The cyber arms race just went autonomous, and China's biggest security firm isn't waiting for permission.
The Summary
- 360 Security Group is deploying AI to hunt zero-day vulnerabilities in commercial software, directly competing with Anthropic's approach
- This mirrors the capabilities OpenAI demonstrated with Mythos, the AI that found vulnerabilities faster than human researchers
- The shift from human-led to agent-led vulnerability discovery changes the economics and speed of both defense and offense in cybersecurity
The Signal
360 Security Group, China's largest cybersecurity firm with over 500 million users, is now using AI agents to autonomously discover software vulnerabilities. This isn't a research project. It's a production system scanning real commercial applications for exploitable flaws.
The company is positioning this as a direct answer to Anthropic's security research capabilities and OpenAI's Mythos demonstration. For context: when OpenAI unveiled Mythos in early 2025, the model found real zero-day vulnerabilities in widely deployed software within hours, a process that typically takes human security researchers weeks or months.
"The vulnerability discovery game just shifted from asymmetric to algorithmic."
What makes this significant isn't just that China has matched Western AI capabilities in another domain. It's what happens when both sides have agents that can find flaws faster than patches can ship. The traditional responsible disclosure timeline assumes human speed: researcher finds bug, reports it privately, vendor has 90 days to patch, public disclosure follows.
That timeline collapses when agents are hunting. If 360's AI finds a flaw on Tuesday, how many other AIs found it on Monday? The window between discovery and exploitation shrinks to hours, maybe minutes.
Key dynamics in play:
- Human security researchers typically find 1-3 vulnerabilities per month in targeted software
- AI agents can scan orders of magnitude more code, faster, with consistent attention
- Defense (patching) has always lagged offense (exploiting), and AI widens that gap
This also changes the market structure of cybersecurity. Bug bounties, penetration testing firms, and security consulting have all been built on human scarcity. When 360 can deploy agents that work 24/7 across their entire client base, the unit economics shift dramatically. They're not selling hours. They're selling compute and model access.
The geopolitical layer matters too. 360 has deep ties to the Chinese government. It's the same firm that built China's national cybersecurity monitoring infrastructure. An AI that finds vulnerabilities in Western software isn't just a product feature; it's a strategic asset. The same capability that helps clients patch their systems can be pointed outward.
The Implication
If you're building software, assume AI agents are already probing it for weaknesses. The days of "security through obscurity" or slow patch cycles are over. Your security posture now needs to match AI speed, which likely means deploying your own defensive agents.
For the agent economy, this is a preview. Autonomous agents doing high-value knowledge work at machine speed, competing directly with established human-led services. 360 isn't the last company to make this shift. Every domain with a search problem, pattern recognition, or systematic exploration is next.