Wednesday, July 1, 2026

The Complete Machine: When Cyber Capability Moves Off the Model

Zhou Hongyi stood at ISC.AI 2026 in Beijing this week and made a claim that should reorganize how people think about frontier AI export controls. His company, the sanctioned cybersecurity firm Qihoo 360, has built a vulnerability-discovery system it calls Tulongfeng, and Zhou positioned it as China’s answer to Anthropic’s Mythos. The headline writes itself as an arms-race story. The substance is something more specific, and it lives in how the system is built.

An earlier paper in this series, “The Operational Layer Goes Dark,” argued that the layer where models are combined with data and tooling into working systems is the layer where sovereignty is actually won or lost, and that this layer is the one Canadian policy sees least clearly. That paper made the case structurally, from how agentic systems are assembled. Tulongfeng is the same case made from the other side of the board. It is a foreign adversary, under hardware sanction, demonstrating that the operational layer is load-bearing by building strategic capability on it after the model layer was closed to him.

What Qihoo actually built

Zhou was direct about the design choice. He told the conference that China should not try to replicate the path Western labs took, which he characterized as the strongest model, the strongest computing power, and the strongest chips. That path runs through hardware China cannot reliably buy. So Qihoo took a different route. Tulongfeng is a multi-agent platform that combines several AI models with the company’s two decades of accumulated security expertise, vulnerability databases, and automated tooling, with different agents collaborating on discovery and analysis. His own framing carried the argument. If Mythos is a top-end chip, what Qihoo built is a complete machine that runs continuously and makes fewer mistakes. If the American route is to cultivate a genius hacker, the Qihoo route is to organize a professional attack-and-defense team.

The capability claim attached to this is large and unverified. Qihoo says Tulongfeng has surfaced 3,432 software vulnerabilities, 105 of them confirmed by Chinese authorities. The company has published no technical evidence, and Reuters could not independently confirm the figures. Hold the number loosely. The architecture is the part that survives even if the count does not.

Where the capability sits

Tulongfeng raises a structural question. Mythos represents one theory of where vulnerability-discovery capability comes from: a single very strong model, trained at the frontier, doing the reasoning end to end. Tulongfeng represents a competing theory. It says the model is one component, and that a system of moderate models coordinated against a deep corpus of security knowledge and tooling can approach the same output on a narrow task.

These are different bets, and the difference reaches far beyond Qihoo. The frontier-model theory locates capability in the weights. The agentic theory distributes it across the weights plus the orchestration plus the data plus the tools, and holds that the orchestration can carry weight the model lacks. On a bounded, well-specified task like finding software flaws, the second theory is more plausible than it sounds. Vulnerability discovery decomposes well. It rewards breadth, persistence, and the ability to chain many narrow checks, which is what a coordinated agent system supplies and what a tired human researcher does not.

This is testable in a way the rhetoric is not. The question is not whether Tulongfeng matches Mythos in some abstract sense. It is how much of the gap between a weaker model and a frontier model closes when the weaker model is wrapped in enough scaffolding, and on which classes of task that closure holds. Qihoo is running that experiment in public, with strong motivation to find the answer, because the answer determines whether chip denial actually denies the capability.

What export controls were aimed at

The architecture collides with policy here. The United States ordered Anthropic to suspend exports of a less powerful version of Mythos this month, citing national security. The logic of that order, and of the broader chip-control regime running since 2022, rests on an assumption: that the decisive capability lives at the frontier model layer, and that controlling access to the most advanced models and the chips that train them controls access to the capability itself.

Tulongfeng is an argument that the assumption is incomplete. If a sanctioned firm with constrained hardware can recover a usable fraction of frontier vulnerability-discovery capability by reorganizing the system around the model rather than scaling the model, then the control is aimed at one layer while the capability has partly relocated to another. The chip restriction still bites. It still slows frontier training, and the gap between Chinese and American models, while narrowing, remains real. What the restriction does not obviously do is prevent the assembly of a working offensive-security system out of available parts.

Zhou understands this and said so in the language of deterrence. He called Mythos a cyber nuclear weapon and warned that without an equivalent, China faces what he termed a second era of unilateral transparency, a state where its systems are legible to an adversary’s tools while it lacks the same reach. Read past the theatrics and the operational claim is sober. Vulnerability-discovery capability is becoming a strategic asset, and the asset can be built rather than only bought.

Governing a loop, not a box

This is where the Qihoo announcement stops being a foreign news item and becomes a sovereignty question with direct relevance to Canada. The dependency frameworks most governments use to reason about AI risk still treat the model as the unit of analysis. Which model, trained where, owned by whom, governed under whose law. That framing fit when capability was concentrated in the weights. Tulongfeng is evidence that for at least one strategically significant task, capability has spread into the operational layer, the orchestration and tooling and accumulated domain data that sit around the model and turn it into a system.

The operational layer is harder to see, harder to govern, and harder to control at the border. A frontier model has a name, an owner, and a jurisdiction. An agent platform assembled from several models, a proprietary vulnerability corpus, and twenty years of in-house tooling has none of those clean handles. It is the difference between governing a box and governing a loop. Export control is a box instrument. The capability Zhou described is a loop.

For Canadian policy this lands on a familiar gap. A sovereignty posture built around model access, around who can use which frontier system under what license, addresses a layer that is becoming less decisive for certain capabilities. The layer that is becoming more decisive, the operational stack where models are combined with data and tools into working systems, is the layer Canadian policy has paid the least attention to. The earlier paper in this series argued that point from how the systems are built. Qihoo has now demonstrated it from the field, on a strategically loaded task, by showing that the operational layer can substitute for frontier access. That demonstration is the part worth tracking, whether or not 3,432 holds.

The arms-race story will take the coverage. The architecture is the lesson, and it points at the layer most sovereignty frameworks still leave dark.

Jen Evans is Principal, Pattern Pulse AI and co-founder, Tech Reset Canada.

Jennifer Evans (https://www.b2bnn.com)
Principal, patternpulse.ai, and cofounder, Tech Reset Canada. AI policy, research and analysis. Entrepreneur since 2002, marketer since 1998, machine learning since 2009. Based in Toronto and Southeast Asia.