Anthropic’s export ban is already creating room for rival AI models in Asia

Anthropic’s Mythos export restrictions were meant to keep one of the most capable cybersecurity AI systems out of foreign hands. Two weeks later, Asian AI companies are treating the gap as a product opening.

Chinese cybersecurity firm 360 has reportedly unveiled Tulongfeng, an AI tool it says can compete with Anthropic’s Mythos on automated vulnerability discovery. It also introduced Yitianzhen, aimed at cyber defense and incident response automation.

In Japan, Sakana AI launched Fugu, a frontier model named after the Japanese word for blowfish. Sakana says Fugu stands “shoulder-to-shoulder” with Anthropic’s Fable 5 and Mythos Preview, and frames it as an orchestration model for agent workflows.

The timing matters. The U.S. government order restricting Anthropic from providing global access to Mythos and the more limited Fable 5 took effect roughly two weeks ago. Anthropic has said the models are restricted to Americans under the current order. The ban has already become a sales argument for local alternatives.

Sakana’s website says it plainly: “delivering frontier capability without the risk of export controls.”

That’s a strong message for enterprise buyers, government agencies, and technical leaders who don’t want their AI roadmap tied to Washington’s next policy decision.

Why Mythos became politically sensitive

Mythos is reportedly a cybersecurity-focused AI model, the kind of system that can assist with vulnerability research at a level that starts to look strategically important.

General-purpose coding assistants can help write a Python script, explain a CVE, or generate a fuzzing harness. A specialized security model trained and evaluated for vulnerability discovery can shorten the loop between codebase analysis, exploitability reasoning, and patch prioritization. In the wrong hands, the same capability can speed up offensive cyber work.

That dual-use problem is likely why Mythos triggered export concerns. A model that finds subtle memory corruption bugs, auth bypasses, deserialization flaws, or cloud misconfiguration chains has obvious value for defenders. It also has value for intelligence agencies, ransomware crews, and state-backed attackers.

Access controls rarely freeze capability. They usually redirect demand.

If a U.S. model becomes unavailable in Japan, South Korea, Singapore, India, or Europe, large buyers won’t wait politely. They’ll evaluate domestic suppliers, open models, Chinese vendors where allowed, or orchestration layers that avoid dependence on one provider. Sakana and 360 are moving into that opening.

Sakana’s Fugu makes the agent argument

Sakana AI says Fugu has been in development since last year, with research presented at ICLR this spring. A company spokesperson told TechCrunch the launch timing was “entirely coincidental,” though the company is clearly leaning into the export-control angle now that buyers are paying attention.

Fugu is aimed at Japanese businesses and government agencies that want advanced AI while reducing exposure to foreign policy restrictions. Sakana has a credible lane here. The company, founded in 2023 by David Ha, Llion Jones, and Ren Ito, has focused on models tuned for Japanese language, culture, and data constraints rather than chasing the largest possible parameter count.

That local optimization matters more than many benchmark decks admit. Enterprise AI systems fail in boring, specific ways: a legal assistant mishandles jurisdiction-specific phrasing, a customer-service model misses social nuance, a procurement agent misunderstands a vendor document, a government workflow requires policy context that an English-heavy model treats as trivia. For Japanese institutions, a model tuned around local language and operating context can be more useful than a stronger generic model with weak localization.

The more interesting technical claim around Fugu is orchestration.

David Ha described “orchestration models” as the next frontier beyond bigger models. In practice, that means a model that coordinates other models and tools through APIs, deciding when to call a specialist model, when to retrieve context, when to use a cheaper model for routine work, and when to escalate to a stronger one.

For engineering teams, that architecture is familiar. It looks like a distributed system:

• A router chooses between models based on task type, cost, latency, and risk.
• Tool-calling agents invoke APIs, databases, search indexes, code execution sandboxes, or security scanners.
• A planner breaks a task into steps and delegates subproblems.
• Evaluation layers check outputs for policy, correctness, or regressions.
• Observability tracks token use, failure rates, latency, and model drift.

The appeal is clear. Teams avoid tying their whole stack to one provider. They can swap models as pricing, latency, regulation, or quality changes. Sensitive workloads can stay on domestic infrastructure while lower-risk tasks call foreign APIs.

The trade-off is complexity. Agent orchestration adds failure points. Routed workflows can produce errors that are harder to debug than a single model call. API dependencies change. Tool calls can leak context if the permission model is sloppy. Latency can spike when a planner takes too many steps. Costs can become unpredictable if an agent loops through expensive calls.

Good orchestration needs boring engineering discipline: typed tool schemas, sandboxing, rate limits, audit logs, prompt and policy versioning, eval suites, and kill switches. Without that, “agentic” systems become expensive nondeterministic glue.

Sakana’s pitch lands because it matches how serious organizations are already designing AI systems. In 2026, the best AI stack is rarely one model. It’s a portfolio with routing, governance, and fallback paths.

