As of 2026-07-05T22:36:15Z UTC, the cleanest way to read China's newest cyber-agent story is not "has 360 matched Anthropic's Mythos?" It is: what would count as evidence if a vulnerability-discovery agent, a defensive response agent, and a long-horizon coding model all start moving toward the same security workflow?
On 2026-06-24, 360 published the full text of Zhou Hongyi's ISC.AI 2026 speech, where he introduced two AI-security capabilities: Tulongfeng for automated vulnerability discovery and Yitianzhen for automated cyber defense and incident response. The same post also announced a Panshi Shield collaboration plan with chip, operating-system, database, cloud, large-model, compute, and security partners.[1] Secondary English-language coverage framed the launch as China's answer to Mythos, while also warning that the strongest capability claims remain difficult to verify from outside the company.[4][5]
That makes this a benchmark note rather than a launch-note recap. The useful question is not whether a conference slogan sounds forceful. The useful question is whether the claimed capability survives an evaluation boundary: target provenance, vulnerability confirmation, exploit stage, tool budget, prompt budget, false-positive rate, and the handoff from discovery into remediation or defense.
Image context: the cover is a real photograph from the 360 Community ISC.AI 2026 speech post. It is not a diagram, chart, generated visual, or abstract cybersecurity illustration.[1]
What Changed
The new public artifact is not an open benchmark. It is a vendor launch with a detailed strategic speech attached. Zhou described Tulongfeng as 360's "Chinese Mythos" route and said the company was not simply trying to win with one giant base model. The proposed stack combines model capability, security expertise, vulnerability knowledge bases, agent tooling, and multi-agent coordination.[1]
The numbers are attention-grabbing: 360 says Tulongfeng has found 3,432 vulnerabilities, including 105 confirmed by regulators, with several classified as high-risk by national vulnerability databases.[1] TechRadar repeated those figures and added the important caveat that the model capabilities cannot be independently verified from the outside.[5] SC Media's brief similarly summarized the launch as a two-agent system, with Tulongfeng aimed at vulnerability discovery and Yitianzhen aimed at defense and incident response.[4]
The stronger China-AI signal is the architecture claim. 360 is arguing that a domestic cyber-agent system can compensate for a base-model gap by turning twenty years of security operations, vulnerability submissions, security data, expert workflow, and agent orchestration into a specialized system.[1] That is a familiar China-AI pattern: when the frontier model race is uncertain, product teams try to win in data, workflow, vertical tools, and deployment partnerships.
The Benchmark Boundary
The reason to be cautious is that "found vulnerabilities" is not a benchmark by itself. A vulnerability-discovery claim becomes decision-grade only when readers know the target corpus, whether targets were public or private, whether training data overlapped with test targets, how duplicates were handled, what counted as confirmation, and whether exploitability was demonstrated in a controlled environment.
AgentCyberRange shows what a stricter frame looks like. The arXiv paper introduces an open cyber-range evaluation with 110 vulnerabilities, 15 real web applications, eight enterprise-like ranges, and 156 internal hosts. It separates web exploitation from post-exploitation, evaluates six frontier AI systems under matched prompts and budgets, and reports outcomes with and without concrete hints.[3] That does not make AgentCyberRange the final word on cyber agents. It does show the kind of evaluation container needed before claims about autonomy, exploitation, and internal compromise become comparable.
This boundary matters for Tulongfeng because vulnerability discovery is a staged process. Finding a suspicious code path is not the same as producing a reliable proof of exploitability. Producing a proof of exploitability is not the same as weaponizing a chain. Weaponizing a chain is not the same as responsibly triaging, reporting, patching, and monitoring the exposure window. A benchmark should say which stage was measured.
It also matters for Yitianzhen. Automated defense is harder to summarize in one headline number because the value may come from triage compression, containment speed, alert correlation, patch prioritization, rollback discipline, or human approval quality. If the defensive agent is real, the strongest evidence will not be a claim that it is "a team." It will be incident-replay results: how often it found the right root cause, how often it avoided destructive actions, how quickly it created a validated containment plan, and how clearly it handed work to human operators.
Why GLM-5.2 Belongs In The Same Note
Z.ai's GLM-5.2 is not a cyber model in the same narrow sense, but it belongs in the evaluation picture because cyber-agent work is increasingly long-horizon engineering work. Z.ai's official documentation frames GLM-5.2 around a usable 1M-token context window, project-scale engineering context, stronger long-task execution, function calling, structured output, and long-horizon coding benchmarks.[2]
Those capabilities are adjacent to cyber operations. A vulnerability agent has to read large codebases, preserve architectural constraints, call tools, inspect logs, reason across files, generate tests or proofs, and avoid losing track of earlier evidence. A defensive agent has to keep a timeline, parse noisy signals, remember permissions, and execute steps in an auditable sequence. Long context and agentic coding do not prove cyber competence, but they make the evaluation problem more urgent because the models can now remain inside complex workflows longer.[2]
That is the connection between the Chinese base-model story and 360's vertical-agent story. A general model such as GLM-5.2 pushes the ceiling for long-horizon coding and tool use. A security company then tries to wrap that kind of capability in domain data, exploit knowledge, sandboxing, and operational workflow. The result should not be judged as a chatbot. It should be judged as a controlled security system.
