Capability Overview
Two new frontier AI models — Sakana AI’s Fugu and Chinese cybersecurity firm 360’s Tulongfeng — launched this week, each explicitly positioned against Anthropic’s export-restricted Mythos and Fable 5. The timing is significant: the US government banned Anthropic from distributing Mythos and Fable 5 globally just two weeks prior, and at least one vendor (Sakana) is actively marketing the absence of export controls as a product feature.
Fugu is particularly notable from a security architecture perspective. It is designed as an agentic orchestration layer capable of routing tasks to other frontier models via their APIs — meaning it sits as a hub in multi-model pipelines rather than operating in isolation. Sakana targets Japanese enterprises and government agencies; 360 targets the broader Chinese and Asian market with a model explicitly framed around cybersecurity capability parity.
For defenders, this is not simply a competitive story. It is a meaningful shift in the threat landscape.
Attack Surface Analysis
1. Export-control bypass as a feature, not a bug. Mythos was restricted precisely because of its assessed offensive capability ceiling. Models marketed as functional equivalents, now freely accessible outside US jurisdiction, represent a direct reduction in the friction that previously slowed adversary access to high-capability AI for vulnerability research, exploit generation, and offensive cyber operations.
2. Agentic multi-model orchestration risk. Fugu’s design — routing instructions across third-party model APIs — creates compounded trust-boundary problems. Each inter-model handoff is a potential prompt-injection vector. A malicious instruction embedded in one model’s output can propagate to downstream models in the chain, amplifying impact beyond what a single-model deployment would allow.
3. Regulatory arbitrage and silent guardrail degradation. Organisations under pressure to find US-model alternatives may substitute Fugu or Tulongfeng into pipelines originally validated against Anthropic’s Constitutional AI safety layer. The new models carry no equivalent third-party safety audit history, meaning existing risk acceptance decisions become invalid without re-evaluation.
4. State-aligned supply-chain risk (Tulongfeng). 360 is a Chinese cybersecurity firm with documented ties to state institutions. Any enterprise ingesting Tulongfeng into its toolchain inherits the full supply-chain risk profile of that vendor relationship — including potential for model-embedded backdoors, telemetry exfiltration, or output manipulation aligned with state interests.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| ATLAS | AML.T0051 – LLM Prompt Injection | Multi-model orchestration multiplies injection surface |
| ATLAS | AML.T0010 – ML Supply Chain Compromise | Unvetted model substitution under geopolitical pressure |
| ATLAS | AML.T0018 – Backdoor ML Model | State-adjacent vendor (360) with opaque training provenance |
| ATLAS | AML.T0047 – ML-Enabled Product or Service | Both models exposed as API-accessible services |
| OWASP | LLM05 – Supply Chain Vulnerabilities | Rapid model substitution without equivalent vetting |
| OWASP | LLM08 – Excessive Agency | Fugu’s autonomous cross-model orchestration |
| OWASP | LLM01 – Prompt Injection | Agentic API chaining across model boundaries |
Threat Scenarios
Scenario A — Adversarial offensive capability uplift. A threat actor previously unable to access Mythos due to export controls now uses Tulongfeng or Fugu to accelerate vulnerability discovery in critical infrastructure software, with no US oversight mechanism available.
Scenario B — Cascading prompt injection via Fugu orchestration. An attacker plants a malicious instruction in a data source ingested by Fugu. Fugu relays the instruction to a connected code-execution model API, resulting in unauthorised action that no single-model guardrail would have caught.
Scenario C — Silent safety regression. A Japanese government agency, under pressure from export restrictions, swaps its Fable 5 deployment for Fugu with minimal re-evaluation. Existing red-team findings and policy controls, calibrated for Anthropic’s model behaviour, no longer apply — creating undetected gaps.
Defender Checklist
- Inventory model substitutions triggered by export-control pressure; require formal security re-assessment before any swap is approved
- Classify Fugu deployments as agentic high-risk and apply prompt-injection controls at every inter-model API boundary
- Treat 360/Tulongfeng as elevated supply-chain risk; enforce data-flow isolation and prohibit use with sensitive or classified data pending vendor audit
- Re-run red-team and safety evaluations whenever a new base model is introduced, even if the application layer is unchanged
- Monitor geopolitical triggers — further US export restrictions are likely to accelerate adoption of unvetted alternatives; maintain a standing review process
- Assess API key and credential exposure for any pipeline where Fugu orchestrates access to other model providers