Article 76JRY Chinese cybersecurity company claims it’s built a better-than-Mythos bug finder

from www.theregister.com - Articles on (#76JRY)
Chinese cybersecurity vendor Qihoo 360 claims it's built an AI bug-finder that's better than Anthropic's Mythos model.

CEO Zhou Hongyi revealed the model in a speech at the 14th Beijing Cybersecurity Conference, which Qihoo 360 organizes.

Chinese media outlets have transcribed the talk, in which Zhou described Mythos as "equivalent to a 'cyber nuclear weapon'," because the USA's ban on foreign nationals accessing the model gives America a tool with which to find flaws in software upon which other nations rely.

Zhou thinks China needs equivalent capabilities as a deterrent, but suggested replicating Mythos is not a viable approach.

"Mythos follows a typical large-scale model approach: the strongest model, the strongest computing power, and the strongest chips - a strategy of sheer brute force," he said. "However, this path has an implicit prerequisite: your model capabilities must be sufficiently strong. Objectively speaking, domestically developed models still lag behind by 20 percent to 30 percent in underlying capabilities."

The CEO therefore thinks China can't wait for its own models to catch up and needs to find another way to build Mythos-grade bug-finders.

Helpfully, Qihoo 360 has found those alternative methods by distilling its 20 years of experience fighting cyber-threats and colossal malware library into security-specific models and agents.

The company has put that to work in what Zhou described as a "multi-agent swarm."

"If the American approach is about cultivating a genius hacker, the 360 approach is about organizing a professional attack and defense team," he said. "When faced with a target, the swarm doesn't perform single-point analysis, but rather collaborates: first, it models the threat and filters high-risk attack surfaces; then, it follows the data flow across files to discover potential vulnerabilities."

The company's agents apparently automatically build sandbox environments, automatically generate exploit code, and conduct real-world testing. "The result is that every vulnerability is 'confirmed' rather than just suspected. After completing a task, the swarm also summarizes and reviews its performance, becoming smarter with each use. This is something a single large model can hardly do."

Qihoo calls this approach "Tulongfeng" and says it's already finding flaws in open-source and commercial software.

"We automatically discovered a Windows kernel privilege escalation vulnerability that had been dormant for five years, an Office remote code execution vulnerability that had been dormant for eight years, and an Excel vulnerability that had been dormant for 10 years, earning official recognition from Microsoft," Zhou boasted.

The CEO said the tool found plenty of flaws in OpenClaw - a feat that human researchers have also achieved.

Zhou said Qihoo 360 has created another AI-powered security tool called "Yitianzhen" that automatically simulates potential attacks against an organization's cyber-defenses, then suggests and/or implements remediations.

The company has created an alliance of local cybersecurity companies to use it and create a bulwark against Project Glasswing - the group of entities Anthropic allows to use Mythos under controlled conditions.

US authorities have sanctioned Qihoo 360 on grounds that it probably supplies China's military. China's National Computer Virus Emergency Response Center (CVERC) often cites and publicizes the company's research, sometimes in its documents that allege the US hacks itself to make China look bad.