360 points at the security arms race

360’s announcement has a different tone. The Chinese company reportedly framed Tulongfeng as a direct answer to Mythos, with founder Zhou Hongyi describing vulnerability-finding AI as a national strategic asset.

That language treats AI-assisted vulnerability discovery as part of national cyber capability.

Tulongfeng is designed to automatically discover software vulnerabilities. Yitianzhen is built for automated cyber defense and incident response. Those are useful categories, but they’re broad. Without public technical details, evaluation methodology, or reproducible benchmarks, claims of parity with Mythos need skepticism.

Security AI benchmarks are especially slippery. A model can perform well on known CVEs, synthetic vulnerable code, or curated CTF-style tasks and still struggle against large production systems with messy dependencies, custom frameworks, incomplete build instructions, and sparse documentation. Real vulnerability research requires build reproduction, threat modeling, protocol understanding, exploitability analysis, and judgment about impact.

A credible vulnerability-discovery system needs a strong language model plus integration with:

• Static analysis tools such as CodeQL, Semgrep, or custom AST analyzers
• Fuzzing frameworks like AFL++, libFuzzer, Honggfuzz, or domain-specific fuzzers
• Dynamic analysis, tracing, and sanitizers
• Dependency graphs and software bill of materials data
• Patch history, issue trackers, and exploit databases
• Secure sandboxes for test execution
• Human review loops for triage

The model can improve prioritization and reasoning, especially when it connects clues across code, docs, commits, and runtime behavior. Full automation remains difficult. False positives waste security teams’ time. False negatives create a false sense of safety. Generated proof-of-concept exploit code can cross legal and ethical lines fast.

For defenders, these systems could shorten mean time to detect and patch serious bugs. For attackers, they could scale reconnaissance. That asymmetry explains why export controls appeal to policymakers and frustrate global enterprises.

Export controls are becoming an infrastructure risk

Anthropic’s business has been growing fast. The company said its run-rate revenue crossed $47 billion in May 2026, and it has been moving toward a much larger enterprise footprint. The company hasn’t disclosed how much revenue depends on Asian customers.

The precise number may matter less than the signal the ban sends. If a frontier model can be cut off from non-American users with little operational warning, technical buyers have to treat provider access as a dependency risk, not just a procurement detail.

That changes architecture decisions.

A bank in Tokyo, a telecom in Seoul, or a logistics firm in Singapore now has to ask uncomfortable questions before building critical workflows around a U.S.-hosted frontier model:

• Can access disappear because of export policy?
• Can the vendor keep serving regulated workloads?
• Is there a fallback model with acceptable quality?
• Can prompts, embeddings, fine-tuning data, and eval pipelines move quickly?
• Are agent tools portable across providers?
• What happens to incident response if the model endpoint goes dark?

The practical response is multi-provider design. That means abstraction layers for model calls, evals that compare providers on real internal tasks, data governance policies that separate sensitive workloads from commodity ones, and caching or local inference where possible.

There’s a cost. Multi-model systems are harder to maintain than single-vendor stacks. Quality varies across languages and domains. Fine-tuned behavior doesn’t transfer cleanly. Prompt templates break. Tool-calling formats differ. Even when vendors support OpenAI-compatible APIs, the semantics aren’t identical.

Still, dependence on one frontier provider now looks careless for any organization treating AI as infrastructure.

Local models have an opening, but parity claims need proof

Sakana and 360 are both benefiting from Anthropic’s restricted access, but their claims shouldn’t be treated as equivalent.

Sakana is making a strategic argument around resilience, Japanese localization, and orchestration. That’s plausible and technically grounded. It also avoids claiming that Asia is walking away from U.S. models entirely. Sakana’s spokesperson said U.S. models remain important to Asia, which lines up with Ren Ito’s recent argument that AI access for close U.S. allies should be preserved rather than hoarded.

360 is making a sharper national-security claim. It says it has tools that can match Mythos-like capabilities in cybersecurity. Maybe. But security models need transparent evaluation, not launch language. Developers and CISOs should ask for task-level results, not broad benchmark summaries.

Useful evidence would include:

• Performance on previously unseen open-source projects
• Time-to-triage measurements against human security researchers
• False positive and false negative rates
• Ability to reproduce builds and validate exploitability
• Integration quality with existing AppSec and SOC workflows
• Isolation controls around generated exploit artifacts
• Auditability for regulated environments

Without that, “matches Mythos” is a positioning statement.

The broader trend is clear enough. Export restrictions create market pressure for sovereign or regional AI stacks. Some of those systems will be weaker than the best U.S. models. Some will be better for local use cases. Some will specialize in narrow domains where general frontier models are unavailable, overkill, or too expensive.

For developers, the lesson is simple: build AI systems assuming model access can change. Quality matters, but so do portability, fallback paths, eval coverage, and control over sensitive workflows. Anthropic’s ban has made that risk harder to ignore.