How To Read The 3,432 Claim
The 3,432-vulnerability figure is best treated as directional until the distribution is visible. The number would mean different things depending on whether it includes open-source packages, proprietary partner code, binary targets, known-vulnerable training fixtures, internally reproduced bugs, or regulator-confirmed submissions. It would also mean different things depending on severity distribution, duplicate handling, time to confirmation, and false-positive attrition.
The 105 regulator-confirmed figure is more meaningful because it points to an external confirmation path, but even there the missing denominators matter. A high-quality release would separate submitted, accepted, rejected, duplicate, high-risk, patched, and publicly disclosed findings. It would also show the median time from agent report to human validation and from validation to remediation. Without those denominators, the number signals seriousness but not yet reproducibility.
The more interesting claim is 360's multi-agent engineering stance. The speech describes an approach in which agents divide the work, model threats, inspect attack surfaces, follow cross-file data flows, generate exploit code, build sandboxes, and then test whether the issue is confirmed rather than merely suspected.[1] If that workflow is implemented with strong containment and audit logs, it could be useful even before it reaches frontier-lab parity. If it is mostly a narrative around ordinary scanning plus model-generated explanations, the benchmark gap will show up quickly.
What Would Make It Decision-Grade
The first requirement is a reproducible range. A credible public evaluation would test the system on a corpus with hidden targets, documented provenance, no training overlap, and both source-code and binary tasks. It should report the exact tool environment, model versions, prompt budgets, runtime limits, hint policy, and human intervention rules. AgentCyberRange is useful here less as a rival leaderboard than as a template for making offensive stages separable and inspectable.[3]
The second requirement is confirmation discipline. For vulnerability discovery, the key metric is not "issues found" but "confirmed exploitable findings per unit of time and compute, after duplicate and false-positive removal." For defense, the key metric is not "alerts processed" but "validated incidents resolved or contained under a clear human-approval model." The important unit is workflow reliability.
The third requirement is safety accounting. Cyber-agent evaluations should state what the system is allowed to do, what it is prevented from doing, whether exploit generation is sandboxed, how secrets are handled, how logs are retained, and how reports move into coordinated disclosure. A model that can discover vulnerabilities but cannot be governed is a liability, not a product.
The fourth requirement is comparative clarity. If 360 wants the Mythos comparison to be more than rhetoric, it needs a shared task definition or at least a transparent reason why the task definitions differ. Otherwise "Chinese Mythos" is a positioning phrase, while "found confirmed vulnerabilities under this range, budget, and disclosure process" is an evaluable claim.
What To Watch
Watch for whether 360 publishes audited case studies with enough detail for external reviewers to distinguish novel findings from re-detections. Watch whether Chinese vulnerability databases, regulators, or major software vendors attach public acknowledgments to specific Tulongfeng-originated reports. Watch whether Yitianzhen gets measured through incident-replay exercises instead of demo scenes. And watch whether Chinese model labs make long-horizon code models easier to plug into constrained security environments without turning every security task into a general-purpose agent free-for-all.
The falsifier is straightforward. If the public record stays at conference slides, vendor summaries, and uninspectable totals, then this is a strong market signal but not a benchmark result. If independent ranges, regulator-confirmed reports, vendor acknowledgments, and incident-replay metrics begin to line up, then the story changes: China's cyber-agent race will have moved from parity slogans toward auditable security automation.
For now, the right conclusion is neither dismissal nor hype. Tulongfeng and Yitianzhen matter because they show where Chinese AI-security companies want the race to move: from single-model intelligence toward engineered agent systems. The evidence bar should move with them.
Sources
- 360 Community, "ISC.AI 2026 周鸿祎演讲全文:打造中国版'Mythos',应对网络安全新挑战" (June 24, 2026; official speech text, launch framing for Tulongfeng and Yitianzhen, Panshi Shield plan, and source page for the article image).
- Z.ai Developer Documentation, "GLM-5.2" (official model overview; 1M context, long-horizon engineering positioning, function calling, structured output, and coding benchmark claims).
- Fengyu Liu et al., "AgentCyberRange: Benchmarking Frontier AI Systems in Realistic Cyber Ranges," arXiv:2606.14295 (submitted June 12, 2026; cyber-range design, task stages, target counts, prompts, budgets, and reported agent results).
- SC Media, "China's 360 Security Technology unveils AI models for vulnerability discovery" (brief secondary report on Yitian Tulong, Tulongfeng, Yitianzhen, the vulnerability figures, and the 20-30% base-model gap framing).
- TechRadar, "Chinese cybersecurity company 360 unveils 'China's version of Mythos', and Yitianzhen, to automate cyber defense" (June 25, 2026; secondary report on the ISC.AI 2026 launch, claimed findings, and verification caveat).