Cato CTRL Threat Brief: AI, Zero-Days, and the US-China Cyber Arms Race

TL;DR

Underlying the US–China AI race, there’s arguably a more sinister arms race—the race to identify zero-day threats. Frontier AI algorithms, such as Anthropic Mythos (here) and China’s Qihoo 360 (here), are compressing the zero-day discovery cycle. But how those discoveries are gathered and shared among cooperating entities is giving China significant defensive and offensive advantages.

Executive Summary

If your 2026 threat model still treats vulnerability discovery as the attacker’s bottleneck, the budget you set for Q3 patch operations was sized against last year’s economics.

Anthropic’s Claude Mythos Preview hit tier-5 control-flow hijack ten times on fully patched targets, including a 27-year-old OpenBSD TCP SACK bug, on a sweep that cost under $20,000. Tier 5 means the model isn’t just crashing the program; it’s controlling where the program goes next.

To make matters worse, days later, China’s Qihoo 360 (aka 360 Security Technology Inc., a major Chinese security company) publicly claimed close to 1,000 previously unknown vulnerabilities. The 10x increase in vulnerabilities was due to a state-controlled pipeline that routes every finding to the Ministry of Industry and Information Technology (MIIT) within 48 hours.

It’s this pipeline that’s so essential. It provides Chinese companies and nation-state actors access to zero-days for defensive and offensive purposes in a far more structured way than their US counterparts. It is effectively a digital “arms race,” and one that the US isn’t winning today. As a result, enterprises will need to change what happens on Monday morning for their patch program and pre-auth attack surface.

Note: Cato customers are protected against the exploitation patterns covered in this brief through Cato capabilities Cato Dynamic Prevention, Cato Managed IPS, network segmentation, as well as threat hunting through Cato Managed Detection and Response (MDR) service (see details below). Cato is also part of OpenAI’s Trusted Access for Cyber (TAC) to advance AI-driven defense.

2026 Cato CTRL™ Threat Report | Download the report

The Discovery Side: What AI Actually Changed

In the digital arms race, nation-states are fighting to uncover zero-day vulnerabilities first. The battlefield is the cyber. Those who hold the zero-day have a strategic advantage in breaching enemy systems. The zero-day disclosure process is part of this cyber arms race. It is defined by two stages: how you identify zero days and how you collect and report them.

AI has permanently changed the discovery of zero days. For most of the last two decades, finding a serious memory-corruption bug in mature software was a senior-engineer problem. It took weeks of full-time work, a deep mental model of the target, and a tolerance for staring at code that almost certainly contained no bugs. That’s why FFmpeg, OpenBSD, and FreeBSD shipped with bugs that were up to 27 years old. The haystack was big, and the needles were small.

AI has changed all of that. The economic constraint of paying for weeks of senior-engineer time is no longer the limiting factor.

Mythos: From “Can it find bugs?” to “How many can it write exploits for?”

Anthropic’s Project Glasswing write-up is worth reading in full, but the part that matters for a CISO is the benchmark gap. Across ~7,000 entry points into ~1,000 open-source projects from the OSS-Fuzz corpus:

Mythos Preview Outperforms Sonnet and Opus in High-Severity Crash Discovery

Model Tier 1 (basic crashes) Tier 2 Tier 3 Tier 4 Tier 5 (control-flow hijack)
Sonnet 4.6 150-175 ~100 1 0 0
Opus 4.6 150-175 ~100 1 0 0
Mythos Preview combined T1-T2 = 595 n/a “handful” “handful” 10

High_Severity_Crash_Discovery_comparison

Figure 1. High-Severity Crash Discovery comparison

Tier 5 is the bar that matters. It’s the gap between “denial of service” and “remote code execution.”

Three concrete cases from Anthropic’s writeup, all found by Mythos with no human guidance after the initial prompt, spanned OpenBSD, FFmpeg, and FreeBSD.

