Qihoo 360 says its vulnerability discovery tool surpasses a closed, partner only model Anthropic uses to find software flaws. The keynote stage claim lands against a baseline that itself shipped a new version three weeks ago, with no independent benchmark yet to verify it.
Qihoo 360, one of China's largest cybersecurity vendors, used an ISC.AI keynote in late June to claim its artificial intelligence bug-finder outperforms Anthropic's Claude Mythos, a partner-only vulnerability discovery model that has driven much of the recent AI security conversation. The company's founder, Zhou Hongyi, framed the tool as a "Chinese version of Mythos" and said it had surpassed Anthropic's results on undisclosed benchmarks. The claim came from a stage, not a paper, and it landed against a baseline that itself moved three weeks earlier.
That asymmetry is the story. Anthropic has never publicly released Mythos. Access is restricted to a small set of partners under Project Glasswing and to the UK AI Safety Institute for evaluation. The result is a competitive claim that cannot, by construction, be reproduced by an outside researcher. The vendor with the most incentive to win the comparison is also the only one who can run it.
For context, Claude Mythos is Anthropic's internal designation for a frontier model trained to surface memory-corruption, logic, and design flaws in large codebases. Anthropic's published Glasswing figures put Mythos at 83.1% on CyberGym, against 66.6% for Claude Opus 4.6, and at 181 confirmed exploits in the Firefox JavaScript engine, where Opus 4.6 found two. Over its first month, Glasswing partners reported 10,000-plus high or critical vulnerabilities across systemically important code, including 2,000 bugs at Cloudflare and 271 vulnerabilities in Firefox 150, roughly ten times the rate in Firefox 148. Mythos also assisted in the discovery of SquidBleed, a memory leak in the Squid proxy whose vulnerable code path dates to a 1997 NetWare FTP directory listing parser, and previously surfaced a 27-year OpenBSD TCP SACK bug and a 17-year FreeBSD NFS remote code execution flaw. These are the numbers any "better than Mythos" claim has to clear, and the numbers no independent party can rerun.
The comparison 360 is invoking is also a moving target. Mythos 5 and Fable 5 were announced in June 2026, with Fable 5 available on Anthropic's public API and Mythos 5 replacing Mythos Preview for Glasswing partners. Any benchmark 360 ran internally against Mythos Preview is now, in marketing terms at least, a comparison to last month's model. Whether 360's numbers reflect Mythos 5 or its predecessor is not yet public. The Chinese-language report on Zhou's keynote, carried by Sina, provides product framing and color but does not publish a methodology a third party could reproduce.
The structural problem is not unique to 360. AI bug-hunting tools are routinely evaluated on benchmarks the vendor itself selects, against versions of the competing model the public cannot access, in conditions the vendor can adjust. Independent analyst Natto Thoughts has argued that Chinese vendors have closed ground on the public cybersecurity AI stack but remain several model generations behind on closed, partner-only systems. SecurityWeek and Yahoo Tech have both carried 360's announcement. No independent researcher has yet published a head-to-head test.
What would move the claim from announcement to news is a short, well-defined list of artifacts: a reproducible benchmark against a publicly named Mythos version, a CVE-class discovery attributable to the tool, a customer deployment in which a security team credits 360's system with finding a flaw in production code, or a peer-reviewed paper on methodology. None of those have appeared. Until they do, defenders evaluating AI bug-hunters for procurement should treat "better than Mythos" the same way they would treat any closed-system superlative: as a marketing claim against a moving, unverifiable target.
The watch item is concrete. It is the next CVE of comparable severity to SquidBleed that an outside lab attributes to a Chinese AI bug-hunting tool, and the first time an independent party publishes a reproducible head-to-head.