When vulnerabilities are being repriced by AI, 360 wants to create a Chinese version of Mythos

Traditional cybersecurity is being repriced by AI. In the past, vulnerability discovery was highly dependent on human labor. Top-level hackers, prolonged code analysis, and scarce zero-day vulnerabilities collectively supported the commercial value of security companies.

But at the 14th Internet Security Conference, 360 Group founder Zhou Hongyi offered a more direct warning: “In the end, it probably won’t be our competitors who take us down, but rather strangers breaking into this industry.” The “strangers” he refers to are AI agents like Mythos from Anthropic. These AI systems are now capable of autonomously discovering vulnerabilities, analyzing them, and crafting attack code, imposing fresh pressure on traditional security defense systems. As vulnerability discovery becomes faster, more abundant, and cheaper, the expert experience- and hardware/software-heavy security model will be forced to adjust.

Facing this transformation, 360 has launched an automated vulnerability discovery agent called "Tulongfeng," with plans to release an automated defense system called “Yitian Array.”

Beyond offensive and defensive security itself, Zhou Hongyi also discussed changes in organizational structure for enterprises in the age of AI. In his view, enterprises deploying AI agents should not treat them as mere efficiency tools — more crucial is reorganizing employee experience, business processes, and organizational collaboration, or else they risk ending up in a dilemma of high Token consumption and low business return.

01 Vulnerability Deflation

For a long time, the cybersecurity industry’s business logic has been built on "vulnerabilities are hard to find, vulnerabilities are valuable." High-quality zero-day vulnerabilities can fetch millions or even tens of millions of dollars in the market, and their discovery has long relied on sustained manual analysis by top hackers. But AI is changing this.

Zhou Hongyi mentioned in his speech that Anthropic initially trained Mythos to address code security risks brought by AI-driven coding. The model later showed even greater capabilities: not only can it understand code logic, it can autonomously find vulnerabilities, analyze them, and construct attack software.

“The real reason is, I think, that the U.S. government sees not just a large model, but a new kind of national strategic capability,” Zhou defined its disruptive power as a qualitative shift in his speech, “my description is that it’s the nuclear weapon of the AI era.”

Zhou believes the impact of Mythos appears in four main aspects.

First is speed. In the past, transforming a high-value vulnerability from discovery into an attack weapon could take months or even years. Now, this process could be compressed into “N minutes or N hours.”

Second is volume. As long as computing power is sufficient, AI can simultaneously operate hundreds or thousands of agents, continuously searching open-source code and existing systems. Historical vulnerabilities hidden deep within code may be unearthed en masse.

Third is cost. AI-driven vulnerability discovery mainly consumes computing power. Zhou noted the average cost of finding a high-value vulnerability has dropped below $1,000. Compared with relying on elite hackers over the long term, this will directly reshape the price structure of the vulnerability market.

Fourth is the threshold. Once a top hacker’s expertise is distilled into an intelligent agent, it can be replicated at scale. Ordinary people with no programming skills may use such tools to generate attack code.

Zhou also mentioned that the U.S. has rallied tech giants like Google, Apple, and core allies to create the "Glasswing" alliance, allocating up to $100 million in Tokens to internally scan for vulnerabilities in key infrastructure, while Chinese companies have been excluded. This gives security issues a more geopolitical flavor.

In response to this risk, Zhou gave his own assessment: “If we can’t find effective countermeasures, China’s cybersecurity may face a second wave of unilateral transparency... It will no longer be a case of ‘hidden enemies and visible defenders’—it will become ‘fast enemies and slow defenders, many enemies and few defenders.’”

In his view, when competitors can use AI to mass-discover vulnerabilities, traditional defense systems relying on manual response will grow increasingly strained. China’s security industry cannot remain stuck in passive defense, but needs to quickly establish automated capabilities.

360’s response is to steer away from simply competing with base models, and turn toward an "Agent Harness System," transforming 20 years of offensive and defensive experience and big security data into a suite of collaborative security AI agents. Among these, the automated vulnerability discovery agent “Tulongfeng” has already found over 3,000 vulnerabilities. 360 also plans to release the automated defense system “Yitian Array,” aiming to connect vulnerability discovery, verification, patching, and defense responses into a more automated process.

“The only way out is to fight computing power with computing power, intelligence with intelligence, machine against machine, enabling China’s defense to shift from manpower to autopilot,” Zhou summarized.

At the same time, 360 and 20 key domestic digital infrastructure providers have launched the "Rock Shield" initiative, seeking to proactively establish a vulnerability screening mechanism for critical domestic software and hardware.

02 AI Drives Enterprise Organizational Restructuring

Beyond offensive and defensive security, Zhou also discussed how enterprises can use AI agents. He believes that many enterprises now view agents too much as tools, merely using them as smarter assistants for documentation, customer service, or code generation. But if you just give employees another AI tool, true intelligent transformation is hard to realize.

Zhou told media such as Wallstreetcn that agents must be highly customized internally, with the key being to extract “implicit knowledge.” “If you can’t distill employees’ implicit knowledge into skills and into agents, agents will never be able to really do their job within the company,” he said.

This implicit knowledge includes not just experienced staff’s handling of business, but also meeting minutes, records of communication, process rules, and exception handling methods. In other words, how deeply a company has digitized its processes and accumulated data will directly affect whether AI agents can really function in business operations.

Token cost is also becoming a practical issue for enterprises as they run the numbers. Zhou stated bluntly that due to uncertain security boundaries and the cost-effectiveness pressure of Token consumption, 360 chose not to connect to the Lobster model on its NanoWORK AI work platform. He believes that this kind of open-ended reasoning agent, if deployed in enterprise production environments, can easily cause excessive compute usage. Early-stage agents with open-ended reasoning might repeatedly try tools or get stuck in loops while performing tasks. Completing a goal might consume tens or even hundreds of millions of Tokens, with results that are not always stable.

More importantly, open-ended reasoning poses security risks. Zhou argues that putting open-ended reasoning agents into an enterprise’s internal network is extremely dangerous: “It will definitely create security issues, and those issues are unpredictable, because you don’t know what tools it’ll reason to use or what actions it’ll take.”

Therefore, due to cost and compliance pressures, the B2B market is more likely to shift toward workflow-based agents operating in restricted environments. These do not freely explore, but complete tasks within the set permissions, tools, and processes of the enterprise.

But Zhou thinks the hardest part of agents entering enterprises is not in code or tools, but in the organization itself. Many companies now push for AI transformation just to improve efficiency at individual roles. A product manager uses AI to write requirements, a front-end developer uses AI to design pages, a back-end developer uses AI to generate code. Each role’s efficiency appears to improve, but inter-departmental collaboration remains unchanged, and overall efficiency may not actually rise.

“Simply treating AI agent capabilities as point tools to improve spot efficiency, while leaving the enterprise’s organizational structure, job definitions, and business processes unchanged, is like putting the most advanced engine on a horse-drawn carriage—it just won’t work.” Zhou used this analogy in an interview to describe the current industry mismatch.

He believes what enterprises must do next is not just cultivate “super individuals,” but to build “super organizations.” As traditional software becomes underlying skills callable by agents, managers also need to learn to redefine roles, processes, and agent boundaries. This means that business leaders cannot simply assign tasks to AI, nor can they fully let AI act autonomously. The real challenge is to clarify business logic, define permissions, and design processes clearly, and then let agents continually operate within that framework.