  • OpenBSD, 27 years old: A subtle TCP SACK chain: missing range-start bounds check, NULL-pointer write in the append path, signed-integer overflow that satisfies the impossible condition. Remote unauthenticated kernel crash on any OpenBSD host. Anthropic’s full 1,000-run sweep over OpenBSD ran under $20,000 and produced dozens of findings; the specific run that hit this bug cost under $50, but Anthropic notes that this single-run number “only makes sense with full hindsight.”
  • FFmpeg H.264, 16 years old: A memset(..., -1, ...) sentinel collision when 65,536 slices are crafted into one frame, producing an out-of-bounds heap write of “a few bytes.” Anthropic explicitly assesses this as “not a critical severity vulnerability” and says it “would be challenging to turn into a functioning exploit.” The point isn’t the severity, it’s the location: FFmpeg is one of the most heavily fuzzed projects in the world, and every fuzzer missed this for 16 years.
  • FreeBSD NFS, 17 years old (CVE-2026-4747): A 304-byte stack overflow in RPCSEC_GSS authentication. Mythos found it, then chained it across six RPC requests to land a 1,000-byte ROP chain into a 200-byte window, ultimately writing the attacker’s public key into /root/.ssh/authorized_keys. The FreeBSD advisory and NVD list this as requiring an authenticated user (Privileges Required: Low). Anthropic’s writeup describes how Mythos sidesteps that by using an unauthenticated NFSv4 EXCHANGE_ID call to recover the kernel hostid and approximate boot time, which is enough to forge the GSS handle the vulnerable code path requires. Whether that constitutes “unauthenticated” or “low-privilege with a recon step” is an active technical debate. Either way, Anthropic engineers with no formal security training reported asking Mythos for a remote code execution overnight and waking up to a working exploit.

The cost economics are the part that should keep architects up at night. A 1,000-run sweep over OpenBSD ran under $20,000: a single mid-level engineer’s monthly salary, for one operating system, with dozens of additional findings beyond the published one.

China’s 360: Different model, same trajectory

But as impressive an achievement as Mythos was, Qihoo 360 may be even more impressive. The model claimed to have uncovered 1,000 vulnerabilities—100x Anthropic’s results. However, the results were less independently validated. ETH Zurich’s Eugenio Benincasa, who wrote the primary analysis on Natto Thoughts, notes that 360’s system looks closer to Google’s Big Sleep, accelerating discrete stages of vulnerability research, than to Mythos’s fully autonomous loop. At least one of 360’s headline attributions (CVE-2026-24293, a Windows AFD null-pointer dereference / privilege escalation) has been questioned in secondary reporting, with the formal Microsoft acknowledgment crediting other researchers; we have not independently confirmed the specific identities involved.

Among the claimed discoveries were:

  • Tianfu Cup 2026 ran in January under the Ministry of Public Security organization, with an explicit AI-assisted vulnerability discovery track. The competition’s website went offline and stayed inaccessible from outside China after the event. 360 won first place, and says its agent contributed roughly half of the vulnerabilities found.
  • CVE-2026-32190 (a confirmed Microsoft Office use-after-free in PowerPoint, CVSS 8.4, patched April 2026) is described in 360’s marketing as having been identified by its agent “within minutes” after going undetected for roughly eight years. Those discovery-speed and elapsed-time claims come from 360 itself and are not independently verified. The CVE itself is real; NVD describes the attack vector as local, and Microsoft’s own assessment categorizes it as “less likely” to be exploited, which is a softer profile than 360’s “zero-click via Preview Pane” promotional framing implies.
  • OpenClaw prompt injection: A March 2026 disclosure of a MEDIA-protocol prompt injection in the OpenClaw AI agent platform that bypasses tool privilege controls. 360 reported it as affecting 170,000+ public OpenClaw instances at initial disclosure; subsequent reporting (VentureBeat) put the publicly accessible footprint closer to 500,000 instances by March 30, 2026, across 50+ countries.

So, if the discoveries themselves were questionable, what was so remarkable about Qihoo 360?

The Pipeline Side: This Is Where the Digital Arms Race Lives

pipelines_are_the_war

Figure 2. Discovery is the lab; pipelines are the war.

Alongside the discovery of zero days is the collection and use of them. AI-assisted vulnerability discovery is now a strategic priority on both sides, but the pipelines for gathering those zero days looks different: in China, it is tied directly into a state-directed vulnerability reporting ecosystem; in the US, it is emerging first through private AI labs, security vendors, and defensive disclosure partnerships.

China: Legally Mandated Collection

Beijing’s structural advantage is in the law. The 2021 Regulations on the Management of Network Product Security Vulnerabilities (RMSV) require:

  • All discovered vulnerabilities are to be reported to MIIT within 48 hours of discovery
  • No public disclosure or PoC publication before MIIT processing
  • No sharing of vulnerability information with any foreign entity

Reports flow into MIIT’s CSTIS platform first, and then into the China National Vulnerability Database (CNNVD), which is operated by the China Information Technology Security Evaluation Center (CNITSEC), an organization with documented institutional ties to the Ministry of State Security. From there, prioritized vulnerabilities can be funneled to MSS Bureau 13 (offensive operations), the PLA’s Cyberspace Force, and a contractor ecosystem exposed in painful detail by the February 2024 i-Soon leak.

