SAN FRANCISCO — A vulnerability-hunting artificial intelligence system built by 360, a leading Chinese cybersecurity company, has drawn international attention after a series of disclosures, placing the team among a small group of efforts staking out one of the most closely watched frontiers in cybersecurity: getting AI to find software flaws on its own.
By 360’s account, its system has cumulatively found close to 1,000 vulnerabilities across Microsoft Windows, Office, OpenClaw, Android and other domains — including a Windows kernel privilege-escalation flaw the company says lay dormant for nearly five years, and a critical-rated Office remote-code-execution flaw dormant for eight years that earned an acknowledgment from Microsoft’s Security Response Center. Findings reported to China’s national vulnerability databases carry CNNVD or CNVD identifiers, and 360 demonstrated related research at the DEFCON conference in Singapore. More recently, the company disclosed an automated audit of OpenClaw — a fast-growing open-source platform for AI “agents” — and ten derivative products, reporting 23 flaws.
The Chinese team’s work enters a field whose visibility has risen sharply this year. Anthropic’s Claude Mythos, released in April, was described by the company as a frontier capability in vulnerability discovery and accompanied by an alliance of roughly 40 critical-infrastructure vendors granted an early window to patch flaws. Its launch put AI-driven vulnerability discovery on the agenda of governments and major industry players.
That two of the most prominent companies in their respective national tech sectors — Anthropic in the U.S., 360 in China — are now visibly committed to the same capability has clarified something: automated vulnerability discovery has become contested ground in the AI era.
The two leading companies, however, have made notably different bets on how to build it. Anthropic’s approach treats vulnerability discovery as a downstream result of general-purpose code comprehension and reasoning — capability expected to emerge as the foundation model grows more powerful. OpenAI’s GPT-5.5-cyber follows the same logic.
360 has taken what it describes as an “agent cluster” route — combining expert knowledge, large-model reasoning and automated execution. Its most distinctive element is the security-domain knowledge layer: years of frontline offensive-and-defensive work, with techniques from past vulnerability research distilled into trainable form, injected as engineered priors rather than left to emerge from the foundation model.
The capability now being contested — automatically discovering vulnerabilities in software, hardware and AI infrastructure itself — is potent enough that some specialists have begun calling it a strategic weapon of the AI era. In a domain governments now treat as foundational to AI-era national security, the architecture chosen at the frontier shapes more than products. It shapes the rules of contest in cyberspace itself.
Company Name: 360 Group
Contact Person: Tequire
Email: anfu-b@360.cn
City: Beijing
Website:https://360.net/
