Start your day with intelligence. Get The OODA Daily Pulse.

Home > Analysis > OODA Original > Security and Resiliency > China’s Mythos Moment: Why the AI Arms Race Favors Cyber Offense

China’s Mythos Moment: Why the AI Arms Race Favors Cyber Offense

Anthropic’s Mythos arrival earlier this year was a turning point in cybersecurity. Rather than being a tool that helps analysts, the model demonstrated the ability to autonomously identify software vulnerabilities at machine speed, forcing policymakers to view artificial intelligence (AI) as a strategic national security capability rather than just a commercial tool. Unsurprisingly, as with most things the United States does, Beijing has responded. Chinese cybersecurity company 360 Security Technology recently revealed Tulongfeng, largely regarded as China’s answer to Mythos, alongside Yitianzhen, an AI system designed to automate cyber defense and incident response. The announcement underscores that the AI race is rapidly becoming a cyber arms race, where offensive capability, and not defensive resilience, will increasingly define national power.

Beijing’s promotion of this competing capability is not a surprise. Throughout history, nation states have rarely been able to keep strategic technologies exclusively to themselves for long. History is full of examples ranging from nuclear weapon development, satellite reconnaissance, precision-guided munitions, and now with offensive cyber capabilities. Once one nation demonstrates a new capability, geopolitical competitors inevitably seek to follow suit, investing to close the gap. AI capable of autonomously discovering software vulnerabilities now is a part of that category.

Chinese officials have done little to hide their thoughts on the subject. During the ISC.AI 2026 conference, 360’s founder characterized Mythos as a “cyber nuclear weapon,” arguing that China could not allow such a capability to remain solely in American hands. He warned that without an equivalent system, Chinese networks would face what he described as “one-way transparency,” where U.S. organizations could use advanced AI to discover vulnerabilities in Chinese infrastructure while China lacked comparable capabilities as a counterbalance.

On the surface, both Washington and Beijing advocate these systems as defensive technologies. Mythos was introduced under Anthropic’s Project Glasswing initiative to help trusted organizations identify vulnerabilities before adversaries exploit them. Likewise, 360 describes Tulongfeng as a platform for vulnerability discovery while positioning Yitianzhen as an automated defensive assistant. However, history has shown that advanced vulnerability discovery overwhelmingly benefits offensive cyber operations. Organizations routinely struggle to remediate known vulnerabilities because of resource limitations, operational constraints, legacy systems, and competing business priorities. The cybersecurity industry already produces millions of vulnerability alerts. Just because another AI tool can find more weaknesses does not automatically produce more security.

Conversely, offensive operators do not face the same limitations.

For intelligence and military agencies, every newly discovered vulnerability represents another potential attack vector to conduct espionage, establish persistence on a compromised target, and cause disruption or sabotage. Unlike defenders, who must patch every critical weakness, attackers need to exploit only one to accomplish their objectives. AI changes the game by speeding up the research phase because tasks that used to take a lot of time and specialized knowledge can now be done much faster.

It is evident why AI’s ability to find vulnerabilities before any other government is a strategic necessity.  Zero-day vulnerabilities have long been among the most valuable assets in cyberspace. Nation-states routinely invest enormous resources developing or acquiring previously unknown vulnerabilities because they provide covert access into adversary systems. AI shortens this time achieving not only greater efficiency but also expanding the opportunity to conduct offensive operations across an environment.

China clearly recognizes this reality.

Notably, Chinese company 360 claimed that its AI had already identified more than 3,400 software vulnerabilities, with over 100 of them validated by Chinese authorities. Notwithstanding if those numbers can be independently verified, the message is significant, as Beijing appears to be signaling that autonomous vulnerability discovery is now viewed as a national capability worthy of state investment. What’s more, the implications extend well beyond vulnerability discovery.

Once AI systems become capable of autonomously identifying weaknesses, it is only a small step toward using those discoveries to engage in exploit development. There is the real possibility that future models will evolve and start to generate proof-of-concept exploits, evaluate exploit reliability, list potential attacks, and ultimately orchestrate start-to-finish cyber operations. The human element in this chain will increasingly be in a supervisory capacity rather than an in-the-trenches operator, fundamentally changing how offensive cyber operations are conducted.

To put this into context, traditional advanced persistent threat (APT) campaigns have often required substantial personnel resources involved in malware development, exploit research, reconnaissance specialists, linguists, and planners collaborating, sometimes over great periods of time. Agentic AI condenses and automates many of these workflow disciplines into continuous operations. In this way, AI multiplies the effectiveness of cyber organizations and their processes.

With respect to defensive side of the house, while AI can certainly expedite vulnerability identification, security teams will still be required at least for now to prioritize these findings, validate exploitability, and coordinate their remediation efforts across several different business units while minimizing operational disruption (such tasks include monitoring for active exploitation and patch testing). At present, it’s difficult to fully automate these activities because they involve risk management as well as technical analysis. AI may get there eventually to cover these, but it’s not there right now. AI shortens the offensive decision cycle far more than the defensive one. This has important implications when it comes to governments jockeying for strategic advantage.

The United States has tried to restrict access to advanced cybersecurity models such as Mythos because policymakers recognize their potential military significance. Export controls, limited deployment, and trusted-partner programs acknowledge that AI has become dual-use technology with profound national security implications. China’s fast development of competing capabilities demonstrates that technological restrictions may slow progress but will unlikely prevent it forever.

Based on current observations, there is every reason to expect that future operations will maximize AI’s capabilities and autonomously combine all facets of a cyber operation from target selection, reconnaissance, generated custom social engineering, exploit development, attack execution, and adaptive defense response, all at machine speed. Once this is achieved, the line separating offensive cyber activities and autonomous warfare begins to blur. As always, this puts network defenders at a great disadvantage.

China’s development of a Mythos competitor is more likely the beginning of strategic AI competition between Beijing and Moscow where automatous vulnerability discovery has kicked off the race. While governments will undoubtedly emphasize AI’s defensive potential, those looking toward the future will overwhelmingly favor offensive innovation because offensive cyber operations generate strategic intelligence, military advantage, and geopolitical leverage critical to maintain global influence. Therefore, over the next several years, we should expect leading nation-states to invest aggressively in creating increasingly autonomous cyber campaigns in order to increase their speed and effectiveness in the domain. For the foreseeable future, the countries that master AI-enabled offensive cyber operations will shape the future balance of power in cyberspace long before defensive capabilities can catch up.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.