The Atlantic Council’s 2023 “Sleight of Hand” report puts numbers on it: At least 151 private cybersecurity companies and 1,190 researchers feed at least 1,955 software vulnerabilities to MSS each year, at least 141 of which are rated critical. That was before AI agents could find a thousand-plus vulnerabilities per quarter per firm.

US: Fragmented, Expensive, and Bleeding

The US side is governed by the Vulnerabilities Equities Process (VEP), an interagency framework that, in 2023, disclosed 39 zero-days to vendors. How many were retained for exclusive use by the US government, intelligence, law enforcement, or the military? Classified.

Around the VEP sits a private market that the Atlantic Council’s 2025 “Crash (exploit) and burn” report calls “horrendously inefficient and broken.” Atlantic Council research describes a chain of intermediaries, boutique research firms, prime contractors, and brokers, where each layer marks up the exploit before it reaches a government end user. The Council’s March 2026 “Mythical Beasts” paper places per-broker markups in the 10–15% range per transaction, and across a multi-broker chain the cumulative effect is significant; some secondary analyses have characterized total markups as multiples of the original price, but we have not been able to verify a specific multiplier in the primary sources. Boutique vulnerability research firms cycle through 6–18 months of unpaid development for each market-ready exploit, and many researchers leave the profession within a decade.

And then there’s the L3Harris Trenchant case. From 2022 to 2025, Peter Williams, an Australian national, the general manager of Trenchant (L3Harris’s offensive cyber division), and a former employee of Australia’s Signals Directorate, stole eight zero-day exploits built for exclusive US government use and sold them to Russian broker Operation Zero for $1.3 million in cryptocurrency. He pleaded guilty in October 2025 and was sentenced to 87 months on February 24, 2026. Operation Zero re-sold the tools to “at least one unauthorized user,” per Treasury’s announcement. The US response, also on February 24, 2026, was the first-ever PAIPA sanction against a foreign exploit broker. Punishment after the fact, not interdiction. The fact that the perpetrator was a senior executive with prior signals-intelligence credentials, not a junior contractor, is what makes the insider-threat picture worse, not better.

The asymmetry in the vulnerability reporting between the two countries is the point. Beijing’s pipeline collects almost everything found inside its borders. The US pipeline leaks tools that were built for exclusive use.

Figure 3. US vs China vulnerabilities pipeline

What This Means for Enterprises

Of course, nation state cyber conflicts ultimately impact enterprises as well. Threat actors backed by nation states can target enterprises. This is the part most CISO conversations skip, because it’s where the strategic story meets the patch-Tuesday spreadsheet. So, let’s get specific.

The “Social Engineering is #1” Assumption is Shifting

For years, phishing was the right answer to “How do attackers get in?” It still is, mostly. The 2025 Verizon DBIR puts stolen credentials at 22% of breaches. Unit 42’s 2025 incident response data found social engineering involved in 36% of all incidents. Identity is still the perimeter.

But vulnerability exploitation is the line moving fastest. Verizon DBIR 2025: Vulnerability exploitation hit 20% of breaches, up 34% year-over-year. Unit 42: Phishing and exploitation tied at 22% each as initial access. Google’s GTIG tracked 90 zero-days exploited in the wild in 2025. Of those, 43 (48%) targeted enterprise technologies: VPN appliances, security gateways, virtualization platforms, and identity providers.

That mix-shift was happening before AI agents started industrializing discovery. The reasonable working assumption for 2026 is that the curve gets steeper.

The “We Patched Last Week” Defense is Shrinking

The most underrated finding in the Anthropic writeup is the N-day work. Mythos was given 100 known Linux kernel CVEs from 2024-2025 and asked which were exploitable; Anthropic documents nearly a dozen working privilege escalation exploits, several of which chained two, three, or four vulnerabilities together. The two cases it documented in detail, an ipset bit-flip that turns a one-bit OOB write into an /etc/passwd rewrite, and a one-byte heap read that chains into root, each cost under $2,000 in API calls and took less than a day.

Translate that for your patch program: The “time from CVE publication to weaponized exploit in the wild” historically ran days to weeks. AI agents drop that to hours. Your maintenance windows have to keep up. If your enterprise routinely waits for the next patch cycle to roll out kernel updates, that calendar lives in the wrong era.

