Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos

A Chinese cybersecurity firm has claimed AI-driven vulnerability discovery capabilities that approach the scale of those attributed to Anthropic’s recently unveiled Claude Mythos model.  The claims have been analyzed by Eugenio Benincasa, an ETH Zurich cybersecurity researcher focusing on China, in a post published on the Natto Thoughts blog. Anthropic claims that its new Mythos frontier model has autonomously discovered thousands of vulnerabilities. To prevent potential abuse, Mythos has not been publicly released and is only available to a few dozen major organizations through Project Glasswing.  However, Anthropic’s own chief executive has suggested that open source models and Chinese developers could replicate Mythos-level performance within 6-12 months, a view echoed by researchers at cloud security firm Wiz.  According to Benincasa, claims made by the 360 Digital Security Group at 360 Security Technology (Qihoo 360), one of China’s largest cybersecurity companies, in the weeks surrounding Anthropic’s unveiling of Claude Mythos suggest that the company’s AI may have similar vulnerability-discovery capabilities.  360 Digital Security Group’s claims center on an internally developed ‘Multi-Agent Collaborative Vulnerability Discovery System’, which appears to have played an important role in its first-place finish at Tianfu Cup, a major Chinese hacking competition that was revived this year.  The firm says the system contributed to roughly half of the vulnerabilities it identified at the contest, finding close to 1,000 vulnerabilities in total, including over 50 high-severity flaws across Windows, Microsoft Office, Android, OpenClaw, IoT devices, and other products. The most striking individual claim involves CVE-2026-32190, a critical Office vulnerability that 360 says its AI agent identified within minutes, after it had allegedly gone undetected for roughly eight years. A separate Windows kernel vulnerability (CVE-2026-24293) was also claimed, though Microsoft credits researchers from Taiwan and South Korea with that discovery, casting doubt on 360’s claims. Benincasa cautions that while 360’s AI capabilities appear significant, they do not yet appear to match the reasoning capabilities described for Claude Mythos. A closer comparison, the expert suggests, is Google’s Big Sleep, which accelerates discrete stages of vulnerability research rather than operating as a fully autonomous agent.  However, the expert believes other aspects may ultimately matter more than any technical comparison. Chinese legislation requires private companies and researchers to report vulnerabilities to government agencies before disclosing them publicly, effectively channeling elite security research into state intelligence pipelines.  This puts China at an advantage compared to the United States, Europe, and other democratic countries, Benincasa noted. As for Mythos’ capabilities, outside of Anthropic’s claims, Mozilla said the AI helped it find over 270 Firefox vulnerabilities, and Palo Alto Networks reported a significant boost in vulnerability discovery.  Others, however, pointed out that only a few dozen public CVEs have been credited to Anthropic and only one specifically to Glasswing. Related: AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers Related: White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Claude Mythos Finds 271 Firefox Vulnerabilities Google Antigravity in Crosshairs of Security Researchers, Cybercriminals Third US Security Expert Admits Helping Ransomware Gang Unsecured Perforce Servers Expose Sensitive Data From Major Orgs Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking Bluesky Disrupted by Sophisticated DDoS Attack Next.js Creator Vercel Hacked Latest News Cloudsmith Raises $72 Million in Series C Funding Rilian Raises $17.5 Million for AI-Native Security Orchestration The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface Luxury Cosmetics Giant Rituals Discloses Data Breach AI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers  Apple Patches iOS Flaw Allowing Recovery of Deleted Chats Recent Microsoft Defender Vulnerability Exploited as Zero-Day After Bluesky, Mastodon Targeted in DDoS Attack Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email