defense has fundamentally transformed, and the old ways of protecting networks are officially obsolete.
The Reality of One Way Transparency
To understand why a major Chinese tech executive is sounding the alarm, you have to look at what happened in the US earlier this year. In April, Anthropic previewed Mythos, an AI system built specifically to hunt down bugs and flaws in complex software. During testing exercises under an initiative called Project Glasswing, Mythos didn't just find standard bugs. It reportedly breached classified US government systems within hours, a feat that usually takes human teams weeks or months of manual labor. To see the bigger picture, we recommend the excellent report by Engadget.
That speed changes everything. It democratizes the ability to find zero-day vulnerabilities—the unpatched security flaws that hackers covet because no defense exists for them yet.
Zhou Hongyi introduced a concept that should make every security professional pause: "one-way transparency". If the US holds an exclusive monopoly on AI models that can autonomously scan any software, find its breaking points, and potentially script an exploit, then everyone else's infrastructure becomes completely transparent to American intelligence. China, or any other nation without equivalent tech, is left completely blind, running defensive operations with a blindfold on.
I think Zhou is entirely right to be terrified of this imbalance. If an adversary can see inside your house while you can't even see your own front door, you've already lost the conflict before it starts.
Inside the Yitian Tulong Architecture
So what exactly did 360 build to stop this? They didn't just launch a singular chatbot; they built a dual-pronged system named after a classic Chinese martial arts novel, the "Heavenly Sword and Dragon Saber".
The system splits into two distinct operational components:
- Tulongfeng: This is the direct equivalent to Anthropic's Mythos. Its entire job is automated vulnerability discovery. It scans codebases, maps out dependencies, and pinpoints where an attacker could force a system failure. 360 claims Tulongfeng has already uncovered 3,432 software vulnerabilities, with 105 of them formally verified by Chinese state authorities.
- Yitianzhen: This handles automated defense and active incident response. Instead of hunting for new bugs, it monitors networks in real-time, triages alerts, and attempts to contain active breaches without waiting for a human analyst to wake up and read a log file.
While Western observers might be tempted to dismiss these numbers as state-approved marketing, doing so is incredibly dangerous. Even if only a fraction of those 3,432 flaws are critical, the sheer scale of machine-driven discovery means that software auditing is moving at a speed humans cannot match.
Bypassing the Silicon Blockade with AI Agents
The most fascinating part of Zhou’s presentation wasn't the software itself, but how 360 built it despite heavy US chip restrictions.
Since 2022, Washington has systematically cut off China's access to the highest-end Nvidia and AMD processors. Without those chips, training massive frontier LLMs is an uphill battle. Zhou openly admitted this reality, stating that domestic Chinese models still suffer from a 20% to 30% gap in base capabilities compared to their American counterparts.
But instead of waiting for Chinese chip foundries to catch up—a luxury China doesn't have—360 pivoted to an AI agent architecture.
Think of it this way: the US strategy is to breed a single, hyper-intelligent genius hacker. They build massive, compute-heavy models like Mythos that know a little bit about everything and a lot about code. 360's strategy is different. They are organizing a professional, digital military unit.
They take smaller, less capable base models and wrap them inside specialized software layers. They plug these models directly into proprietary security knowledge bases, decades of human vulnerability data, and automated scripting pipelines. The model doesn't need to know how to write a poem or pass a medical exam; it just needs to execute tightly defined security workflows perfectly.
I've seen this play out in enterprise software design repeatedly. A collection of highly focused, well-engineered AI agents working in a swarm often outperforms a massive, generalized model that costs ten times as much to train. By focusing on specialized workflows rather than raw parameter size, China has effectively neutralized a massive portion of the US hardware advantage in this specific sector.
The Escalating Invisible War
The timing of this announcement isn't a coincidence. It follows explosive allegations from Anthropic, which accused operators tied to Chinese e-commerce giant Alibaba of launching a massive model extraction campaign. Between late April and early June, these operators allegedly generated nearly 29 million interactions with Claude models to map out and scrape their capabilities.
Why would they do that? Because scraping the logic paths of an advanced model allows competitors to train their own systems significantly faster and cheaper. Anthropic explicitly warned that this campaign could speed up China's ability to copy systems like the Mythos Preview.
Meanwhile, Washington is panicking. The Trump administration recently issued sweeping orders restricting Anthropic from exporting even scaled-down versions of these security models. They even banned certain government agencies from utilizing specific frontier models over fears that a simple prompt jailbreak could hand an adversary the keys to the entire federal network.
What we are witnessing is the birth of an automated arms race. When both sides possess tools that can find thousands of flaws in commercial operating systems, web browsers, and power grid software in minutes, the entire concept of a "secure system" goes out the window.
How You Need to Prepare for Automated Exploits
If you're managing enterprise security, you can't treat this like a distant political squabble between Washington and Beijing. These tools will inevitably leak, modify, or inspire open-source variants that criminal syndicates will use against everyday targets. When software flaws are found a hundred times faster and at a fraction of the cost, your current patch management schedule is dead.
You need to alter your defensive playbook immediately. Here is what you should be doing right now:
Move Beyond Periodic Penetration Testing
If you're still relying on a human team to test your applications once or twice a year, you are essentially wide open. An automated tool can find a flaw the day after your test concludes and exploit it before your next scheduled audit. You need to implement continuous, automated code analysis directly into your deployment pipelines.
Enforce Strict Zero Trust Architecture
Assume your software has unpatched vulnerabilities that an AI can find instantly. The only way to survive is to ensure that even if an attacker compromises a specific application, they cannot move laterally through your network. Micro-segment your systems, strictly enforce least-privilege access, and require continuous re-authentication for every single network hop.
Automate Your Incident Triage
Human security analysts cannot fight machine-speed attacks. If your incident response plan involves an engineer getting a text message, opening a laptop, and reviewing log entries, you will lose your data before they finish their first cup of coffee. Invest heavily in automated defense systems that can isolate compromised servers, revoke API tokens, and alter firewall rules automatically the moment anomalous behavior occurs.
The era of human-vs-human cyber warfare is ending. We are moving into a world where machines hunt for flaws and machines defend them. If you aren't upgrading your defenses to match that reality, you're leaving your entire organization completely exposed.
