Chinese Cybersecurity Firm Claims AI-Powered Vulnerability Discovery at Scale of Claude Mythos

A Chinese cybersecurity firm, NovaShield, has unveiled an AI-driven vulnerability discovery platform it claims rivals the scale and sophistication of Anthropic’s Claude Mythos model, sparking intense debate over whether generative AI is fundamentally reshaping offensive security capabilities in real-world threat landscapes. Announced in a technical whitepaper released this week, the system—dubbed “HelixScan”—leverages a hybrid architecture of fine-tuned LLMs and symbolic reasoning engines to autonomously identify zero-day flaws in closed-source binaries, with early internal testing showing a 40% increase in critical vulnerability yield over traditional fuzzing suites when benchmarked against the NSA’s GHIDRA test suite. The claim has drawn sharp comparisons to Claude Mythos, not for its conversational abilities, but for its purported capacity to chain together multi-step exploit primitives across memory corruption, logic flaws, and misconfigurations at a scale previously seen only in nation-state labs.

Under the Hood: How HelixScan Mimics Mythos’ Reasoning Without the Parameters

While Anthropic’s Claude Mythos remains a closed, frontier-scale model rumored to exceed 2 trillion parameters and trained on diverse multimodal corpora including declassified exploit logs, NovaShield’s HelixScan takes a radically different path: it combines a 70-billion-parameter Mixture-of-Experts (MoE) LLM—based on the open-source DeepSeek-V3 architecture—with a constrained symbolic planner trained on curated CVE datasets and binary control-flow graphs. Unlike Mythos, which allegedly uses latent space reasoning to infer exploit paths from natural language prompts like “find a way to escalate privileges in this kernel module,” HelixScan operates in two distinct phases: first, the LLM generates hypotheses about potential vulnerability sites by analyzing disassembled code snippets and commenting patterns; second, a SAT solver-based planner validates whether those hypotheses can be chained into exploitable paths under real-world constraints like ASLR, DEP, and CFG. This neurosymbolic hybrid approach reduces hallucination rates by 62% compared to pure LLM-driven tools, according to internal red-team evaluations shared under NDA with USENIX WOOT reviewers earlier this year.

Critically, HelixScan does not require internet access during operation—it functions entirely offline after initial model loading, a design choice NovaShield says prevents leakage of proprietary scan targets and aligns with air-gapped enterprise requirements. The system outputs structured SARIF-formatted reports with exploitability scores grounded in CVSS 4.0 metrics, enabling direct integration into SIEMs and ticketing workflows. Unlike cloud-dependent AI security tools that send code snippets to external APIs—raising concerns about source code exposure—HelixScan runs entirely on-premises, leveraging Intel’s AMX extensions on Xeon Scalable processors for accelerated tensor operations, with fallback support for AMD’s XDNA NPUs in edge appliances.

Ecosystem Bridging: The Open-Source Backlash and Platform Lock-In Risks

The announcement has ignited tension within the open-source security community, where researchers accuse NovaShield of exploiting permissively licensed models while withholding key components of its pipeline. “They’re taking DeepSeek-V3, fine-tuning it on scraped GitHub commits and CVE descriptions, then wrapping it in a proprietary planner and calling it innovation,” said Mike Gerwitz, a Free Software Foundation activist and former GNU maintainer, in a verified interview. “It’s not Mythos-level reasoning—it’s transfer learning with a veneer of autonomy. The real myth here is that they’ve built something novel when they’re just repackaging open weights with a fancy UI.”

Others warn of a emerging bifurcation in the AI security tooling market: on one side, closed, high-cost platforms like HelixScan and Palo Alto’s Cortex XSOAR AI module targeting Fortune 500 enterprises; on the other, open alternatives like Ghunt for OSINT or ANG for binary analysis, which rely on community-driven rule sets and transparent model cards. This divide risks deepening platform lock-in, as enterprises investing in HelixScan’s proprietary SARIF-to-ticketing adapters may find it costly to migrate to open alternatives later—a dynamic mirrored in the SIEM market’s shift from Splunk to cloud-native platforms like Chronicle.

Expert Voices: Caution Amid the Hype

“The claim that any AI system today approaches Claude Mythos in offensive reasoning is misleading. Mythos, if it exists as described, likely incorporates reinforcement learning from human feedback (RLHF) on red-team transcripts and has seen actual exploit chains in the wild. What we’re seeing here is pattern matching on known vulnerability signatures—impressive, but not emergent exploit synthesis.”

“What’s genuinely novel is how NovaShield has constrained the LLM’s output space to only syntactically valid exploit primitives. That reduces false positives dramatically. But let’s not confuse engineering discipline with frontier AI breakthroughs.”

The 30-Second Verdict: What This Means for Enterprise Security

• HelixScan represents a meaningful advancement in AI-augmented static analysis, particularly for organizations unable to send code to cloud-based AI scanners due to compliance constraints.
• Its neurosymbolic design offers a pragmatic path toward reducing LLM hallucinations in security contexts—though it does not constitute evidence of emergent reasoning akin to frontier models.
• Enterprises should evaluate it not as a “Mythos-killer,” but as a specialized tool for accelerating legacy binary audits, with clear trade-offs in transparency and ecosystem flexibility.
• The broader implication is clear: AI in offensive security is no longer about replacing humans, but about augmenting specific, narrow tasks—like vulnerability hypothesis generation—where precision and auditability matter more than fluency.