In brief

  • 360 founder Zhou Hongyi unveiled "Tulong Feng" at ISC.AI 2026, claiming it is China's answer to Anthropic's Mythos.
  • Z.ai's GLM-5.2, released the week Anthropic's models went dark, scored higher than Claude Code on a key vulnerability detection benchmark at roughly $0.17 per finding.
  • Both moves come as Anthropic continues negotiating with the Commerce Department over reinstating access to Mythos 5 and Fable 5.

The U.S. restricted Anthropic’s cybersecurity AI model Claude Mythos behind export controls and a vetted coalition. China held a conference and announced it already has something like it—then a separate company uploaded a near-equivalent to the internet for free.

Qihoo 360 founder Zhou Hongyi took the stage at ISC.AI 2026 in Beijing on June 24 and delivered a direct message: "China's cybersecurity industry must have its own Mythos." He unveiled Tulong Feng—an AI vulnerability agent 360 is calling China's version—alongside Yitian Zhen, an automated defense platform, and a new domestic security coalition named "Panshi Zhidun," or Shield of Bedrock.

Zhou's framing was pointed. Mythos amounts to "cyber nuclear weapons" in the AI age—an autonomous system that can find vulnerabilities, analyze them, and build attack chains without human direction. "U.S. organizations can use Mythos to scan your vulnerabilities, but you don't even have the right to look at Mythos," he said. Chinese companies are excluded from Glasswing, Anthropic's vetted partner program that includes Microsoft, Apple, and other tech giants.

According to Zhou's claims, Tulong Feng has found a cumulative 3,432 vulnerabilities, with 105 confirmed by Chinese regulatory bodies and several flagged as high-severity by the national vulnerability database. Zhou claimed the agent-first route—coordinating specialized models rather than betting on a single frontier system—offsets whatever base-model gap still exists. "America has Mythos," he told the audience. "China also has its own 'Heaven-Sword Dragon-Saber.'"

Beijing-based Z.ai made a different argument by releasing one. The lab, also known as Zhipu AI, dropped GLM-5.2 shortly after the U.S. government pulled Mythos 5 and Fable 5 offline for foreign nationals. GLM-5.2 runs under an MIT license—no subscription gates, no geographic restrictions, freely modifiable by anyone.

The cybersecurity numbers were notable. Semgrep's evaluation of insecure direct object reference detection—a test measuring whether a model can spot unauthorized object access flaws in code, scored via the F1 metric that balances precision against recall—put GLM-5.2 at 39%, ahead of Claude Code in the same test.

A separate Graphistry evaluation found it matched Claude Opus 4.8 on a capture-the-flag challenge. Cost per finding: around $0.17, versus over $1 for Claude-based workflows.

Z.ai co-founder Tang Jie called Anthropic's withdrawal "deeply regrettable." The company's technical lead Qinkai Zheng was more blunt: "We want the model accessible to everyone." When Elon Musk predicted China wouldn't match Fable-level capability until Q1 2027, Tang replied: "Won't take that long."
