China Is Already Building Its Own Mythos. The Cyber Arms Race.

Quick Reads
- Chinese cybersecurity firm 360 is now using AI to actively scan for and identify software vulnerabilities, following the same approach as Anthropic’s Mythos.
- Mythos Preview, Anthropic’s AI security tool, found 271 Firefox flaws alone and identified high-severity vulnerabilities across every major operating system and web browser.
- The race to use AI offensively and defensively in cybersecurity is accelerating globally, with OpenAI also releasing a limited cyber-focused model the week after Mythos launched.
- Experts warn that AI has compressed the window between vulnerability discovery and exploitation to near zero.

When Anthropic announced its Mythos AI model earlier this month, it was careful about the language it used. The tool could find software flaws faster than any human team, could identify vulnerabilities across every major operating system and browser, and was considered serious enough that the company initially held back from a full release.
This is not a surprise, and that is part of what makes it significant. Coverage of Mythos described how AI’s capability to find security flaws shifted noticeably in early 2026, following the release of a new generation of frontier models in late 2025. Daniel Stenberg, lead developer of cURL, a 30-year-old data transfer tool embedded in everything from cars to medical devices, told NPR that in the first three months of 2026 alone, his team had already found and fixed more vulnerabilities than in either of the two prior full years. One-click AI scans flagged over 100 bugs in code that had passed multiple rounds of human review.
What Mythos made plain is the pace problem. Traditional vulnerability patching follows a cycle measured in months. A security researcher finds a flaw, notifies the company, and the company builds a fix. AI collapses that timeline dramatically on the discovery side without any corresponding improvement on the patching side.
The 360 Security development adds a geopolitical dimension that makes explicit. A US company with a tool powerful enough to hack most modern computing infrastructure is a problem. A Chinese company developing equivalent capability is a different scale of problem for Western governments, banks, and critical infrastructure operators who are already trying to quantify the Mythos threat. OpenAI responded one week after Mythos launched by releasing its own cyber-focused model to a limited group, signalling that no major AI lab intends to sit out this particular competition.
The practical result for anyone running software, which is everyone, is that the gap between a vulnerability being discovered and being actively exploited has shrunk to near zero. The report documented a mean time to exploit of negative seven days, meaning attackers are regularly using flaws before the vendor even knows they exist. AI hunting tools on the offensive side make that window shorter still. The defensive race to match that pace is still very much in progress.






