360 Digital Security — AI Agents Find ~1,000 Vulnerabilities, Echoing Claude Mythos

AI relevance: China's 360 Digital Security Group deployed a multi-agent AI vulnerability discovery system that found ~1,000 flaws across major platforms — demonstrating that AI-powered offensive security tooling is emerging globally, not just in Western labs.

The Claims

360 Digital Security Group (Qihoo 360), one of China's largest cybersecurity companies, claims its internally developed Multi-Agent Collaborative Vulnerability Discovery System has identified close to 1,000 previously unknown vulnerabilities. The system reportedly contributed roughly half of the vulnerabilities the firm identified at the revived Tianfu Cup hacking contest.

Key Findings

• ~1,000 vulnerabilities found across Windows, Microsoft Office, Android, OpenClaw, IoT devices, and other products.
• 50+ high-severity flaws confirmed among the total.
• CVE-2026-32190 — a critical Microsoft Office vulnerability that 360 says its AI agent identified within minutes, after allegedly going undetected for ~8 years.
• CVE-2026-24293 — a Windows kernel vulnerability claimed by 360, though Microsoft credits researchers from Taiwan and South Korea, casting doubt on 360's attribution.
• The system placed 360 first at the Tianfu Cup, a major Chinese hacking competition revived this year under increased secrecy.

Expert Assessment

ETH Zurich researcher Eugenio Benincasa analyzed 360's claims on the Natto Thoughts blog. His assessment:

• 360's capabilities appear significant but do not yet match the autonomous reasoning described for Anthropic's Claude Mythos.
• A closer comparison is Google's Big Sleep, which accelerates discrete stages of vulnerability research rather than operating as a fully autonomous agent.
• Chinese legislation requires private companies and researchers to report vulnerabilities to government agencies before public disclosure — effectively channeling elite security research into state intelligence pipelines.
• This regulatory framework gives China a structural advantage in aggregating AI-discovered vulnerabilities for state use.

Why It Matters

• AI-driven vulnerability discovery is no longer confined to a single company — multiple organizations (Anthropic, Google, 360) are fielding systems that find vulnerabilities at machine speed.
• The compression of the vulnerability-to-exploitation timeline accelerates for everyone. If AI agents can find an 8-year-old bug in minutes, the window for defensive patching shrinks toward zero.
• China's mandatory disclosure laws create a concerning dynamic: AI-discovered vulnerabilities flow to state actors before the public (or vendors) can patch them.
• The inclusion of OpenClaw among 360's targets confirms that agent platforms are now on the radar of well-resourced vulnerability research organizations.

What to Do

• Assume that AI-powered vulnerability discovery means previously obscure or legacy code is now being systematically audited at scale — no component is "too small" to find.
• For organizations running AI agent platforms (OpenClaw, etc.), treat them as high-value targets — they combine broad system access with exposure to untrusted input.
• Accelerate patch verification cycles. The traditional 30-90 day patch window may be unrealistic when AI can chain newly disclosed flaws within hours.
• Monitor Chinese cybersecurity competitions (Tianfu Cup) and state-aligned research — they serve as early indicators of vulnerability discovery capabilities and potential weaponization timelines.

Sources

• SecurityWeek — Chinese Cybersecurity Firm's AI Hacking Claims
• Natto Thoughts — Where Is China in AI-Driven Vulnerability Discovery?
• SecurityWeek — China Revives Tianfu Cup Under Increased Secrecy