“Mythos is equivalent to a ‘cyber nuclear weapon’,” Qihoo 360 CEO Zhou Hongyi told attendees at the 14th Beijing Cybersecurity Conference, framing a new Chinese effort as both deterrent and countermeasure to restricted Western tools.
Zhou Hongyi at the 14th Beijing Cybersecurity Conference
Zhou Hongyi unveiled the claims in a speech at the 14th Beijing Cybersecurity Conference, which Qihoo 360 organizes. Zhou argued that the United States’ ban on foreign nationals accessing the Mythos model gives American actors a powerful capability to find software flaws upon which other nations rely, and that China therefore needs equivalent tools as a deterrent. He rejected an attempt to simply copy Mythos, saying: “Mythos follows a typical large-scale model approach: the strongest model, the strongest computing power, and the strongest chips – a strategy of sheer brute force.” Zhou also assessed that “domestically developed models still lag behind by 20 percent to 30 percent in underlying capabilities,” and said China therefore needs alternative technical paths rather than waiting for parity.
Qihoo 360’s Tulongfeng “multi-agent swarm” approach
Qihoo 360 says it built an alternative by distilling “20 years of experience fighting cyber-threats and [a] colossal malware library” into security-specific models and agents. Zhou described the result as a “multi-agent swarm.” Rather than a single, monolithic large model, the swarm is presented as a coordinated professional team: it first models the threat, filters high‑risk attack surfaces, follows data flow across files to discover potential vulnerabilities, and then—Qihoo says—automatically builds sandbox environments, automatically generates exploit code, and conducts real-world testing so that “every vulnerability is ‘confirmed’ rather than just suspected.”
Yitianzhen, the local alliance, and Project Glasswing
Qihoo said it has also created another AI-powered security tool, “Yitianzhen,” which it describes as automatically simulating potential attacks against an organization’s cyber-defenses and then suggesting or implementing remediations. Zhou said Qihoo has formed an alliance of local cybersecurity companies to use Yitianzhen and to create “a bulwark against Project Glasswing” — the group of entities Anthropic allows to use Mythos under controlled conditions, as Zhou characterized it. The company framed these collective tools and partnerships as an organized defense-and-attack capability distinct from the “genius hacker” model Zhou attributes to the American approach.
Vulnerabilities Qihoo 360 says it found and Microsoft recognition
Zhou boasted several concrete discoveries he said were produced by the approach. Qihoo claims to have “automatically discovered a Windows kernel privilege escalation vulnerability that had been dormant for five years, an Office remote code execution vulnerability that had been dormant for eight years, and an Excel vulnerability that had been dormant for 10 years, earning official recognition from Microsoft.” Zhou also said the tool found “plenty of flaws in OpenClaw,” a target human researchers have also examined, according to his remarks. Qihoo’s account emphasizes confirmation through exploit generation and real-world testing rather than mere flagging of suspicious code paths.
Sanctions, CVERC citations, and the optics of official recognition
Qihoo 360 operates in a complex official environment. The company has been sanctioned by US authorities “on grounds that it probably supplies China’s military,” a point Zhou used to underscore constraints on cross-border technology access. China’s National Computer Virus Emergency Response Center (CVERC) often cites and publicizes Qihoo’s research; the source material notes that CVERC sometimes includes Qihoo findings in documents that allege the US “hacks itself to make China look bad,” illustrating how technical research is being folded into broader narratives.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Qihoo’s stated approach shifts attention from single-model scaling to orchestration of specialized agents, automated sandboxing, and exploit confirmation. Teams watching for high‑risk surface discovery and automated exploit-generation workflows will want to track the specific outputs Qihoo claims to produce.
- Policymakers and regulators: Zhou’s framing links access controls on models to national security asymmetries and to sanctions already in place. Regulators considering access, export controls, or sanctions will find that Qihoo portrays its work as a strategic response to restricted foreign tools and existing sanctions.
- Affected enterprises and software maintainers: Qihoo’s claims about long‑dormant Windows kernel, Office, and Excel vulnerabilities—and Microsoft’s “official recognition,” as Zhou put it—underscore that automated discovery and weaponization claims can rapidly intersect with enterprise patching priorities and vendor disclosure processes.
Qihoo 360’s public case is clear: lacking parity with the largest general-purpose models, the company says it is using accumulated threat intelligence, specialized agents and automation to fill the gap. Whether that strategy yields a toolset comparable to or materially different from Mythos will hinge on independent verification of the vulnerabilities Qihoo says it has found, the behavior of its agents in real deployments, and the responses of the vendors and authorities Zhou invoked. For now, the company’s presentation adds a new, explicitly strategic voice to a contest over who can automatically find—and confirm—software flaws.
