AI finds 10,000 vulnerabilities. China is copying the models.

In May, Google’s Threat Intelligence Group confirmed the first known case of an AI system discovering and weaponising a zero-day exploit that was then deployed in the wild. A criminal actor used a frontier model to find a two-factor authentication bypass, build a working exploit, and use it before any defender knew the vulnerability existed.

That single incident compressed what used to take skilled hackers weeks into a process measured in hours. It is the clearest illustration yet of the dual-use problem at the heart of frontier AI: the same capabilities that let Anthropic’s Mythos find more than 10,000 high-severity vulnerabilities through Project Glasswing can, in the wrong hands, generate an equivalent number of exploits.

The defensive side

Project Glasswing is Anthropic’s showcase for what frontier models can do for cybersecurity defence. Since launch, Claude Mythos Preview has surfaced thousands of zero-day vulnerabilities across every major operating system and web browser, some of which had survived decades of human review. Anthropic has expanded the programme to approximately 150 organisations in more than 15 countries, including Samsung, SK Hynix, NATO, and the EU’s cybersecurity agency ENISA.

The bottleneck, as Anthropic has noted, has already shifted from finding vulnerabilities to patching them fast enough. That sounds like a success story. It is, until you consider that the same class of model is accessible, or soon will be, to adversaries who have no interest in patching anything.

The distillation problem

The White House released a policy memorandum in April accusing China of conducting “deliberate, industrial-scale campaigns” to extract frontier AI capabilities from American labs. Distillation does not require stealing model weights. A distiller feeds thousands of carefully constructed queries to a frontier model, collects the responses, and uses them to train a cheaper rival that approximates the original at a fraction of the cost.

Anthropic published evidence naming three Chinese laboratories. DeepSeek conducted more than 150,000 exchanges with Claude focused on foundational logic and alignment techniques. MiniMax generated over 13 million exchanges. Moonshot AI produced more than 3.4 million targeting agentic reasoning, coding, and computer vision. Across the three, Anthropic identified approximately 24,000 fraudulent accounts and 16 million total exchanges, using jailbreaking techniques and commercial proxy services to circumvent geofencing.

By early April, OpenAI, Anthropic, and Google had begun sharing distillation threat intelligence through the Frontier Model Forum. That three fierce competitors agreed to cooperate on anything is itself a measure of how seriously they take the threat.

The policy gap

On 2 June, Trump signed an executive order asking AI companies to voluntarily submit frontier models for government cybersecurity testing up to 30 days before public release. The order was originally drafted with a 90-day window, but the White House pulled it in May over concerns it would blunt US competitiveness against China, then cut the period to 30 days in the final version.

The word “voluntarily” is the operative constraint. No company is legally required to participate. The order gives the government no power to block a release. It is, by admission of multiple officials, the closest thing the United States has to an AI oversight system, and it was weakened before it was signed.

Meanwhile, Anthropic has embedded approximately six engineers inside the NSA to adapt Mythos for operational applications, according to reporting from TechTimes. Sources familiar with the arrangement said the model could be used for offensive cyber operations targeting networks in countries including China and Iran. The same company that found 10,000 defensive vulnerabilities is reportedly helping the US government use the same technology offensively.

The race nobody can win cleanly

The structural problem is clear. US frontier models are the best in the world at finding software vulnerabilities. Chinese labs are distilling those same capabilities, months behind but closing. If the US restricts access to protect the models, it slows diffusion of defensive tools to allies. If it does not restrict access, it accelerates the transfer of offensive capabilities to adversaries.

Anthropic says it does not plan to make Mythos generally available until cybersecurity safeguards can detect and block the model’s most dangerous outputs. But those safeguards do not yet exist. And as the Google incident demonstrated, criminal actors are already using frontier-class models to develop exploits in the wild, without waiting for anyone’s permission.

The AI cybersecurity arms race is not a future scenario. It is the present operating environment. The question is whether governance can keep pace with a technology that finds vulnerabilities faster than institutions can patch them, regulate them, or even agree on who should have access.