Qihoo 360’s Tulongfeng: 3,432 Vulns Found, AI Sovereignty Debate Heats Up

Qihoo 360 unveils Tulongfeng AI vulnerability hunter claiming 3,432 flaws; Zhou frames it as cyber nuclear deterrence, fueling AI sovereignty debate.

June 30, 2026 · By BizScoreAI · 8 min read
Greek marble temple statue under the Qihoo 360 logo with a Chinese flag, engraved marble band reading Tulongfeng

⏱ 5 min read · Last updated 2026-06-30

Qihoo 360, a Beijing-based cybersecurity firm on the U.S. Entity List, has unveiled two homegrown AI tools designed to compete with Anthropic’s Mythos vulnerability hunter. The company says its Tulongfeng platform has already flagged 3,432 software vulnerabilities, while its Yitianzhen system automates cyber defense. CEO Hongyi Zhou framed the effort as a necessity for digital sovereignty, comparing advanced bug-finding AI to nuclear weapons.

Vulnerability-hunting AI has become a cyber nuclear weapon: no nation can afford to be the only one without it.

Why It Matters

AI-powered vulnerability discovery is reshaping cybersecurity. Anthropic’s Mythos has found tens of thousands of flaws across open-source code, raising alarms about catastrophic risk and geopolitical control. The emergence of a Chinese counterpart intensifies the debate, echoing Cold War deterrence logic. Qihoo 360’s placement on the U.S. Entity List in 2020 for enabling China’s high-technology surveillance underscores the delicate intersection of national security, AI, and international trust.

What’s New / How It Works

Rather than a single frontier model, Tulongfeng is an orchestrated vulnerability-research platform built on an agent-based approach. It pairs AI models with security expertise and automated tools, an architecture Zhou says is designed to compensate for a 20-30% capability gap between domestic Chinese models and the top Western ones. Yitianzhen operates as an AI-driven security operations center (SOC) layer for automated defense. The names draw from a classic martial arts novel: Tulongfeng translates to the tip of the dragon saber, while Yitianzhen refers to a cluster sword formation.

Zhou framed the technical contest in stark Cold War terms. He argued that the U.S. could use Mythos to scan Chinese systems while China remains blind, creating a dangerous asymmetry. The export ban on Anthropic’s Fable 5, which he called the “civilian, neutered version of Mythos,” proved, in his view, that Washington considers vulnerability-hunting AI a strategic asset that must be kept exclusively in American hands.

The Numbers

  • 3,432 vulnerabilities flagged by Tulongfeng across open-source code, binary software, and AI/agentic systems, according to Qihoo 360’s CEO.
  • 250,000 vulnerabilities in Qihoo 360’s internal database accumulated since 2005, used to train the tool.
  • 20-30% estimated gap in underlying AI model capabilities between China’s best models and those from the U.S., per Zhou.
  • 23,000+ total findings generated by Anthropic’s Claude Mythos Preview across more than 1,000 open-source projects, including over 6,200 rated high or critical.
  • 10,000+ serious flaws identified to date by Project Glasswing partners (Cisco, Palo Alto Networks) using Mythos’ full capabilities.

The same logic that kept nuclear powers from direct war now applies to cybersecurity: mutual deterrence through advanced AI capabilities.

What Comes Next

The AI sovereignty fire is gaining fuel. The U.S. government partially rescinded the Mythos 5 export ban, granting access to a select group of more than 100 companies and agencies, while Fable 5 remains blocked. Security analyst Laura Wilber of Enea said the move added yet more fuel to the digital sovereignty push in Europe, likely channeling more funding to Mistral. Separately, Tsinghua University professor Jie Tang, founder of Z.ai, predicted a Chinese “Mythos” class model would arrive before Q1 2027. The arms race in vulnerability-hunting AI shows no sign of cooling.

What This Means for You

For businesses that rely on digital infrastructure, automated vulnerability discovery at scale changes the threat landscape. Tools like Mythos and Tulongfeng promise faster patching but also lower the barrier for identifying exploitable weaknesses. Staying informed about these capabilities is becoming part of basic cybersecurity hygiene. As we have covered recently, the rapid progress in AI-driven bug hunting means that every organization’s attack surface is under more intense scrutiny. Catch up with Z.ai GLM-5.2 matching Mythos in cybersecurity and OpenAI’s GPT-5.6 Sol cyber safeguards to see how the defensive and offensive capabilities of AI are evolving together.

The Bigger Picture

The Qihoo 360 announcement is more than a product launch; it’s a signal that the AI security race is now fully multipolar, with cyber-deterrence doctrines being openly adopted. Whether Tulongfeng lives up to its claims or not, the rhetorical framing makes clear that nations see vulnerability-hunting AI as a strategic asset. The debate over sovereignty and export controls will shape the next generation of internet security for everyone.

Frequently Asked Questions

What is Tulongfeng and how does it compare to Anthropic’s Mythos?
Tulongfeng is Qihoo 360’s AI-driven vulnerability hunting platform that uses an agent-based orchestration approach rather than a single frontier model. It claimed to have found 3,432 vulnerabilities by pairing AI models with security expertise. Anthropic’s Mythos Preview generated over 23,000 findings across 1,000+ open-source projects, with partners in Project Glasswing finding more than 10,000 serious flaws. Qihoo 360 argues its architecture compensates for a 20-30% gap in underlying model capabilities between Chinese and U.S. systems.
Why is Qihoo 360 on the U.S. Entity List?
Qihoo 360 was added to the Bureau of Industry and Security’s Entity List in 2020 after being accused of enabling China’s high-technology surveillance in the alleged crackdown on Uyghurs in Xinjiang. This listing restricts its access to U.S. exports, making the development of indigenous AI tools like Tulongfeng both a technical and geopolitical statement.
What does the ‘cyber nuclear deterrence’ framing mean?
Qihoo 360 CEO Hongyi Zhou compared advanced vulnerability-hunting AI to nuclear weapons, arguing that when both sides possess such capabilities, mutual deterrence prevents aggressive use. He suggested that the U.S. could use Mythos to scan Chinese systems while China remains blind, and that a similar Chinese capability is needed to shift the balance and avoid one-sided transparency.
How many vulnerabilities has Mythos found versus Tulongfeng?
According to respective company claims, Tulongfeng flagged 3,432 vulnerabilities across open-source, binary, and AI/agentic systems, trained on Qihoo 360’s 250,000-vulnerability database. Anthropic’s Claude Mythos Preview found over 23,000 findings across more than 1,000 open-source projects, with over 6,200 estimated as high or critical. Its Project Glasswing partners have identified more than 10,000 serious flaws to date.
What is Project Glasswing?
Project Glasswing is the taskforce of security partners, including Cisco and Palo Alto Networks, that has exclusive access to the full capabilities of Anthropic’s Mythos. It was launched to use the model for defensive vulnerability discovery at scale and to coordinate responsible disclosure of critical findings.
Will a Chinese Mythos-class model really arrive by 2027?
Tsinghua University professor Jie Tang, founder of Z.ai, estimated that a Chinese “Mythos” class model would arrive before Q1 2027. His organization recently shipped the well-received GLM-5.2 open-weight model, which has already shown competitive cybersecurity bug-finding performance, narrowing the gap with proprietary Western systems.
🤖
Is your business visible to AI assistants?

Run a free scan to see your AI Visibility Score, SEO rating, and local citation accuracy.

Check Your Score →

© 2026 List All rights reserved. Web Development - NewSunSEO.com