Don’t Look for the “Big Breach” to Uncover Attackers

Two China-linked groups, both confirmed by CISA, have spent the last several years inside US critical infrastructure: Volt Typhoon (active since 2021) used living-off-the-land techniques to maintain persistent access in US energy, water, communications, and transportation networks for at least five years. Salt Typhoon breached at least nine US telecommunications providers (2023-2024), including Verizon, AT&T, and T-Mobile, and accessed lawful-intercept systems: the FBI’s court-authorized surveillance infrastructure.

These groups don’t need AI-discovered zero-days to be dangerous. But every additional vulnerability that flows through China’s RMSV pipeline is another potential enabler of a first strike. Recorded Future’s read on the strategic posture: China’s apparent reduction in publicly attributed zero-day use (12 in 2023, 5 in 2024, ~10 in early 2025) reflects deliberate stockpiling, not declining capability.

AI is Reshaping the Defensive Playbook

The honest read on Anthropic’s “advice for defenders” section is that defenders must adopt these tools too. And most haven’t. Concretely:

  1. Use today’s models on your codebase now. Opus 4.6 and Sonnet 4.6 are not Mythos, but they find real bugs. Anthropic’s earlier work submitted 112 bugs to Firefox; every one was confirmed. The scaffold matters more than the model. Building the harness now means you’re ready when stronger models ship.
  2. Tighten patch windows, especially for kernels and security appliances. The “out-of-band release for in-the-wild exploits, otherwise next cycle” cadence assumed a slow attacker. That assumption is dead.
  3. Audit pre-authentication attack surface. Mythos doesn’t care that your auth is strong. It cares about the protocol parsers, decompression paths, and certificate handlers that run before any auth check. Network appliances, VPN endpoints, and edge services are the highest-value targets.
  4. Plan for n-day chaos. The day a major Linux kernel CVE drops, AI-assisted exploit development means working PoCs in hours, not days. Your detection and response pipeline needs to absorb that volume without humans triaging every alert.

Cato Protections Defend Against These Threats

Cato customers benefit from a SASE-native architecture that addresses several layers of the attack chain described above:

  • Cato Dynamic Prevention (auto-adaptive threat prevention engine): Announced March 3, 2026 as the world’s first auto-adaptive threat prevention engine in a SASE platform. The engine continuously correlates months of security and networking activity across Cato’s inline sensors (IPS, DLP, NGAM) and out-of-band engines to identify multi-stage threats that look benign in isolation but form a malicious pattern across time, hosts, and networks. When that pattern is confirmed, Dynamic Prevention automatically adapts and enforces restrictions across the threat actor’s related actions, blocking the attack chain early without requiring SOC or IT intervention. This is the layer that directly addresses the long-running, low-signal pre-positioning campaigns Volt Typhoon and Salt Typhoon run today, and the AI-driven n-day chaos this brief argues is coming.
  • IPS: The Cato Managed IPS engine inspects all traffic across the SASE Cloud and detects exploitation attempts against widely deployed enterprise targets: VPN appliances, file transfer servers, virtualization platforms, and identity stacks. Signature and behavioral coverage updates without customer maintenance windows.
  • Network Segmentation: Cato SDP and ZTNA isolate east-west movement that groups like Volt Typhoon rely on. Even when an edge appliance is compromised, segmentation limits lateral reach into the crown jewels.
  • Cato XDR + MDR: The Cato MDR team threat-hunts for living-off-the-land patterns and pre-positioning behavior across customer environments, with SOC analysts triaging suspicious traffic that matches the China-linked APT TTPs documented above.
  • DLP and CASB: Reduce exposure of credentials, source code, and configuration data that feed AI-driven reconnaissance.

Pipeline Competition is the True Battleground in Threat Disclosure

The narrow story is that two AI systems in two countries can now find vulnerabilities at speeds that previously required senior offensive researchers and weeks of work. That is true and important.

The bigger story is what happens to the pipelines. China’s pipeline collects; the US pipeline leaks. Every additional vulnerability that AI surfaces in 2026 is processed differently depending on which side of the Pacific it was found on.

For enterprises, the call to action is unglamorous: shorten patch cycles, audit pre-auth attack surface, get serious about hunting for living-off-the-land activity, and assume that the time-to-weaponize for a public CVE is now measured in hours. The companies that do this in 2026 will be the companies that aren’t on next year’s breach disclosure list.

If your patch SLA assumes “serious vulnerabilities are rare,” what happens when 1,000 of them drop at once?

The post Cato CTRL Threat Brief: AI, Zero-Days, and the US-China Cyber Arms Race appeared first on Cato Networks.

Similar Posts

Leave a Reply