Qihoo 360 Claims AI Bug-Finder 'Tulongfeng' Outperforms Anthropic's Mythos
Qihoo 360 claims its AI bug-finder 'Tulongfeng' outperforms Anthropic's Mythos model, using a multi-agent swarm approach to discover long-dormant vulnerabilities.
Chinese cybersecurity vendor Qihoo 360 claims it has built an AI bug-finder that outperforms Anthropic's Mythos model. CEO Zhou Hongyi revealed the model, named 'Tulongfeng,' in a speech at the 14th Beijing Cybersecurity Conference, which Qihoo 360 organizes. Zhou described Mythos as 'equivalent to a cyber nuclear weapon,' because the U.S. ban on foreign nationals accessing the model gives America a tool to find flaws in software relied upon by other nations. Zhou argued that China needs equivalent capabilities as a deterrent, but replicating Mythos is not viable due to China's lag in underlying model capabilities.
Instead of brute-force scaling, Qihoo 360's approach uses a 'multi-agent swarm' that leverages the company's 20 years of threat intelligence and malware library. 'If the American approach is about cultivating a genius hacker, the 360 approach is about organizing a professional attack and defense team,' Zhou said. The swarm models threats, filters high-risk attack surfaces, follows data flow across files, automatically builds sandbox environments, generates exploit code, and conducts real-world testing. After each task, the swarm summarizes and reviews its performance, improving over time.
Qihoo 360 claims Tulongfeng has already discovered significant vulnerabilities. Zhou boasted that the tool automatically found a Windows kernel privilege escalation vulnerability dormant for five years, an Office remote code execution vulnerability dormant for eight years, and an Excel vulnerability dormant for ten years, earning official recognition from Microsoft. The tool also found numerous flaws in OpenClaw, a feat human researchers have also achieved.
The company also introduced 'Yitianzhen,' an AI that automatically simulates potential attacks against an organization's defenses and suggests or implements remediations. Qihoo 360 has formed an alliance of Chinese cybersecurity companies to use these tools and counter Project Glasswing, the group Anthropic allows to use Mythos under controlled conditions.
Qihoo 360's claims come amid geopolitical tensions over AI-powered vulnerability discovery. The U.S. has sanctioned Qihoo 360 on grounds that it likely supplies China's military. China's National Computer Virus Emergency Response Center (CVERC) often cites the company's research, sometimes in documents alleging the U.S. hacks itself to make China look bad. The development underscores the growing race between nations to harness AI for offensive and defensive cybersecurity capabilities.